Connecting your identity provider to the Confidencial Key Server
Last updated
Log in to the
Click Microsoft Entra ID
Click App registrations from the side menu
Click New Registration from the top toolbar
Ensure the following settings are entered:
Name: Confidencial-OPKSS
Supported account types: Select either “Accounts in this organizational directory only,” “Accounts in any organizational directory,” or “Accounts in any organizational directory and personal Microsoft accounts,” depending on who you want to be able to join your Confidencial organization
ℹ️ Most organizations will want to select “Accounts in this organizational directory only,” as users outside your organization can log in to Confidencial via their own or via an .
Redirect URI: Choose “Single-page application (SPA)” in the Select a platform drop-down menu and enter https://my.confidencial.io/auth-management in the input box
Click Register
Click Manifest (under Manage), then change the value of acceptMappedClaims (Line 3) from null to true
ℹ️ Setting acceptMappedClaims to true declares that this application accepts tokens whose claims have been modified by claims-mapping policies without a custom signing key. Microsoft warns not to set it to true for multi-tenant apps, since that can allow malicious actors to create claims-mapping policies for your app; if you chose one of the multi-tenant account types above, review that choice before saving.
Click Save
Return to the main Entra page and click Enterprise applications from the side menu
Click Confidencial-OPKSS in the list of applications
Click Single sign-on (under Manage)
Click the Edit button for Attributes and Claims
Click Add new claim
Input a Name of https://confidencial.io/email, Source will be Attribute, and Source attribute will be user.mail.
Click Save
Click Add new claim
Input a Name of org_id, Source will be Transformation, and enter the following values:
Transformation: RegexReplace()
Parameter 1: Attribute
Attribute name: user.city
Regex pattern: ^.*$
Replacement pattern: This value will be provided by your Confidencial support representative
Click Add to add the transformation
Click Save
Return to the main page for the enterprise application Confidencial-OPKSS
Click Properties (under Manage) from the side menu
If you want to restrict which users can log in to Confidencial, set Assignment required to “Yes”; otherwise, all users* will be able to log in to Confidencial
ℹ️ *All users with a supported account type as selected under Supported account types above
ℹ️ This completes creation of the Entra ID application. The registration has a *Client ID* that must be securely transmitted to Confidencial during account setup (along with the *Entra Domain*). Optionally, you may continue to the next section to configure automatic user and group provisioning via SCIM.
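After the registration and claims mapping above, a practitioner will want to confirm that an ID token issued to https://my.confidencial.io/auth-management actually carries the two custom claims. The Python below is an added example, not Confidencial's or Microsoft's code: it decodes a token's payload and checks aud, iss, exp, the https://confidencial.io/email claim and org_id against the values the steps above should produce. The tenant, client and org identifiers and the HS256-signed sample tokens are constructed for the example; Entra issues RS256 tokens whose signatures must be verified against the tenant JWKS before any of these claims are trusted, which this configuration check deliberately does not do.

```python
import base64
import hashlib
import hmac
import json
import time

# Claim names configured in the Attributes & Claims steps above.
EMAIL_CLAIM = "https://confidencial.io/email"
ORG_CLAIM = "org_id"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWT WITHOUT verifying its signature.

    Configuration check only: in production, validate the RS256 signature
    against the tenant's JWKS before trusting any claim read here.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims: dict, client_id: str, tenant_id: str,
                 expected_org_id: str, now=None) -> list[str]:
    """Compare an ID token's claims with what the steps above should produce.

    Returns human-readable problems; an empty list means audience, issuer,
    lifetime and both custom claims are what the configuration expects.
    """
    now = int(time.time()) if now is None else now
    problems = []
    # aud must be the Client ID of the Confidencial-OPKSS registration.
    if claims.get("aud") != client_id:
        problems.append(f"aud {claims.get('aud')!r} != client ID")
    # Issuer of v2.0 tokens for a single tenant.
    expected_iss = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if claims.get("iss") != expected_iss:
        problems.append(f"iss {claims.get('iss')!r} != {expected_iss}")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("token expired or exp missing")
    # The email claim is mapped from user.mail; it must look like an address.
    email = claims.get(EMAIL_CLAIM)
    if not email or "@" not in email:
        problems.append(f"{EMAIL_CLAIM} missing or not an address: {email!r}")
    # The RegexReplace transformation must yield exactly the org id.
    if claims.get(ORG_CLAIM) != expected_org_id:
        problems.append(f"{ORG_CLAIM} {claims.get(ORG_CLAIM)!r} != {expected_org_id!r}")
    return problems


def make_sample_token(payload: dict, key: bytes = b"constructed-demo-key") -> str:
    """Build an HS256-signed JWT as constructed test input only.

    Entra issues RS256 tokens; HS256 is used here so the sample runs offline.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


# Constructed identifiers: NOT real tenant, client or org values.
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_CLIENT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_ORG = "org-example-0001"
SAMPLE_NOW = 1_700_000_000
_BASE = {
    "aud": SAMPLE_CLIENT,
    "iss": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/v2.0",
    "iat": SAMPLE_NOW, "nbf": SAMPLE_NOW, "exp": SAMPLE_NOW + 3600,
    "preferred_username": "alice@example.com",
}
# Token as the steps above should produce it.
SAMPLE_GOOD = make_sample_token({**_BASE, EMAIL_CLAIM: "alice@example.com",
                                 ORG_CLAIM: SAMPLE_ORG})
# Same token with the claims-mapping steps skipped: no custom claims.
SAMPLE_UNMAPPED = make_sample_token(dict(_BASE))


def audit(token: str, now=SAMPLE_NOW) -> list[str]:
    return check_claims(jwt_claims(token), SAMPLE_CLIENT, SAMPLE_TENANT,
                        SAMPLE_ORG, now=now)


if __name__ == "__main__":
    for name, tok in (("good", SAMPLE_GOOD), ("unmapped", SAMPLE_UNMAPPED)):
        print(name, audit(tok) or "OK")
```

To use it against a real tenant, paste an ID token obtained from a test login into `audit` with your own client ID, tenant ID and org ID; an empty list confirms that acceptMappedClaims and both claims were applied, and a report naming org_id usually means the RegexReplace transformation was saved without the replacement value from Confidencial support.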
Click Enterprise applications from the Entra ID main menu
Click New application
Click Create your own application
For the name of the application, enter Confidencial-OPKSS-SCIM
Select Integrate any…(Non-gallery) from the list of options and click Create
Select Users and groups (under Manage) from the side menu
Associate users and groups with this new application. These are the users and groups that will be automatically synchronized with Confidencial.
Click Provisioning (under Manage) from the side menu. You may have to select Provisioning (under Manage) a second time to display the Provisioning Mode setting.
Set Provisioning Mode to Automatic
Under Admin Credentials, enter the following settings:
Tenant URL: https://opkss.confidencial.io/{orgId}/scim/v2/?aadOptscim062020, where {orgId} is your organization’s ID, which is provided by your Confidencial support representative
ℹ️ The Entra ID implementation requires the `?aadOptscim062020` parameter to achieve full SCIM compliance.
Token: the SCIM token created by signing in to the Confidencial application as an admin and generating a token under the organization settings page. Treat it as a credential: it authorizes every provisioning request Entra ID sends to the Tenant URL.
Test your connection settings. If there are any issues here, please reach out to a Confidencial support representative for further assistance.
Click Save
Click Overview
Click Start provisioning
ℹ️ By default, the provisioning interval is 40 minutes; this, as well as the option to send an email notification when a failure occurs, can be adjusted from the Settings dropdown menu.