Connecting your identity provider to Confidencial
Last updated
ℹ️ This document shows you how to connect to your identity provider, allowing your enterprise’s users to log in to Confidencial using their existing accounts.
⚠️ Please contact your Confidencial support representative before beginning this process to ensure you have the proper components to proceed.
The details of how to connect to your identity provider (IDP) vary depending on the IDP being connected, but in most cases, the process amounts to creating an application within your IDP and then assigning users to that application. See the links below for how to connect to your IDP.
Log in to your Okta instance’s admin portal
Click Applications under the Applications item in the side menu
Click the Create App Integration button
Select OIDC - OpenID Connect and Web Application for Sign-in method and Application type, respectively; click Next
Ensure the following settings are entered:
App integration name: Confidencial
Grant type: Authorization Code (the only option that should be selected)
Sign-in redirect URIs: https://auth.confidencial.io/login/callback
Sign-out redirect URIs: https://my.confidencial.io
⚠️ Redirect URIs will be different than those listed above for sandbox deployments. Your Confidencial technical contact will provide these URIs in these cases.
For Controlled access, select either “Allow everyone in your organization to access” or “Limit access to selected groups,” depending on who you want to be able to log in to Confidencial.
If you selected “Allow everyone…,” leave “Enable immediate access with Federation Broker Mode” selected if you want everyone in your organization to be able to access Confidencial. Deselect “Enable immediate access with Federation Broker Mode” if you want to specify the users and groups that can access Confidencial.
If you selected “Limit access…,” enter the group(s) you’d like to access Confidencial under Selected group(s).
Click Save
ℹ️ This completes creation of the Okta application and generates a Client Secret that must be securely transmitted to Confidencial during account setup (along with the Okta Domain and Client ID).
➡️ Proceed to the next section, Creating Confidencial roles for Okta users
Click Groups under the Directory item in the side menu
Click Add Group
In the Name field, enter a name for the role (Okta group). In this example, we create a role called C11-Admins.
In the Description field, enter the Confidencial permissions you would like to grant to members of this role
crud:config-org: Allows an administrator to create, read, and delete admin config settings for an organization
crud:invitations-org: Allows an administrator to create, read, and delete invitations for an organization
crud:signature-keys-org: Allows an administrator to create and update (replace) electronic signature keys from all members in an organization
crud:groups-org: Allows an administrator to create, read, update, and delete groups within an organization
Click Save
With the Okta group created, take note of the Okta group ID; this will be needed in the next section, Creating the Okta authorization server for Confidencial
To get the group ID of the group you created, go to the group in Okta and note the last part of the URL
In the example above, the group ID is 00g9372cmsozlGYI25d7
Add the users to the group to which you would like to assign these permissions
🔁 Repeat Steps 1-7 above for each role you would like to define in the Confidencial system. You can create up to 100 roles for Confidencial users, roles can contain any combination of permissions, and users can belong to any combination of roles.
➡️ Proceed to the next section, Creating the Okta authorization server for Confidencial
Click API under the Security item in the side menu
Click Add Authorization Server
For Name, enter Confidencial, and for Audience enter api://confidencial.io
Click the Scopes tab, then click Add Scope
Enter the following values:
Name: groups
Display phrase: groups
Description: Allows group membership to be passed in token
Use default values for the other fields, as shown below
Click Access Policies, then click Add New Access Policy
Enter the following values:
Name: Default
Description: Default
Assign to: Add the Okta application you created in the previous section, Creating an application in Okta
Add a rule to govern access to this authorization server, ensuring that “authorization code” is permitted; set access token and refresh token lifetimes as desired
Click the Claims tab, then click Add Claim
Enter the following values:
Name: permissions
Value: Arrays.flatten(getFilteredGroups({"group-id-1", "group-id-2", ... , "group-id-n"}, "Arrays.flatten(group.description)", 100))
Replace "group-id-1", "group-id-2", ... , "group-id-n" in the above statement with the list of group IDs you created in the section above, Creating Confidencial roles for Okta users. Group IDs should be wrapped in double quotes (") and separated by commas (,), with the entire list of group IDs wrapped in curly braces ({ }).
Use default values for the other fields, as shown below
Click Create
➡️ Proceed to the next section, Assigning users to an application in Okta
ℹ️ These steps are not necessary if you left “Enable immediate access with Federation Broker Mode” selected in Step 6 of Creating an application in Okta above.
Click Applications under the Applications item in the side menu
Click Confidencial in the list of applications
Click the Assignments tab
Click Assign to add users and groups that can log in to Confidencial
✅ This completes the setup of Okta for use with Confidencial. You will now work with the Confidencial team to securely transmit application details.
Click Microsoft Entra ID
Click App registrations from the side menu
Click New Registration from the top toolbar
Ensure the following settings are entered:
Name: Confidencial
Supported account types: Select either “Accounts in this organizational directory only,” “Accounts in any organizational directory,” or “Accounts in any organizational directory and personal Microsoft accounts,” depending on who you want to be able to join your Confidencial organization
Redirect URI: Choose “Web” in the Select a platform drop-down menu and enter https://auth.confidencial.io/login/callback in the input box
Click Register
Click App registrations from the side menu
Click Confidencial in the list of applications (you may need to select the All applications tab to view it)
Click Token configuration (under Manage) from the side menu
Click Add optional claim
Select ID, then select email, and then click Add
Check the box to enable email permission, then click Add
Return to the main Entra menu
Click Enterprise applications from the side menu
Click Confidencial in the list of applications
Click Properties (under Manage) from the side menu
If you want to specify the users that can log in to Confidencial, set Assignment required to “Yes”; otherwise, all users* will be able to log in to Confidencial
Click App registrations from the side menu
Click Confidencial in the list of applications (you may need to select the All applications tab to view it)
Click Certificates & secrets (under Manage) from the side menu
Click Add new client secret
Description: Confidencial IDP integration
Expires: 730 days (24 months)
Click Add
⚠️ Make note of Value, as this client secret will need to be securely transmitted to Confidencial and is only viewable during initial creation.
ℹ️ This completes creation of the Entra ID application and generates a client secret that must be securely transmitted to Confidencial during account setup (along with the Entra Domain and Client ID).
➡️ Proceed to the next section, Assigning users to an application in Entra ID
ℹ️ These steps are only necessary if you selected “Yes” for Assignment required in Step 10 above.
From the Microsoft Entra ID home screen, click Enterprise applications from the side menu
Click Confidencial in the list of applications
Click Users and groups (under Manage) from the side menu
Click Add user/group to add users and groups that can log in to Confidencial
✅ This completes the setup of Entra ID for use with Confidencial. You will now work with the Confidencial team to securely transmit application details.
Click Users from the side menu
Apply any filters you want in order to narrow down the list of users that will be granted a particular set of permissions, or any permissions at all
ℹ️ For example, admins may want to exclude the Guest user type here
Click Download users
Input a name for the file and click Start download
Click File is ready! Click here to download once the file is complete
Open the CSV file as comma delimited starting at row 1
Add a new column to the end of the table called permissions
Add the comma-separated permissions as a single string for each user that should have the related permissions in Confidencial, for example: crud:members-org, crud:groups-org
ℹ️ Users whose permissions field is empty will have no admin permissions when the script is run later
Save your changes once complete.
Complete steps 2-7 for as many other CSV files as you might want to create.
Click App registrations from the side menu
Click Confidencial in the list of applications (you may need to select the All applications tab to view it)
Click API Permissions (under Manage) from the side menu
Click Add a permission
Select Microsoft Graph from the list of options, then click Application permissions
In the Select permissions search box, search for permission Directory.ReadWrite.All
Expand Directory by clicking the “>” symbol
Select the checkbox for Directory.ReadWrite.All
and click Add permissions
Click Grant Admin Consent for Confidencial and then Yes to confirm this action
Run createExtProp.ps1 using PowerShell to create the permissions extension property
ℹ️ Contact your Confidencial support representative to obtain the PowerShell scripts
You will need to supply the tenant ID, client ID, app ID, and client secret corresponding to your app registration for Confidencial as command-line arguments to the script
If you do not know your client secret, you will need to create a new one for the app registration; be sure to keep your original secret that was created during the initial set up of the app registration
Copy the extension property ID once created and save for a later step
This will be listed under Name and will take the form extension_<hexadecimal code>_permissions
Click Token Configuration (under Manage) from the side menu
Click Add optional claim
Select the ID radio button, then select the extn.permissions option in the list
Click the Add button
Run setExtPropValues.ps1 using PowerShell to set the permissions extension property values
Execute this script for each CSV file created for permissions assignment
✅ This completes adding permissions to your users for when they log in to Confidencial
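As an added check that is not part of this page or of the Confidencial scripts, the following Python snippet lints a permissions CSV prepared as described above before it is handed to setExtPropValues.ps1: it confirms the permissions column exists, that every value is one of the Confidencial permission names listed on this page, and flags any Guest user that would receive admin permissions. The column names userPrincipalName and userType, and the sample rows, are assumptions constructed for the example.

```python
import csv
import io

# Confidencial permission names listed on this page.
KNOWN_PERMISSIONS = {
    "crud:config-org", "crud:invitations-org", "crud:signature-keys-org",
    "crud:groups-org", "crud:members-org", "crud:recovery-keys-org",
    "read:events-org", "crud:encryption-keys-org", "crud:groups-scim-tokens-org",
}

# Constructed sample of an Entra user export with the added permissions column
# (the userPrincipalName/userType column names are assumed, not taken from the page).
SAMPLE_CSV = """userPrincipalName,displayName,userType,permissions
alice@example.com,Alice,Member,"crud:members-org, crud:groups-org"
bob@example.com,Bob,Member,
carol@example.com,Carol,Guest,crud:config-org
dave@example.com,Dave,Member,"crud:members-org, crud:delete-everything"
"""


def parse_permissions(cell):
    """Split the comma-separated cell into permission names; an empty cell means no admin permissions."""
    return [p.strip() for p in (cell or "").split(",") if p.strip()]


def lint_permissions_csv(text):
    """Return (accepted, problems): accepted maps each valid user to the single
    comma-separated string the script expects; problems lists rows to fix first."""
    reader = csv.DictReader(io.StringIO(text))
    accepted, problems = {}, []
    if "permissions" not in (reader.fieldnames or []):
        return accepted, ["missing 'permissions' column"]
    for row in reader:
        upn = (row.get("userPrincipalName") or "").strip()
        perms = parse_permissions(row.get("permissions"))
        unknown = sorted(set(perms) - KNOWN_PERMISSIONS)
        if unknown:
            problems.append(f"{upn}: unknown permission(s) {unknown}")
        elif perms and (row.get("userType") or "").strip().lower() == "guest":
            problems.append(f"{upn}: guest user would receive admin permissions")
        else:
            # Deduplicate while keeping order, and normalise to one string per user.
            accepted[upn] = ", ".join(dict.fromkeys(perms))
    return accepted, problems


if __name__ == "__main__":
    ok, issues = lint_permissions_csv(SAMPLE_CSV)
    for upn, perms in ok.items():
        print(f"OK   {upn}: {perms or '(no admin permissions)'}")
    for issue in issues:
        print(f"FIX  {issue}")
```

Run it against each CSV before the script; only rows that come back in the accepted set should be applied.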
ℹ️ These steps allow you to define Confidencial “roles” that allow you to grant various to your users by using Okta groups. The Confidencial permissions granted are determined by the description fields of the Okta groups to which each user belongs.
ℹ️ For a Confidencial user to be able to exercise any of the permissions described below, they must be within the Confidencial system
crud:members-org: Allows an administrator to
crud:recovery-keys-org: Allows an administrator to create, read, and deactivate that are used by an organization
read:events-org: Allows an administrator to see all within an organization
crud:encryption-keys-org: Allows an administrator to create and update (replace) for all members in an organization
crud:groups-scim-tokens-org: Allows an administrator to create, read, update (replace), and delete tokens that are used by the enterprise’s identity provider to make calls to the SCIM endpoints of
Log in to the
ℹ️ Most organizations will want to select “Accounts in this organizational directory only,” as users outside your organization can log in to Confidencial via their own or via an .
* All users with a supported account type specified in Step 5.b above