Entra IDP Integration

Step-by-step instructions for Entra ID Integration

IDP Integration

IDP Integration setup UI is available on the account page (#/profile) for all enterprise plan users.

Setting up the IDP integration has two parts:

  • Configuration of a new SCIM integration that synchronizes users and groups from your Entra to Ubiq
  • Configuration of a new Entra application that allows Ubiq to verify and work with your Entra tokens

Auto-provisioning

An API key is provisioned for each SCIM-synced user account, and the permissions of that API key are granted on the Datasets within Dataset Groups that have a matching SCIM-synced group.

| When | Provisioning Logic |
| --- | --- |
| IDP user is created | 1. If the API Key already exists and was auto-provisioned, do nothing. 2. If the API Key does not exist, create a new API Key for the IDP user. |
| IDP user field changed | Rename the API Key if it was auto-provisioned |
| IDP user active field changed | Enable/disable the API Key as appropriate |
| IDP user is deleted | Delete the API Key |
| IDP group created | Do nothing |
| IDP group members are changed | Provision access for the user API Key to all datasets in the matching Dataset Group |
| IDP group display_name field changed | Remove access for the user API Key to all datasets in the old matching Dataset Group, then provision access for the user API Key to all datasets in the new matching Dataset Group |
| IDP group deleted | Delete all corresponding API Key access to the matching Dataset Group |
| Dataset creation (in Ubiq UI) | Provision access to the dataset to API Keys if it is in a matching Dataset Group |
| Dataset → Dataset Group assignment (in Ubiq UI) | Provision access to the dataset to API Keys if it is in a matching Dataset Group |

Note: Editing of auto-provisioned API Keys is disabled in the UI.
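The provisioning rules above are easiest to reason about as a small state machine: each SCIM event changes the set of API keys and the datasets each key may reach. The model below is an added example, not Ubiq's code, and keeps everything in memory. Two points the table leaves open are handled as labelled assumptions: a pre-existing key that was not auto-provisioned is left untouched on "user created", and members removed from a group lose the access that group granted.

```python
"""In-memory model of the auto-provisioning table (added example, not Ubiq's code).

The real system acts on API keys and Dataset Group access in Ubiq; this model
only tracks the same state so the effect of each IDP event can be checked.
"""
from dataclasses import dataclass, field


@dataclass
class ApiKey:
    name: str
    enabled: bool = True
    auto_provisioned: bool = True
    datasets: set = field(default_factory=set)  # datasets this key may access


class ProvisioningModel:
    def __init__(self, dataset_groups):
        # dataset_groups: {Dataset Group name: set of dataset names}, as set up in the Ubiq UI
        self.dataset_groups = {g: set(ds) for g, ds in dataset_groups.items()}
        self.keys = {}           # IDP user id -> ApiKey
        self.group_members = {}  # IDP group id -> (display_name, set of user ids)

    def _matching_datasets(self, display_name):
        # A Dataset Group "matches" an IDP group when its name equals the group's display_name
        return self.dataset_groups.get(display_name, set())

    def _grant(self, user_ids, datasets):
        for uid in user_ids:
            if uid in self.keys:
                self.keys[uid].datasets |= datasets

    def _revoke(self, user_ids, datasets):
        for uid in user_ids:
            if uid in self.keys:
                self.keys[uid].datasets -= datasets

    # --- IDP user events -------------------------------------------------
    def user_created(self, user_id, name):
        if user_id in self.keys:
            # Auto-provisioned key exists: do nothing. A manually created key is
            # not covered by the table; this model leaves it untouched (assumption).
            return self.keys[user_id]
        self.keys[user_id] = ApiKey(name=name)
        return self.keys[user_id]

    def user_renamed(self, user_id, name):
        if self.keys[user_id].auto_provisioned:
            self.keys[user_id].name = name

    def user_active_changed(self, user_id, active):
        self.keys[user_id].enabled = active

    def user_deleted(self, user_id):
        self.keys.pop(user_id, None)
        for _, members in self.group_members.values():
            members.discard(user_id)

    # --- IDP group events ------------------------------------------------
    def group_created(self, group_id, display_name):
        self.group_members[group_id] = (display_name, set())  # nothing else happens

    def group_members_changed(self, group_id, member_ids):
        display_name, old = self.group_members[group_id]
        new = set(member_ids)
        datasets = self._matching_datasets(display_name)
        self._grant(new - old, datasets)
        self._revoke(old - new, datasets)  # assumption: removed members lose the group's access
        self.group_members[group_id] = (display_name, new)

    def group_renamed(self, group_id, new_name):
        old_name, members = self.group_members[group_id]
        self._revoke(members, self._matching_datasets(old_name))
        self._grant(members, self._matching_datasets(new_name))
        self.group_members[group_id] = (new_name, members)

    def group_deleted(self, group_id):
        name, members = self.group_members.pop(group_id)
        self._revoke(members, self._matching_datasets(name))

    # --- Ubiq UI events (dataset creation / assignment to a Dataset Group) ----
    def dataset_assigned(self, dataset, group_name):
        self.dataset_groups.setdefault(group_name, set()).add(dataset)
        for name, members in self.group_members.values():
            if name == group_name:
                self._grant(members, {dataset})
```

One thing worth checking in your own tenant: the table describes the rename and delete steps per group, so when two IDP groups map to Dataset Groups that share a dataset, removing access via one group may also affect access obtained through the other. The model applies the steps literally, which makes that overlap visible when you run it.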

Ubiq IDP Integration Setup

When enabling IDP Integration, the following settings need to be populated from values in Microsoft Entra ID.

Azure AD / Entra Integration

Create Enterprise Application

  1. Microsoft Entra ID Dashboard → “+ Add” → Enterprise Application
  2. Click “+ Create Your Own Application”
  3. Enter desired name of the Application
  4. Select “Integrate any other application you don’t find in the gallery (Non-gallery)”
  5. Click Create

Users / Groups

  1. Users & Groups → “+ Add user/group”
  2. Select users or groups that should be allowed to access Ubiq
  3. Click Assign


Provisioning

  1. Provisioning → Provisioning
  2. Change Provisioning Mode to Automatic
  3. Set Admin Credentials → Tenant URL = Ubiq SCIM URL from the Ubiq IDP Integration screen
  4. Set Admin Credentials → Secret Token = Ubiq SCIM Secret Token from the Ubiq IDP Integration screen
  5. Click Test Connection
  6. Click Save

Configure Application

  1. Microsoft Entra ID Dashboard → App registrations → All Applications → Your Application

Enable Access Tokens

  1. Authentication → Check “Access tokens (used for implicit flows)” → Save

Client Secret

  1. Certificates & secrets → Client Secrets → “+ New client secret”
  2. Enter description of client secret (e.g. Ubiq Secret) and desired expiration
  3. Click Add
  4. Copy the new secret value and store it somewhere safe; it will be used later by the client library

Token Claims

  1. Token configuration → “Add groups claim”
  2. Select desired group types, likely the “Groups assigned to the application” option
  3. Click Add

API Scopes

  1. Expose an API → “Add” Application ID URI
  2. Click Save
  3. Click “+ Add a scope”
    1. Scope name => Custom.Read
    2. Who can consent? => Admins Only
    3. Enter desired display names/descriptions
    4. Click Add scope

API Permissions

  1. API permissions → “+ Add a permission” → “APIs my organization uses”
    1. Select your application name
    2. Select Custom.Read permission
    3. Click “Add permissions”
  2. “+ Add a permission” → Microsoft Graph
    1. Click delegated permissions
    2. Select offline_access, openid, and profile permissions
    3. Click “Add permissions”
  3. Click “Grant admin consent for YourAzureADTenantName”
    1. Click Yes to confirm

OpenID Connect Discovery URL

Microsoft Entra ID Dashboard → App registrations → All Applications → Your Application → Endpoints → OpenID Connect metadata document

IDP Token Issuer

The value is https://sts.windows.net/TENANT_ID/, where TENANT_ID can be found at Microsoft Entra ID Dashboard → App registrations → All Applications → Your Application → Directory (tenant) ID.

IDP Token Audience

Microsoft Entra ID Dashboard → App registrations → All Applications → Your Application → Application ID URI
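The three values collected in this section (discovery URL, token issuer, token audience) together with the groups claim added under Token configuration are what a relying party checks on every Entra access token. The code below is an added example, not Ubiq's code, showing those claim checks on a constructed token: `iss` must equal the IDP Token Issuer, `aud` must contain the Application ID URI, and the token must be within its `nbf`/`exp` window. Signature verification against the JWKS referenced by the OpenID Connect metadata document is assumed to have been done first by a JWT library and is not repeated here; the tenant id and Application ID URI are constructed placeholders.

```python
"""Claim checks for an Entra ID access token (added example, not Ubiq's code).

Assumes the token signature was already verified against the keys published at
the tenant's OpenID Connect metadata document (jwks_uri). These checks cover the
issuer, audience and validity-window claims that the integration settings map to.
"""
import base64
import json
import time

# Constructed placeholders standing in for values copied from the Entra portal.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
ISSUER = f"https://sts.windows.net/{TENANT_ID}/"          # IDP Token Issuer
AUDIENCE = "api://11111111-1111-1111-1111-111111111111"  # Application ID URI


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWT (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def validate_entra_claims(token, issuer=ISSUER, audience=AUDIENCE, now=None):
    """Return the claims if iss, aud, exp and nbf are acceptable; raise ValueError otherwise."""
    claims = decode_payload(token)
    now = int(time.time()) if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        raise ValueError(f"token was not issued for {audience}")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token has expired")
    if now < int(claims.get("nbf", 0)):
        raise ValueError("token is not yet valid")
    return claims


def token_is_acceptable(token, issuer=ISSUER, audience=AUDIENCE, now=None) -> bool:
    try:
        validate_entra_claims(token, issuer, audience, now)
        return True
    except ValueError:
        return False


def groups_in_token(claims) -> list:
    """Group ids from the groups claim configured under Token configuration.

    When a user is in more groups than Entra embeds in a token, the claim is
    replaced by an overage marker (_claim_names / hasgroups); that must be
    treated as 'unknown' rather than 'no groups'.
    """
    if "groups" in claims:
        return list(claims["groups"])
    if "_claim_names" in claims or claims.get("hasgroups"):
        raise ValueError("groups overage: the group list is not in the token")
    return []


def make_test_token(claims: dict) -> str:
    """Build a token for offline testing; the signature segment is a placeholder
    because signature verification is outside this example."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "constructed"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.placeholder-signature"
```

Checking `aud` against the Application ID URI rather than only the client id is what stops a token minted for another application in the same tenant from being accepted, and rejecting the overage marker instead of treating it as an empty group list avoids silently de-provisioning a user who is simply in many groups.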


© 2025 Ubiq Security, Inc. All rights reserved.