RADIUS MFA With Entra ID as IDP Using OAuth Password Grant


Microsoft Entra is Microsoft’s cloud-based Identity and Access Management (IAM) service, which helps your employees sign in and access resources. miniOrange provides a solution that lets users log in to VPNs that support RADIUS (OpenVPN, Fortinet, Palo Alto, Pulse Secure, etc.) with their existing Microsoft Entra credentials. Microsoft Entra supports standard authentication and authorization protocols such as LDAPS, SAML 2.0 and OAuth 2.0.

The Lightweight Directory Access Protocol (LDAP) is the protocol most often used to interact with a Microsoft Entra Domain Services managed domain. Follow this documentation if you do not have the Entra DS subscription.

Click here if you already have or are willing to purchase the Entra DS subscription, which supports LDAPS.

Get Free Installation Help


miniOrange offers free help through a consultation call with our System Engineers to configure SSO for different apps using Microsoft Entra ID as IDP in your environment, with a 30-day free trial.

To book a slot, just send us an email at idpsupport@xecurify.com and we'll help you in no time.


Follow the Step-by-Step Guide given below for Microsoft Entra ID Single Sign-On (SSO)

1. Configure miniOrange as SP in Microsoft Entra ID

  • Log in to Microsoft Entra ID Portal.
  • Select Microsoft Entra ID.

  • Click on App registrations >> New registration.

  • Enter any suitable Name of your choice. Under Supported account types, select Accounts in this organizational directory only (Single tenant). Click on Register.

  • Go to App registrations and search for the application that you added above.

  • Click on the application.
  • Microsoft Entra ID assigns a unique Application ID to your application. The Application ID is your Client ID and the Directory ID is your Tenant ID. Keep these values handy, as you will need them to configure the service provider.

  • Go to Certificates & Secrets from the left navigation panel and click on New Client Secret. Enter a description and expiration time, then click on Add.

  • Copy the secret key "Value" and keep it handy; it will be required later to configure the Client Secret under the miniOrange Service Provider.

  • Go to API permissions and check whether the User.Read permission is present. If not, add the User.Read permission. After this, click on Grant admin consent for <domain>.

  • Go to App registrations and click on Endpoints.

  • Copy OAuth 2.0 authorization endpoint and OAuth 2.0 token endpoint, and keep the values handy as they will be required later to configure the miniOrange Service Provider.

2. Configure Microsoft Entra ID as IDP in miniOrange

  • Go to miniOrange Admin Console.
  • From the left navigation bar select Identity Providers >> click Add Identity Provider. Select OAuth 2.0.

  • Enter the following values:
      IdP Name: Select Custom Provider from the dropdown menu
      IdP Display Name: Choose an appropriate name
      OAuth Authorize Endpoint: OAuth 2.0 authorization endpoint (from step 1)
      OAuth Access Token Endpoint: OAuth 2.0 token endpoint (from step 1)
      Client ID: From step 1
      Client secret: From step 1
      Grant Type: Password Grant
      Scope: openid
      Send Scope in Token Request: Enabled

  • Save the configuration.

3. Perform Test Connection for IDP in miniOrange

  • Search for the added Identity Provider and click on Select >> Test Connection.

  • Enter the credentials of any user in your Entra ID having access to the Entra ID application that you added. Click on Sign In.

  • The test should be successful.
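
With Grant Type set to Password Grant and Scope set to openid, a sign-in such as the Test Connection in step 3 comes down to one POST to the token endpoint copied in step 1. The following added example (not miniOrange's or Microsoft's code) builds that request and classifies the reply, so a failed test can be traced back to the step that caused it. The function names, the v2.0 endpoint with its TENANT_ID placeholder, the sample error and sending the client credentials in the form body are assumptions.

```python
import json
from urllib.parse import urlencode, parse_qs

# Subset of Entra AADSTS codes seen when a password-grant sign-in fails.
AADSTS_HINTS = {
    50034: "user not found in this tenant",
    50053: "account locked",
    50126: "invalid username or password",
    50076: "Entra demands MFA, which the password grant cannot satisfy",
    65001: "consent missing (Grant admin consent not completed)",
    7000215: "invalid client secret (copy the secret Value, not the Secret ID)",
    7000222: "client secret expired",
}

def build_ropc_request(token_endpoint, client_id, client_secret,
                       username, password, scope="openid"):
    """Return (url, headers, body) for an OAuth 2.0 password-grant request."""
    body = urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
        "username": username,
        "password": password,
    })
    return token_endpoint, {"Content-Type": "application/x-www-form-urlencoded"}, body

def interpret_token_response(status, raw_body):
    """Classify a token-endpoint reply without echoing tokens or secrets."""
    doc = json.loads(raw_body)
    if status == 200 and "access_token" in doc:
        return "ok: token issued, expires_in=%s" % doc.get("expires_in")
    hints = [AADSTS_HINTS.get(c, "unmapped AADSTS%d" % c)
             for c in doc.get("error_codes", [])]
    return "fail: %s (%s)" % (doc.get("error", "unknown"), "; ".join(hints))

# Constructed sample values; placeholders, not real tenant data.
SAMPLE_ENDPOINT = "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token"
SAMPLE_SECRET_ERROR = json.dumps({
    "error": "invalid_client",
    "error_description": "AADSTS7000215: Invalid client secret provided.",
    "error_codes": [7000215],
})

if __name__ == "__main__":
    url, headers, body = build_ropc_request(
        SAMPLE_ENDPOINT, "CLIENT_ID", "CLIENT_SECRET", "user@example.com", "example-password")
    print("POST", url, sorted(parse_qs(body)))  # field names only
    print(interpret_token_response(400, SAMPLE_SECRET_ERROR))
```

The request body carries the user's password and the client secret in clear form fields, so log only the field names or the classified result, as the example does.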
