
DigiCert ONE Login – Microsoft Entra ID (Azure Active Directory)

This guide provides all the steps needed to integrate Microsoft Entra ID (formerly Azure Active Directory) with your existing DigiCert services so your users can sign in to DigiCert Trust Assistant with single sign-on through either OIDC or SAML authentication.

Prerequisites

Before you begin, ensure that you have administrator access to the Entra ID domain with edit permission to register and configure App registrations. For more details, refer to the official Microsoft Entra documentation.

OIDC configuration steps

Perform the following steps to configure OIDC authentication:

  1. Sign in to DigiCert ONE as an administrator with permissions to configure the account’s SSO settings.

  2. Navigate to Single sign-on with OIDC and select Edit.

  3. Select Enable OIDC authentication.

    Note

    Make sure the page remains open, since you will need to reference information here later.

  1. Sign in to the Entra ID portal and go to Microsoft Entra ID.

  2. Go to App registrations > New registration.

  3. On the Register an application page, enter the following details:

    • Name: Name of the new application.

    • Supported account types: Select the Accounts in this organizational directory only (<Your account name> only - Single tenant) option.

    • Redirect URI (Optional): For Select a platform, select Web, and copy and paste the Redirect/callback URL from the DigiCert ONE Login OIDC settings page into the input field.

  4. Select Register.

  1. After the app is registered in Entra ID, copy the Application (client) ID shown in the Overview page and save it for later use.

  2. Select Endpoints; the Endpoints panel opens. Copy the following URLs from the panel and save them for later use:

    • OAuth 2.0 authorization endpoint (v2)

    • OAuth 2.0 token endpoint (v2)

    • OpenID Connect metadata document

  3. Open the OpenID Connect metadata document URL in another browser tab. It shows the metadata in JSON format. Copy the jwks_uri and issuer values from the JSON and save them for later use.

  4. Select the Add a certificate or secret link on the main page (or select Manage > Certificates & secrets from the menu).

  5. Select New client secret and, on the Add a client secret panel, enter the following details:

    • Description: A brief description of the client secret.

    • Expires: Expiry date of the client secret.

  6. Select Add. The client secret is generated. Copy the Value and save it for later use.

  7. Go back to the DigiCert ONE OIDC configuration page. Enter the previously saved values:

    • Authorization endpoint: Enter the saved OAuth 2.0 authorization endpoint (v2) URL.

    • Token endpoint: Enter the saved OAuth 2.0 token endpoint (v2) URL.

    • JWKS endpoint: Enter the saved jwks_uri value that you copied from the JSON displayed when you opened the OpenID Connect metadata document URL.

    • Client secret: Enter the Value of the generated client secret.

    • Client ID: Enter the Application (client) ID.

    • ID token audience: Enter the Application (client) ID.

    • ID token issuer: Enter the saved issuer value that you copied from the JSON displayed when you opened the OpenID Connect metadata document URL.

  8. Select Update OIDC.

Try logging in to DigiCert Trust Assistant using your Entra ID account. Refer to Test user creation and certificate issuance for more details.
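The values entered in step 7 all come from the OpenID Connect metadata document opened in step 3, plus the Application (client) ID. The following script is an added example, not part of this guide or of DigiCert's or Microsoft's code: it reads a constructed copy of that document (the tenant ID is a placeholder) and produces the six DigiCert ONE OIDC fields, rejecting a document whose endpoints are not HTTPS, are on an unexpected host, belong to a different tenant, or mix the v1 issuer with the (v2) endpoints.

```python
import json
from urllib.parse import urlparse

# Constructed sample of an Entra ID OpenID Connect metadata document.
# The tenant ID is a placeholder; the real document is served at the
# "OpenID Connect metadata document" URL shown on the Endpoints panel.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
})

# DigiCert ONE OIDC settings fields mapped to the discovery-document keys they come from.
DIGICERT_FIELDS = {
    "Authorization endpoint": "authorization_endpoint",
    "Token endpoint": "token_endpoint",
    "JWKS endpoint": "jwks_uri",
    "ID token issuer": "issuer",
}


def _check_url(name, value, tenant_id):
    """Reject anything that is not an HTTPS URL on the Entra host for this tenant."""
    u = urlparse(value)
    if u.scheme != "https":
        raise ValueError(f"{name} must use https: {value}")
    if u.hostname != "login.microsoftonline.com":
        raise ValueError(f"{name} points at an unexpected host: {u.hostname}")
    if f"/{tenant_id}/" not in u.path:
        raise ValueError(f"{name} does not belong to tenant {tenant_id}: {value}")


def digicert_oidc_settings(metadata_json, client_id, tenant_id):
    """Return the values to enter on the DigiCert ONE OIDC page, after sanity checks."""
    md = json.loads(metadata_json)
    settings = {}
    for label, key in DIGICERT_FIELDS.items():
        if key not in md:
            raise ValueError(f"metadata document is missing '{key}'")
        _check_url(label, md[key], tenant_id)
        settings[label] = md[key]
    # The (v2) endpoints copied in step 2 pair with the /v2.0 issuer; a v1 issuer
    # would make every ID token fail the issuer check in DigiCert ONE.
    if not settings["ID token issuer"].endswith("/v2.0"):
        raise ValueError("issuer is not the v2.0 issuer; use the (v2) endpoints and issuer together")
    if "RS256" not in md.get("id_token_signing_alg_values_supported", []):
        raise ValueError("IdP does not advertise RS256 for ID tokens")
    # Entra places the app's client ID in the ID token's aud claim, hence the same value twice.
    settings["Client ID"] = client_id
    settings["ID token audience"] = client_id
    return settings


if __name__ == "__main__":
    for label, value in digicert_oidc_settings(SAMPLE_METADATA, "<your-client-id>", TENANT_ID).items():
        print(f"{label}: {value}")
```

Run it against the real document by replacing SAMPLE_METADATA with the JSON fetched from the metadata URL and TENANT_ID with your tenant's ID; any ValueError means the copied value should not be pasted into DigiCert ONE as-is.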

Add claims to ID Token

This section explains how to configure Microsoft Entra ID to relay user attributes to DigiCert ONE through an OIDC ID token. Refer to IdP attribute mapping for general information about this topic. The user groups attribute is used as the example.

Perform the following steps to add this claim:

  1. In Microsoft Entra ID, go to Manage > App registrations, select All applications to show all applications, and select the application created in the previous step.

  2. Go to Manage > Token configuration.

  3. Select Add groups claim.

  4. In the Edit groups claim pane, select the Security groups checkbox, and then select Add. The groups claim is added to the ID token when the user signs in through Entra ID.

The groups claim is added to the ID token relayed during login:

"payload": {
  ...
  "groups": [
    "c4f28736-bd27-4501-a8a1-f4c9a4516017"
  ],
  ...
},
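The ID token carrying that claim is only trustworthy after its signature has been checked against the jwks_uri keys and its issuer and audience have been compared with the ID token issuer and ID token audience values configured above. As an added example (not code from this guide, DigiCert or Microsoft), the script below builds a constructed, RS256-labelled ID token with a placeholder signature, decodes its payload, performs the issuer, audience and validity-window checks, and extracts the groups claim; the group ID is the page's sample value and the issuer and client ID are placeholders. Signature verification is assumed to have already been done by the relying party and is not repeated here.

```python
import base64
import json
import time

SAMPLE_ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
SAMPLE_CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # placeholder Application (client) ID
SAMPLE_GROUP = "c4f28736-bd27-4501-a8a1-f4c9a4516017"       # group object ID from the page's sample


def _b64url_decode(segment):
    """Decode one base64url JWT segment (JWTs strip the '=' padding)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def build_sample_id_token(payload):
    """Constructed ID token: real header/payload layout, placeholder signature segment."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.placeholder-signature"


def id_token_groups(token, expected_issuer, client_id, now=None):
    """Return the groups claim after checking iss, aud, exp and nbf against the configured values."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "RS256":
        # Entra signs ID tokens with RS256; anything else (including 'none') is rejected outright.
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != expected_issuer:
        raise ValueError("issuer does not match the configured ID token issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise ValueError("token was not issued for the configured ID token audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token has expired")
    if now < int(claims.get("nbf", 0)):
        raise ValueError("token is not yet valid")
    if "groups" not in claims and "groups" in claims.get("_claim_names", {}):
        # Entra replaces the claim with a claim-source pointer when the user is in too many
        # groups; treating that as "no groups" would silently drop the user's memberships.
        raise ValueError("groups overage: the group list was not embedded in the token")
    groups = claims.get("groups", [])
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise ValueError("groups claim is not a list of group IDs")
    return groups


SAMPLE_TOKEN = build_sample_id_token({
    "iss": SAMPLE_ISSUER, "aud": SAMPLE_CLIENT_ID,
    "nbf": 900, "exp": 2000, "groups": [SAMPLE_GROUP],
})

if __name__ == "__main__":
    print(id_token_groups(SAMPLE_TOKEN, SAMPLE_ISSUER, SAMPLE_CLIENT_ID, now=1000))
```

The `now` parameter is there so the validity window can be tested deterministically; in practice leave it unset so the current time is used.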

Note

To add other attributes, select Add optional claim in step 3 and select ID as the Token type. Select the desired claim to add to the ID token.

SAML configuration steps

Perform the following steps to configure SAML authentication:

  1. Sign in to DigiCert ONE as an administrator with permissions to configure the account’s SSO settings.

  2. Navigate to Single sign-on with SAML and select Edit.

  3. Select Enable SAML authentication.

  4. Select Download DigiCert metadata.

    Note

    Make sure the page remains open, since you will need to reference information here later.

  1. Sign in to the Entra ID portal and go to Microsoft Entra ID.

  2. Go to Manage > Enterprise applications.

  3. Select New application.

  4. Select Create your own application.

  5. On the Create your own application panel, enter the following details:

    • What’s the name of your app?: Name of your application.

    • What are you looking to do with your application: Select the Integrate any other application you don’t find in the gallery (Non-gallery) option.

  6. Select Create.

  1. Go to Manage > Single sign-on.

  2. In the Select a single sign-on method section, select SAML.

  3. Select Upload metadata file.

  4. Select the Upload icon to upload the metadata file downloaded from DigiCert ONE SAML configuration and select Add.

  5. In the Basic SAML Configuration pane, select Save.

  6. Scroll down to the SAML Certificates section and select Download next to the Federation Metadata XML.

  7. Go back to the DigiCert ONE SAML configuration page and select Upload IDP metadata.

  8. Select the Federation Metadata XML file that you have downloaded from the Entra ID portal and select Save.

This section explains per-user assignment; depending on the Entra ID plan level, you may also be able to assign users based on groups.

  1. On the Entra ID page, go to Manage > Users and groups.

  2. Select Add user/group.

  3. On the Add Assignment page, in the Users section, select None Selected.

  4. In the All tab, select the checkboxes for the users you want to allow to sign in to DigiCert ONE with SAML.

  5. Click the Select button to close the pane.

  6. Select Assign.

  1. In Microsoft Entra ID, go to Manage > Single sign-on and scroll down to the Token signing certificate section.

  2. Select Edit.

  3. In the SAML Signing Certificate pane, select the Sign SAML response and assertion option from the Signing Option dropdown menu.

  4. Select Save.

Note

If OIDC is also enabled for the DigiCert ONE account, disable it before performing the test.

Try logging in to DigiCert Trust Assistant using your Entra ID account. Refer to Test user creation and certificate issuance for more details.

Add SAML attributes to SAML assertion

This section explains how to configure Microsoft Entra ID to relay user attributes to DigiCert ONE through the SAML assertion. Refer to IdP attribute mapping for general information about this topic. The user groups attribute is used as the example.

  1. Go to Manage > Enterprise applications, and select the application created in the previous step.

  2. Go to Manage > Single sign-on.

  3. Scroll down to Attributes & Claims section and click Edit.

  4. Click Add a group claim.

  5. In the Group Claims pane, select the Security groups option (or another group selection, depending on your target group scope).

  6. Click Save.

The groups attribute is added under the AttributeStatement section of the SAML assertion relayed during login:

<AttributeStatement>
  ...
  <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
    <AttributeValue>a00dca3f-393d-4732-9e1a-73f1f2bb1f71</AttributeValue>
    <AttributeValue>c4f28736-bd27-4501-a8a1-f4c9a4516017</AttributeValue>
  </Attribute>
  ...
</AttributeStatement>
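Two things matter on the receiving side of that assertion: the group values must be read from the signed Assertion only, and, because the Sign SAML response and assertion option was selected in the Token signing certificate step, both the Response and the Assertion should carry a Signature element. The script below is an added example, not code from this guide or from DigiCert or Microsoft. It parses a constructed SAML Response (placeholder tenant ID and placeholder signature contents; the two group IDs are the page's sample values), reports which elements are signed, and extracts the group object IDs from the Microsoft groups claim URI. Cryptographic signature validation is assumed to be performed separately and is not implemented here.

```python
import xml.etree.ElementTree as ET  # for untrusted XML in production, parse with defusedxml instead

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
GROUPS_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed SAML Response: a signed Response wrapping a signed Assertion with the groups
# attribute as Entra emits it. Tenant ID and signature contents are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" Version="2.0">
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_assert1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>a00dca3f-393d-4732-9e1a-73f1f2bb1f71</saml:AttributeValue>
        <saml:AttributeValue>c4f28736-bd27-4501-a8a1-f4c9a4516017</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def signature_coverage(response_xml):
    """Report whether the Response and its single Assertion each carry a ds:Signature element."""
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        # More than one Assertion is a classic place for a smuggled, unsigned assertion.
        raise ValueError(f"expected exactly one Assertion, found {len(assertions)}")
    return {
        "response": root.find("ds:Signature", NS) is not None,
        "assertion": assertions[0].find("ds:Signature", NS) is not None,
    }


def saml_groups(response_xml):
    """Return the group object IDs from the Assertion's AttributeStatement."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response contains no Assertion")
    groups = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != GROUPS_ATTR:
            continue  # other attributes are handled by the general IdP attribute mapping
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                groups.append(value.text.strip())
    return groups


if __name__ == "__main__":
    print(signature_coverage(SAMPLE_RESPONSE))
    print(saml_groups(SAMPLE_RESPONSE))
```

If `signature_coverage` reports `False` for either element after the Signing Option step, the Entra side has not been saved with Sign SAML response and assertion.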

Note

To add other attributes, select Add a group claim in step 4, and on the new page enter the Name and the Source attribute of the desired attribute, then select Save.