
Connecting your identity provider to Confidencial

Last updated 1 month ago

ℹ️ This document shows you how to connect to your identity provider, allowing your enterprise’s users to log in to Confidencial using their existing accounts.

⚠️ Please contact your Confidencial support representative before beginning this process to ensure you have the proper components to proceed.

The details of how to connect to your identity provider (IDP) vary depending on the IDP being connected, but in most cases, the process amounts to creating an application within your IDP and then assigning users to that application. See the links below for how to connect to your IDP.

Creating an application in Okta

  1. Log in to your Okta instance’s admin portal

  2. Click Applications under the Applications item in the side menu

  3. Click the Create App Integration button

  4. Select OIDC - OpenID Connect and Web Application for Sign-in method and Application type, respectively; click Next

  5. Ensure the following settings are entered:

    1. App integration name: Confidencial

    2. Grant type: Authorization Code (the only option that should be selected)

    3. Sign-in redirect URIs: https://auth.confidencial.io/login/callback

    4. Sign-out redirect URIs: https://my.confidencial.io

    ⚠️ Redirect URIs will be different from those listed above for sandbox deployments. Your Confidencial technical contact will provide the URIs in those cases.

  6. For Controlled access, select either “Allow everyone in your organization to access” or “Limit access to selected groups,” depending on who you want to be able to log in to Confidencial.

    1. If you selected “Allow everyone…,” leave “Enable immediate access with Federation Broker Mode” selected if you want everyone in your organization to be able to access Confidencial. Deselect “Enable immediate access with Federation Broker Mode” if you want to specify the users and groups that can access Confidencial.

    2. If you selected “Limit access…,” enter the group(s) you’d like to access Confidencial under Selected group(s).

  7. Click Save

ℹ️ This completes creation of the Okta application and generates a Client Secret that must be securely transmitted to Confidencial during account setup (along with the Okta Domain and Client ID).

➡️ Proceed to the next section, Creating Confidencial roles for Okta users

Creating Confidencial roles for Okta users

ℹ️ These steps let you define Confidencial “roles” that grant administrator permissions to your users by means of Okta groups. The Confidencial permissions granted are determined by the description fields of the Okta groups to which each user belongs.

ℹ️ For a Confidencial user to be able to exercise any of the permissions described below, they must also be designated as an administrator within the Confidencial system.

For each role you would like to define in Confidencial:

  1. Click Groups under the Directory item in the side menu

  2. Click Add Group

  3. In the Name field, enter a name for the role (Okta group). In this example, we create a role called C11-Admins.

  4. In the Description field, enter the Confidencial permissions you would like to grant to members of this role. The available permissions are:

    • crud:members-org: Allows an administrator to create, read, update, and deactivate all members in an organization

    • crud:config-org: Allows an administrator to create, read, and delete admin config settings for an organization

    • crud:invitations-org: Allows an administrator to create, read, and delete invitations for an organization

    • crud:recovery-keys-org: Allows an administrator to create, read, and deactivate recovery keys that are used by an organization

    • read:events-org: Allows an administrator to see all Confidencial usage data within an organization

    • crud:encryption-keys-org: Allows an administrator to create and update (replace) public and private encryption key pairs for all members in an organization

    • crud:signature-keys-org: Allows an administrator to create and update (replace) electronic signature keys for all members in an organization

    • crud:groups-org: Allows an administrator to create, read, update, and delete groups within an organization

    • crud:groups-scim-tokens-org: Allows an administrator to create, read, update (replace), and delete tokens that are used by the enterprise’s identity provider to make calls to the SCIM endpoints of the Confidencial Private Key Server

  5. Click Save

  6. With the Okta group created, take note of the Okta group ID; this will be needed in the next section, Creating the Okta authorization server for Confidencial

    1. To get the group ID of the group you created, go to the group in Okta and note the last part of the URL

    2. In this example, the group ID is 00g9372cmsozlGYI25d7

  7. Add the users to the group to which you would like to assign these permissions

🔁 Repeat Steps 1-7 above for each role you would like to define in the Confidencial system. You can create up to 100 roles for Confidencial users, roles can contain any combination of permissions, and users can belong to any combination of roles.

➡️ Proceed to the next section, Creating the Okta authorization server for Confidencial

Creating the Okta authorization server for Confidencial

  1. Click API under the Security item in the side menu

  2. Click Add Authorization Server

  3. For Name, enter Confidencial and for Audience enter api://confidencial.io

  4. Click the Scopes tab, then click Add Scope

  5. Enter the following values:

    1. Name: groups

    2. Display phrase: groups

    3. Description: Allows group membership to be passed in token

    4. Use default values for the other fields

  6. Click Access Policies, then click Add New Access Policy

  7. Enter the following values:

    1. Name: Default

    2. Description: Default

    3. Assign to: Add the Okta application you created in the previous section, Creating an application in Okta

  8. Add a rule to govern access to this authorization server, ensuring that “authorization code” is permitted; set access token and refresh token lifetimes as desired

  9. Click the Claims tab, then click Add Claim

  10. Enter the following values:

    1. Name: permissions

    2. Value: Arrays.flatten(getFilteredGroups({"group-id-1", "group-id-2", ... , "group-id-n"}, "Arrays.flatten(group.description)", 100))

      1. Replace "group-id-1", "group-id-2", ... , "group-id-n" in the above statement with the list of group IDs you created in the section above, Creating Confidencial roles for Okta users

      2. Group IDs should be wrapped in double quotes (") and separated by commas (,), with the entire list of group IDs wrapped in curly braces ({ })

    3. Use default values for the other fields

  11. Click Create
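As an added example (not part of the Confidencial documentation or product), the following Python re-implements what the permissions claim expression in Step 10 evaluates to for one user, so you can predict the claim that a given group membership produces before testing a real login. It assumes that a role group's description lists several permissions separated by commas, as the Entra ID CSV later on this page does; apart from 00g9372cmsozlGYI25d7, the group IDs, descriptions and users are constructed sample data. require_permission shows the relying-party side of the same contract: a permission is granted only if the claim is an array that contains it.

```python
"""Predict the Okta `permissions` claim for a user.

Added example; it is not part of the Confidencial documentation. It mirrors the
claim expression from Step 10 above,
  Arrays.flatten(getFilteredGroups({...group IDs...}, "Arrays.flatten(group.description)", 100))
in plain Python: keep only the user's groups whose ID is in the allow-list (at
most `limit` of them), take each one's description, and flatten the result into
a single array. Group data and users below are constructed samples.
"""

# Constructed sample: Okta groups acting as Confidencial roles. As in Step 4 of
# "Creating Confidencial roles for Okta users", the description field holds the
# Confidencial permissions; we assume several permissions are comma-separated.
GROUPS = {
    "00g9372cmsozlGYI25d7": {               # the group ID used as the example above
        "name": "C11-Admins",
        "description": "crud:config-org, crud:invitations-org, crud:groups-org",
    },
    "00gRECOVERYexample01": {               # constructed ID
        "name": "C11-Recovery",
        "description": "crud:recovery-keys-org",
    },
    "00gEVERYONEexample00": {               # constructed ID; an ordinary Okta group
        "name": "Everyone",
        "description": "All users in your organization",
    },
}

# The allow-list placed in getFilteredGroups (Step 10.2.1). Only role groups go
# here; "Everyone" is deliberately absent, so its description never leaks into
# the claim even though every user is a member.
ROLE_GROUP_IDS = ["00g9372cmsozlGYI25d7", "00gRECOVERYexample01"]


def split_permissions(description: str) -> list[str]:
    """Split a comma-separated description into individual permissions."""
    return [p.strip() for p in description.split(",") if p.strip()]


def permissions_claim(user_group_ids: list[str], role_group_ids=ROLE_GROUP_IDS,
                      groups=GROUPS, limit: int = 100) -> list[str]:
    """Python equivalent of the claim expression: filter, map to description, flatten."""
    # getFilteredGroups: the user's groups that are in the allow-list, capped at `limit`
    matched = [gid for gid in user_group_ids if gid in role_group_ids][:limit]
    # Arrays.flatten over each matched group's description
    claim: list[str] = []
    for gid in matched:
        claim.extend(split_permissions(groups[gid]["description"]))
    return claim


def require_permission(token_claims: dict, needed: str) -> bool:
    """Relying-party check: authorize only if the `permissions` claim is an
    array that contains `needed`. A missing claim or a bare string is rejected,
    so a misconfigured claim fails closed rather than open."""
    perms = token_claims.get("permissions")
    return isinstance(perms, list) and needed in perms


if __name__ == "__main__":
    # A user in Everyone and C11-Admins gets only the admin permissions.
    claims = {"permissions": permissions_claim(["00gEVERYONEexample00", "00g9372cmsozlGYI25d7"])}
    print(claims)
    print(require_permission(claims, "crud:groups-org"))         # True
    print(require_permission(claims, "crud:recovery-keys-org"))  # False
```

Adding a group to the allow-list in Step 10 without giving it a permissions-only description would put that description text into every member's claim; keeping role groups separate from general-purpose groups, as above, avoids that.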

➡️ Proceed to the next section, Assigning users to an application in Okta

Assigning users to an application in Okta

ℹ️ These steps are not necessary if you left “Enable immediate access with Federation Broker Mode” selected in Step 6 of Creating an application in Okta above.

  1. Click Applications under the Applications item in the side menu

  2. Click Confidencial in the list of applications

  3. Click the Assignments tab

  4. Click Assign to add users and groups that can log in to Confidencial

✅ This completes the setup of Okta for use with Confidencial. You will now work with the Confidencial team to securely transmit application details.

Creating an application in Microsoft Entra ID (formerly Azure Active Directory)

  1. Log in to the Microsoft Azure portal and click Microsoft Entra ID

  2. Click App registrations from the side menu

  3. Click New Registration from the top toolbar

  4. Ensure the following settings are entered:

    1. Name: Confidencial

    2. Supported account types: Select “Accounts in this organizational directory only,” “Accounts in any organizational directory,” or “Accounts in any organizational directory and personal Microsoft accounts,” depending on who you want to be able to join your Confidencial organization

    ℹ️ Most organizations will want to select “Accounts in this organizational directory only,” since users outside your organization can log in to Confidencial via their own organization account or via an individual account.

    3. Redirect URI: Choose “Web” in the Select a platform drop down menu and enter https://auth.confidencial.io/login/callback in the input box

  5. Click Register

  6. Click App registrations from the side menu

  7. Click Confidencial in the list of applications (you may need to select the All applications tab to view it)

  8. Click Token configuration (under Manage) from the side menu

  9. Click Add optional claim

  10. Select ID, then select email, and then click Add

  11. Check the box to enable email permission, then click Add

  12. Return to the main Entra menu

  13. Click Enterprise applications from the side menu

  14. Click Confidencial in the list of applications

  15. Click Properties (under Manage) from the side menu

  16. If you want to specify the users that can log in to Confidencial, set Assignment required to “Yes”; otherwise, all users with a supported account type (as selected in Step 4.b above) will be able to log in to Confidencial

  17. Click App registrations from the side menu

  18. Click Confidencial in the list of applications (you may need to select the All applications tab to view it)

  19. Click Certificates & secrets (under Manage) from the side menu

  20. Click Add new client secret

    1. Description: Confidencial IDP integration

    2. Expires: 730 days (24 months)

  21. Click Add

⚠️ Make a note of the Value, as this client secret will need to be securely transmitted to Confidencial and is only viewable during initial creation. Record the expiry date as well; the secret must be rotated with Confidencial before it expires or logins will fail.

ℹ️ This completes creation of the Entra ID application and generates a client secret that must be securely transmitted to Confidencial during account setup (along with the Entra Domain and Client ID).

➡️ Proceed to the next section, Assigning users to an application in Entra ID

Assigning users to an application in Entra ID

ℹ️ These steps are only necessary if you set Assignment required to “Yes” in Step 16 of Creating an application in Microsoft Entra ID above.

  1. From the Microsoft Entra ID home screen, click Enterprise applications from the side menu

  2. Click Confidencial in the list of applications

  3. Click Users and groups (under Manage) from the side menu

  4. Click Add user/group to add users and groups that can log in to Confidencial

✅ This completes the setup of Entra ID for use with Confidencial. You will now work with the Confidencial team to securely transmit application details.

Setting elevated permissions for users in Entra ID

Generating CSV user files in Entra ID

  1. Click Users from the side menu

  2. Apply any filters needed to narrow the list to the users who will be assigned permissions

    ℹ️ For example, administrators may want to exclude users of the Guest type here

  3. Click Download users

  4. Input a name for the file and click Start download

  5. Once the export is complete, click “File is ready! Click here to download”

  6. Open the CSV file as a comma-delimited file, importing from row 1

  7. Add a new column to the end of the table called permissions

  8. Add comma separated permissions as a single string for each user that should have the related permissions in Confidencial - example: crud:members-org, crud:groups-org

ℹ️ Users whose permissions field is empty will have no admin permissions when the script is run later

  9. Save your changes once complete.

  10. Repeat Steps 2-9 for each additional CSV file you want to create.

Assigning user permissions in Entra ID via PowerShell scripts

  1. Click App registrations from the side menu

  2. Click Confidencial in the list of applications (you may need to select the All applications tab to view it)

  3. Click API Permissions (under Manage) from the side menu

  4. Click Add a permission

  5. Select Microsoft Graph from the list of options, then click Application permissions

  6. In the Select permissions search box, search for permission Directory.ReadWrite.All

  7. Expand Directory by clicking the “>” symbol

  8. Select the checkbox for Directory.ReadWrite.All and click Add permissions

  9. Click Grant admin consent for Confidencial and then Yes to confirm this action

    ⚠️ Directory.ReadWrite.All is a tenant-wide application permission: anyone holding the app registration’s client secret can modify any object in your directory. Protect that secret accordingly, and if you do not plan to rerun the scripts, consider removing the permission once user permissions have been assigned.

  10. Run createExtProp.ps1 using PowerShell to create the permissions extension property

    ℹ️ Contact your Confidencial support representative to obtain the PowerShell scripts

    1. You will need to supply the tenant ID, client ID, app ID, and client secret corresponding to your app registration for Confidencial as command-line arguments to the script

      1. If you do not know your client secret, you will need to create a new one for the app registration; be sure to keep your original secret that was created during the initial set up of the app registration

    2. Copy the extension property ID once created and save for a later step

      1. This will be listed under name and will take the form extension_<hexadecimal code>_permissions, where the hexadecimal code is the app registration’s application (client) ID with the dashes removed

  11. Click Token Configuration (under Manage) from the side menu

  12. Click Add optional claim

  13. Select the ID radio button then select the extn.permissions option in the list

  14. Click Add button

  15. Run setExtPropValues.ps1 using PowerShell to set the permissions extension properties values

    1. Execute this script once for each CSV file created for permissions assignment

✅ This completes adding permissions to your users for when they log in to Confidencial
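The PowerShell scripts themselves come from Confidencial support and are not reproduced here. As an added example that is not those scripts, the following Python assembles the two Microsoft Graph operations such scripts have to perform: creating a directory extension property named permissions on the app registration (which is why the property name comes back as extension_<application ID without dashes>_permissions in Step 10), and writing one PATCH per CSV row that sets that property on the user, so that it surfaces in the ID token as the extn.permissions optional claim added in Step 13. Requests are only assembled (a dry run), so it runs offline; sending them requires a token obtained with the app registration’s client secret and the Directory.ReadWrite.All grant from Steps 3-9. The CSV, its column names, and the tenant and application identifiers are constructed sample values.

```python
"""Microsoft Graph operations behind the permissions extension property.

Added example; these are not Confidencial's createExtProp.ps1 /
setExtPropValues.ps1 scripts, which you obtain from Confidencial support. It
shows the two Graph calls such scripts have to make: creating a directory
extension named `permissions` on the app registration (which is why the property
name comes back as extension_<appId without dashes>_permissions), and PATCHing
each user from the exported CSV with that property. Requests are only assembled
here (a dry run), so this runs offline; sending them requires a token from the
app registration holding Directory.ReadWrite.All, as granted above. The CSV,
column names, tenant and app identifiers are constructed sample values.
"""
import csv
import io
from typing import Optional

GRAPH = "https://graph.microsoft.com/v1.0"


def extension_property_name(app_id: str, attribute: str = "permissions") -> str:
    """Graph names a directory extension extension_<appId minus dashes>_<attribute>."""
    return f"extension_{app_id.replace('-', '')}_{attribute}"


def create_extension_property_request(app_object_id: str):
    """The POST that creates the property: a String extension on User objects."""
    body = {"name": "permissions", "dataType": "String", "targetObjects": ["User"]}
    return ("POST", f"{GRAPH}/applications/{app_object_id}/extensionProperties", body)


def normalize_permissions(field: str) -> Optional[str]:
    """Trim and re-join a comma-separated permissions field. An empty field
    means no admin permissions and becomes None, sent as JSON null to clear
    any value set on an earlier run."""
    perms = [p.strip() for p in field.split(",") if p.strip()]
    return ", ".join(perms) if perms else None


def user_patch_requests(csv_text: str, ext_name: str, exclude_user_types=("Guest",)):
    """One PATCH per CSV row, keyed on userPrincipalName. Rows whose userType
    is excluded (Guest by default, as suggested above) are skipped entirely."""
    requests_out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("userType") in exclude_user_types:
            continue
        upn = row["userPrincipalName"].strip()
        value = normalize_permissions(row.get("permissions") or "")
        requests_out.append(("PATCH", f"{GRAPH}/users/{upn}", {ext_name: value}))
    return requests_out


def token_request(tenant_id: str, client_id: str, client_secret: str):
    """Client-credentials token request for the app registration (the tenant
    ID, client ID and client secret the scripts take as arguments)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }
    return url, form


# Constructed sample export with the added `permissions` column (Steps 7-8 of
# "Generating CSV user files"). Column names are assumed, not taken from a
# real export.
SAMPLE_CSV = """id,userPrincipalName,displayName,userType,permissions
1,alice@example.com,Alice Admin,Member,"crud:members-org, crud:groups-org"
2,bob@example.com,Bob Member,Member,
3,carol_ext@example.com,Carol Guest,Guest,crud:groups-org
"""
SAMPLE_APP_ID = "11111111-2222-3333-4444-555555555555"  # constructed application (client) ID

if __name__ == "__main__":
    ext = extension_property_name(SAMPLE_APP_ID)
    print(create_extension_property_request("<app-object-id>"))
    for method, url, body in user_patch_requests(SAMPLE_CSV, ext):
        print(method, url, body)
```

Writing null for users with an empty permissions field matters when the script is rerun: a user removed from the admin list in a later CSV is actually stripped of the property rather than keeping a stale value from the previous run.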
