Configure OIDC SSO between DigiCert and Microsoft Entra ID
Use this procedure to configure single sign-on (SSO) between your DigiCert® account and Microsoft Entra ID using OpenID Connect (OIDC).
To set up this sign in method, you need to switch between two tabs, DigiCert and Microsoft Entra, to exchange URLs and other information.
Note
For more information, refer to Entra Help Center.
Before you begin
You need elevated privileges in DigiCert account and Microsoft Entra to configure SSO:
Account admin user group required in DigiCert account.
Application Administrator or equivalent role required in Entra.
Access DigiCert's OIDC configuration page:
In the DigiCert® account menu, select the Accounts icon > sign in methods.
Select Single sign-on with OIDC.
Keep this tab open.
In another tab, create an OIDC app for your DigiCert account:
Sign in to your Microsoft Entra admin center.
Go to Devices > App registrations.
Select New registration.
Enter DigiCert account in the Name field.
In the Supported account types, keep the default Accounts in this organizational directory only.
In the Redirect URI section, select Web as the platform.
Leave the Redirect URI field blank for now.
Select Register.
Keep this tab open.
Provide the following Entra information to DigiCert:
Copy the Application (client) ID field and enter it in the following fields in DigiCert account:
Client ID
ID token audience
In the Client credentials field, select Add a certificate or secret.
On the Client secrets tab, select + New client secret.
In the Description field, enter a name.
In the Expires field, select a timeframe.
Select Add.
Copy the Value of the client secret you created and enter it into the Client secret field in DigiCert account.
In the application menu, select Overview > Endpoints.
Copy the OpenID Connect metadata document URL and enter it into the Provider URL in DigiCert account.
Example:
https://login.microsoftonline.com/a0b1c3-.../v2.0/.well-known/openid-configuration
In the left pane, select Overview.
Keep this tab open.
Provide DigiCert information to Entra:
In the Redirect URIs field, select Add a Redirect URI.
In the Platform configurations section, select + Add a platform.
Select Web.
In the Configure Web page:
Enter the Redirect URI from DigiCert account into the Redirect URIs field.
Enter the Logout URL from DigiCert account into the Front-channel logout URL field.
Select Configure.
On the Platform configurations page, in the Web Redirect URIs section, select Add URI.
Enter the Login URL from DigiCert account.
Select Save.
In Entra's application menu, select Overview.
In the Application ID URI field, select Add an Application ID URI.
In the Application ID URI field, select Add.
Select Save.
In the Enable/Disable SSO with SAML section, switch to enable SSO.
Select Save configuration.
Ensure that all users in your DigiCert account are assigned to the SAML application in Microsoft Entra admin center:
Go to Manage > Enterprise applications.
Select the DigiCert account application you created.
From the application's overview, select Assign users and groups.
Select +Add user/group.
Attempt to sign in to DigiCert account, using your Entra credentials:
Sign in to DigiCert® account.
Provide your Entra username.
Select Sign in with your company's SSO.
Tip
When 2FA is enabled, DigiCert skips the OTP prompt if you have already provided an OTP to your IdP.
Your SAML app is configured correctly if:
You use 2FA to access your IdP, and you're automatically signed in to your DigiCert account.
You don't use 2FA to access your IdP, you're redirected to your DigiCert account and asked to finish two-factor authentication (2FA).
If you aren't able to sign in with SSO, compare your app settings to these instructions or contact DigiCert Support for assistance.