Entra IDP Integration
IDP Integration

The IDP Integration setup UI is available on the account page (#/profile) for all enterprise plan users.

Setting up the IDP integration has two parts:

  • Configuration of a new SCIM integration that synchronizes users and groups from your Entra ID tenant to Ubiq
  • Configuration of a new Entra application that allows Ubiq to verify and work with your Entra tokens
⚠️ REQUIREMENT

You MUST have the requisite Microsoft license that allows group provisioning via SCIM. Please confirm the specific license directly with Microsoft.

Auto-provisioning

An Identity is provisioned for each SCIM-synced user account. Permissions for those Identities are granted to Datasets through Access Groups that have a matching SCIM-synced group.

When (IDP event) → Provisioning logic

  • IDP user is created: creates a new Identity for the IDP user.
  • IDP user field changes: updates the values on the corresponding Identity.
  • IDP user is deleted: the Identity is deleted and removed from any Access Groups it belonged to.
  • IDP group created: looks for an Access Group with the same name and links the two together. Once linked, any IDP user added to the IDP group has their Identity added to the corresponding Access Group.
  • IDP group members are changed: if the IDP group is linked to an Access Group, the corresponding Identities' memberships in that Access Group are changed to match.
  • IDP group deleted: for all IDP users in the IDP group, finds their corresponding Identities and removes them from the corresponding Access Group.
  • Access Group created (in the Ubiq UI): finds any IDP group with the same name and auto-provisions membership in the Access Group for its IDP users' Identities.

Note: Editing of auto-provisioned Identities is limited in the UI.
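The provisioning rules above, as an added in-memory model (example code written for this page, not Ubiq's implementation). The Directory, Identity and Access Group structures are hypothetical; group-to-Access-Group linking uses an exact name match, as the page describes.

```python
# Added example (not Ubiq's code): an in-memory model of the auto-provisioning
# rules in the table above. Directory/identities/access_groups are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Directory:
    identities: dict = field(default_factory=dict)     # IDP user id -> attributes
    idp_groups: dict = field(default_factory=dict)     # IDP group name -> set of user ids
    access_groups: dict = field(default_factory=dict)  # Access Group name -> {"linked", "members"}

    # IDP user events
    def user_created(self, uid, **attrs):
        self.identities[uid] = dict(attrs, auto_provisioned=True)

    def user_changed(self, uid, **attrs):
        self.identities[uid].update(attrs)

    def user_deleted(self, uid):
        self.identities.pop(uid, None)
        for ag in self.access_groups.values():       # removed from every Access Group it belonged to
            ag["members"].discard(uid)

    # IDP group events
    def group_created(self, name, members=()):
        self.idp_groups[name] = set(members)
        self._link(name)                             # links only if an Access Group of that name exists

    def group_members_changed(self, name, members):
        self.idp_groups[name] = set(members)
        ag = self.access_groups.get(name)
        if ag and ag["linked"]:                      # unlinked IDP groups have no effect in Ubiq
            ag["members"] = set(members) & set(self.identities)

    def group_deleted(self, name):
        members = self.idp_groups.pop(name, set())
        ag = self.access_groups.get(name)
        if ag:
            ag["members"] -= members                 # Access Group remains, minus the synced users
            ag["linked"] = False                     # assumption: the link is dropped with the IDP group

    # Access Group created in the Ubiq UI
    def access_group_created(self, name):
        self.access_groups[name] = {"linked": False, "members": set()}
        self._link(name)

    def _link(self, name):
        """Exact-name match between IDP group and Access Group auto-provisions membership."""
        if name in self.idp_groups and name in self.access_groups:
            ag = self.access_groups[name]
            ag["linked"] = True
            ag["members"] = self.idp_groups[name] & set(self.identities)
```

Only users that already exist as Identities are placed in an Access Group, which is why SCIM must have synced the users before group membership shows up in Ubiq.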

Ubiq IDP Integration Setup

When enabling IDP Integration, the following settings need to be populated with values from Microsoft Entra ID.

⚠️ IMPORTANT

For SCIM provisioning, start from Enterprise Applications, not App registrations.

App registrations are used later for token/JWT configuration.


Azure AD / Entra Integration

Create Enterprise Application

  1. Microsoft Entra ID Dashboard → “+ Add” → Enterprise Application
  2. Click “+ Create Your Own Application”
  3. Enter the desired name of the Application
  4. Select “Integrate any other application you don’t find in the gallery (Non-gallery)”
  5. Click Create

Users / Groups

  1. Users & Groups → “+ Add user/group”
  2. Select the users or groups that should be synchronized into Ubiq for identity-based dataset authorization.
  3. Click Assign

Provisioning

  1. Provisioning → Provisioning
  2. Change Provisioning Mode to Automatic
  3. Set Admin Credentials → Tenant URL = Ubiq SCIM URL from the Ubiq IDP Integration screen
  4. Set Admin Credentials → Secret Token = Ubiq SCIM Secret Token from the Ubiq IDP Integration screen
  5. Click Test Connection
  6. Click Save

Before testing JWT authorization from an application

Before testing JWT-based protect/unprotect calls from an application, confirm the following:

  • Entra is configured as the IDP in the Ubiq dashboard.
  • SCIM provisioning from Entra to Ubiq is enabled and has successfully run.
  • The test users exist as Identities in Ubiq.
  • The relevant Entra groups exist and are assigned to the Enterprise Application.
  • Matching Ubiq Access Groups exist with the exact same names as the Entra groups.
  • The appropriate datasets are assigned to the Ubiq Access Groups.
  • The application can obtain a valid Entra JWT for the test user.

If users or groups have not been provisioned into Ubiq, Ubiq may be able to validate the JWT but will not have the corresponding identity or access group membership needed to authorize dataset access.


Configure Application

  1. Microsoft Entra ID Dashboard → App registrations → All Applications → Your Application

Enable Access Tokens

  1. Authentication → Check “Access tokens (used for implicit flows)” → Save

Client Secret

  1. Certificates & secrets → Client Secrets → “+ New client secret”
  2. Enter a description of the client secret (e.g. Ubiq Secret) and the desired expiration
  3. Click Add
  4. Copy the new secret value and store it somewhere safe; it will be used later by the client library

Token Claims

  1. Token configuration → “Add groups claim”
  2. Select desired group types, likely the “Groups assigned to the application” option
  3. Click Add

API Scopes

  1. Expose an API → “Add” Application ID URI
  2. Click Save
  3. Click “+ Add a scope”
    1. Scope name => Custom.Read
    2. Who can consent? => Admins Only
    3. Enter desired display names/descriptions
    4. Click Add scope

API Permissions

  1. API permissions → “+ Add a permission” → “APIs my organization uses”
    1. Select your application name
    2. Select Custom.Read permission
    3. Click “Add permissions”
  2. “+ Add a permission” → Microsoft Graph
    1. Click delegated permissions
    2. Select offline_access, openid, and profile permissions
    3. Click “Add permissions”
  3. Click “Grant admin consent for YourAzureADTenantName”
    1. Click Yes to confirm

OpenID Connect Discovery URL

Microsoft Entra ID Dashboard → App registrations → All Applications → Your Application → Endpoints → OpenID Connect metadata document

IDP Token Issuer

The value is https://sts.windows.net/TENANT_ID/, where TENANT_ID can be found at Microsoft Entra ID Dashboard → App registrations → All Applications → Your Application → Directory (tenant) ID

IDP Token Audience

Microsoft Entra ID Dashboard → App registrations → All Applications → Your Application → Application ID URI
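As an added example (not Ubiq's code), the following checks the claims of an Entra access token against the values configured above: the issuer form https://sts.windows.net/TENANT_ID/, the Application ID URI as audience, the Custom.Read scope and the groups claim. It assumes the token's signature has already been verified by a JWT library using the JWKS from the OpenID Connect discovery URL; the tenant ID, Application ID URI and group ID in the sample are constructed placeholders.

```python
# Added example (not Ubiq's code): validate already-signature-verified Entra
# access-token claims against this page's IDP Token Issuer / Audience settings.
import time


def check_entra_claims(claims, tenant_id, app_id_uri, required_scope="Custom.Read",
                       now=None, skew=60):
    """Return a list of problems; an empty list means the claims match the configuration."""
    now = time.time() if now is None else now
    problems = []
    # v1.0 access tokens carry the sts.windows.net issuer this page configures;
    # v2.0 tokens use https://login.microsoftonline.com/<tenant>/v2.0 and will not match.
    expected_iss = f"https://sts.windows.net/{tenant_id}/"
    iss = claims.get("iss", "")
    if iss != expected_iss:
        hint = " (v2.0 issuer; this page configures the v1.0 form)" if iss.endswith("/v2.0") else ""
        problems.append(f"iss is {iss!r}, expected {expected_iss!r}{hint}")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if app_id_uri not in auds:
        problems.append(f"aud {aud!r} does not contain Application ID URI {app_id_uri!r}")
    if claims.get("exp", 0) + skew < now:
        problems.append("token expired")
    if claims.get("nbf", 0) - skew > now:
        problems.append("token not yet valid")
    scopes = claims.get("scp", "").split()            # scp is a space-separated string in v1.0 tokens
    if required_scope not in scopes:
        problems.append(f"scp {scopes} lacks {required_scope}")
    if "groups" not in claims:
        # Entra replaces the groups list with a reference when the user is in too many groups
        if "_claim_names" in claims or claims.get("hasgroups"):
            problems.append("groups claim omitted (group overage); Entra emitted a reference instead")
        else:
            problems.append("no groups claim: enable 'Add groups claim' under Token configuration")
    return problems


# Constructed sample claims (placeholder IDs), as a v1.0 access token would carry them.
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_APP_ID_URI = "api://11111111-1111-1111-1111-111111111111"
SAMPLE_CLAIMS = {
    "iss": f"https://sts.windows.net/{SAMPLE_TENANT}/",
    "aud": SAMPLE_APP_ID_URI,
    "exp": 1_900_000_000, "nbf": 1_700_000_000,
    "scp": "Custom.Read",
    "groups": ["22222222-2222-2222-2222-222222222222"],
    "upn": "alice@example.com",
}
```

A token that passes these checks can still fail authorization if SCIM has not provisioned the user's Identity or a same-named Access Group, as the pre-test checklist above notes.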


© 2026 Ubiq Security, Inc. All rights reserved.