Entra IDP integration

Info
This guide walks you through configuring Azure Active Directory (Azure AD, now Microsoft Entra ID) as an Identity Provider (IdP) in the Kelvin Zero Multi-Pass Authentication Service (MPAS) using OpenID Connect.
Warning
Prerequisites :
- An Azure Active Directory tenant
- A Global Administrator account in Azure
- Access to the Kelvin Zero MPAS administration console
Important: Custom elements in URLs (like realm names) are case sensitive. Make sure to match the exact casing from your environment.

Step 1: Register the Application in Azure AD

  1. Log in to the Azure Portal (https://portal.azure.com) and go to Azure Active Directory > App registrations.
  2. Click New registration.
  3. Fill out the following fields:
    1. Name: choose a clear, identifiable name (e.g., MPAS-AzureSSO).
    2. Supported account types: select "Accounts in this organizational directory only". The multi-tenant options would allow users from any other Azure AD tenant to sign in to MPAS.
    3. Redirect URI (optional): platform Web. You can leave the URI itself empty for now; the exact URI generated by MPAS is added in Step 2.
  4. Click Register.
  5. On the app page, click Endpoints and copy the OpenID Connect metadata document URL. Keep it for later.
  6. In the left menu, under Manage, click Certificates & secrets.
  7. Click New client secret:
    1. Add a description (for example: Multi-Pass SSO integration IdP).
    2. Set the expiration as needed.
    3. Click Add.
  8. Copy the client secret Value immediately. Azure shows it only once; if it is lost you have to create a new secret.
Warning
Secure your client secret:
- Store it in a secrets manager, not in tickets, chat messages or shared documents.
- Set reminders for renewal (the portal allows a lifetime of up to 24 months; 6 months is the recommended default). When the secret expires, Azure logins through MPAS stop working until the new value is entered in MPAS.
- Do not expose it in public code or documentation.
  9. In the left menu, go to Overview and copy the Application (client) ID. Keep this value for MPAS.



Step 2: Register the Azure IdP on the Multi-Pass Authentication Service

  1. Open the Multi-Pass Dashboard.
  2. Select your tenant and open the "advanced console".
  3. In the left-hand menu, click Identity Providers.
  4. Choose OpenID Connect v1.0.
  5. Copy the Redirect URI displayed by MPAS; it must be registered in Azure before the first login is attempted.
  6. In Azure, open your App Registration > Overview and click Add a Redirect URI.
  7. Click Add a Redirect URI again; in the panel that opens on the right, select Web.
  8. Paste the Redirect URI from MPAS.
Notes
Azure AD compares the redirect_uri sent by MPAS with the registered value character for character (the path is case sensitive, see the note on realm names above). Enter the URI from MPAS verbatim: no wildcards, no partial paths, no trailing characters.
  9. Click Configure.
  10. Back in MPAS, fill in:
    1. Display Name: e.g., Azure AD
    2. Discovery Endpoint: paste the OpenID metadata URL from Azure
      1. https://login.microsoftonline.com/[...]/.well-known/openid-configuration
    3. Wait for the remaining fields (issuer, authorization, token and JWKS endpoints) to populate automatically from the discovery document.
  11. Paste the:
    1. Client ID (from Azure Overview); it is a GUID such as 904bc2ee-3374-4f03-a63b-40efc0d85237
    2. Client Secret you saved earlier
  12. Click Add to save the configuration.

  13. Now add the mappers: open the tab called "Mappers".
  14. Initially only one line, MPAS Onboarding, is present. Click the blue "Add Mapper" button and create the three mappers below, one at a time.
  15. azure-group-mapper

      Field                 Value
      Name                  azure-group-mapper
      Sync Mode Override    Force
      Mapper Type           Attribute Importer
      Claim                 groups
      User Attribute Name   group

  16. Azure Username

      Field                 Value
      Name                  Azure Username
      Sync Mode Override    Force
      Mapper Type           Attribute Importer
      Claim                 upn
      User Attribute Name   email

  17. Azure Sub Importer

      Field                 Value
      Name                  Azure Sub Importer
      Sync Mode Override    Force
      Mapper Type           Attribute Importer
      Claim                 sub
      User Attribute Name   sub
Notes
- Sync Mode Override = Force means the attribute is re-imported from the ID token at every login, so a group change or a renamed UPN in Azure is reflected at the user's next sign-in.
- Azure AD does not emit the groups claim by default. Enable it in the app registration under Token configuration > Add groups claim (or groupMembershipClaims in the manifest); otherwise azure-group-mapper imports nothing. For users in more than 200 groups Azure returns an overage reference instead of the list.
- If the metadata URL points at the v2.0 endpoint, upn is an optional claim that must also be added under Token configuration; v2.0 tokens carry preferred_username by default.
- Keep the sub mapper: sub is the stable, per-application identifier of the user, while UPN and e-mail address can be changed or reassigned to another person.
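Before saving the configuration, it is worth checking that the token Azure issues actually carries the claims the three mappers read. The following added example (not code from Kelvin Zero or part of the MPAS product) does that offline: it inspects the discovery document and decodes an ID token without verifying its signature, then reports missing groups/upn/sub claims or a wrong aud/tid. The tenant ID, the discovery document and both tokens are constructed samples; the client ID only reuses the GUID format shown above.

```python
"""Pre-flight check for the Azure AD -> MPAS OIDC settings (added example).

Not part of the Kelvin Zero documentation or product. It inspects the
OpenID Connect metadata document copied from Azure and an ID token issued
to the app registration, and reports anything that would break the three
MPAS mappers (groups, upn, sub) or point at the wrong tenant or app.
All identifiers and tokens below are CONSTRUCTED samples.
"""
import base64
import json

TENANT_ID = "11111111-2222-3333-4444-555555555555"   # constructed tenant ID
CLIENT_ID = "904bc2ee-3374-4f03-a63b-40efc0d85237"   # Application (client) ID format from the guide

# Claims read by the mappers azure-group-mapper, Azure Username and Azure Sub Importer.
REQUIRED_CLAIMS = ("groups", "upn", "sub")

# Constructed subset of the discovery document Azure serves at
# https://login.microsoftonline.com/<tenant>/v2.0/.well-known/openid-configuration
SAMPLE_DISCOVERY = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
})


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_sample_token(payload: dict) -> str:
    """Build a constructed JWT with alg=none, for OFFLINE inspection only."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(payload).encode())}."


def check_discovery(doc_json: str, tenant_id: str) -> list:
    """Return problems found in the discovery document (empty list = OK)."""
    doc = json.loads(doc_json)
    problems = []
    issuer = doc.get("issuer", "")
    # A tenant-bound issuer is what makes "organizational directory only"
    # effective; the multi-tenant common/organizations issuers would accept
    # users from any Azure AD tenant.
    if tenant_id.lower() not in issuer.lower():
        problems.append(f"issuer {issuer!r} is not bound to tenant {tenant_id}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key, "")
        if not url.startswith("https://login.microsoftonline.com/"):
            problems.append(f"{key} {url!r} is not an https login.microsoftonline.com URL")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 is not offered for ID token signing")
    return problems


def decode_payload_unverified(id_token: str) -> dict:
    """Decode a JWT payload WITHOUT checking the signature.

    Good enough to see which claims Azure emits; never base an authentication
    decision on it. MPAS verifies the real token against jwks_uri.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def check_id_token(id_token: str, tenant_id: str, client_id: str) -> list:
    """Return problems that would break the mappers or indicate a token issued
    for another app or tenant (empty list = OK)."""
    claims = decode_payload_unverified(id_token)
    problems = []
    if claims.get("aud") != client_id:
        problems.append(f"aud {claims.get('aud')!r} is not the Application (client) ID")
    if claims.get("tid") != tenant_id:
        problems.append(f"tid {claims.get('tid')!r} is not the expected tenant")
    for name in REQUIRED_CLAIMS:
        if name not in claims:
            problems.append(f"claim {name!r} missing: the mapper reading it imports nothing")
    return problems


# Constructed tokens: one with everything the mappers need, one shaped like a
# v2.0 token before the groups and upn claims have been enabled in Azure.
GOOD_TOKEN = make_unsigned_sample_token({
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0", "aud": CLIENT_ID,
    "tid": TENANT_ID, "sub": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "upn": "alice@contoso.example", "groups": ["aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"],
})
INCOMPLETE_TOKEN = make_unsigned_sample_token({
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0", "aud": CLIENT_ID,
    "tid": TENANT_ID, "sub": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "preferred_username": "alice@contoso.example",
})

if __name__ == "__main__":
    for label, token in (("good", GOOD_TOKEN), ("incomplete", INCOMPLETE_TOKEN)):
        print(label, check_discovery(SAMPLE_DISCOVERY, TENANT_ID)
              + check_id_token(token, TENANT_ID, CLIENT_ID))
```

To use it against your own tenant, replace the constants with your tenant ID and Application (client) ID, paste the metadata document you copied in Step 1 into check_discovery, and pass an id_token captured from a test login (for example from the browser developer tools on the callback request) to check_id_token. The decode is deliberately unverified because the goal is only to see which claims Azure emits; an empty "problems" list for both checks means the three mappers will find their claims.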


Step 3: Test the Integration

  1. In MPAS, go to Clients in the left-hand menu.
  2. Find the client named account and click its Home URL.
  3. You are redirected to the Multi-Pass Passwordless login screen; click "Show more ways to log in".
  4. Choose Sign in with Azure.
  5. Log in with your Azure Global Administrator account (e-mail address and password). A "Verification required" pop-up appears; click Continue.
  6. Review the requested permissions, check "Consent on behalf of your organization" and click Accept. This grants admin consent once for the whole tenant, so later users are not shown this prompt.
  7. Authenticate with your cards or the digital app.
  8. You are redirected to your MPAS Account Management page.
  9. Return to the MPAS Admin Console and click Users in the menu.
  10. You should now see the Azure AD users who have authenticated through MPAS. Open the test user and check its attributes: group, email and sub should be filled from the token. An empty attribute means the corresponding claim was missing from the ID token, which is usually a Token configuration issue in the Azure app registration rather than a mapper issue.
