Integrate OSP with Microsoft Azure Entra using OAuth 2.0

You can integrate NetIQ Open Security Platform (OSP) with Microsoft Azure Entra ID using OAuth 2.0 / OpenID Connect (OIDC). This integration enables users to authenticate to OSP-hosted applications with Microsoft Entra credentials using the OIDC flow. OSP will use OIDC metadata from Azure's discovery endpoint and map claims to OSP principal attributes.

Prerequisites

Before you begin, ensure that you have the following.

Requirement Description
NetIQ OSP version NetIQ OSP 6.x or later (confirm your specific version compatibility).
Azure subscription Azure subscription with admin access to register applications.
OSP server security OSP server reachable over HTTPS (valid certificate recommended).
Network connectivity Network connectivity from OSP to login.microsoftonline.com.
Admin rights Admin rights to edit /opt/netiq/idm/osp/config/authcfg.xml (or equivalent OSP config location).

Back to top

Step 1: Register the OSP app in Microsoft Entra

To register the OSP app in Microsoft Entra:

  1. Open Azure Portal and navigate to Azure Active Directory → Entra ID → App registrations → New registration.

  2. Fill out the registration form with the following details:

    • Name: NetIQ OSP Integration (or your naming standard).

    • Supported account types: Accounts in this organizational directory only (or change if needed).

    • Redirect URI (Web): This is a critical setting. Choose the URI based on your login flow:

      • OSP login page:

        https://<YOUR_OSP_HOST>:<PORT>/osp/a/<TENANT_ID>/auth/app/contractcontinue

        Example: https://localhost:8443/osp/a/dimensions/auth/app/contractcontinue

      • Integrated application (like OpenText Dimensions CM or Pulse):

        https://<osp-host>:<port>/osp/a/<application-name>/auth/oauth2/callback

    • Valid post logout redirect URIs:

      https://<YOUR_OSP_HOST>:<PORT>/osp/a/<TENANT_ID>/auth/app/logout

      Example: https://localhost:8443/osp/a/dimensions/auth/app/logout

  3. Click Register.

Note: If login fails with an "Invalid redirect_uri" error, check the server logs or your browser's URL bar to see the exact URI that OSP sent, then add it to Azure.

Back to top

Step 2: Collect client and tenant IDs and create client secret

To collect IDs and create the client secret:

  1. From the app Overview, record the following information:

    • Application (client) ID

    • Directory (tenant) ID

  2. Navigate to Certificates & secretsClient secretsNew client secret.

  3. Provide the following details:

    • Description: OSP Secret

    • Expiry: Choose appropriate length (for example, 12 months or 24 months).

  4. Copy the secret value immediately (it will not be shown again).

  5. Save the client_id, client_secret, and tenant_id for later use in OSP configuration.

Back to top

Step 3: Configure API permissions

To configure API permissions:

  1. Navigate to API PermissionsAdd a permissionMicrosoft GraphDelegated permissions.

  2. Add the following permissions:

    • openid

    • profile

    • email

    • offline_access

  3. Click Grant admin consent for the tenant (tenant admin required).

Back to top

Step 4: Configure optional claims

OSP often looks for preferred_username, email, given_name, and other claims. If you need additional ID token claims:

To configure optional claims:

  1. Navigate to Token configurationAdd optional claimID token.

  2. Add the following optional claims:

    • email

    • given_name

    • family_name

    • preferred_username (if useful)

Note: The preferred_username claim sometimes includes a domain (user@domain.com). If OSP expects a short username, map principalNameAttr to email or given_name instead, or strip the domain on the OSP side.

Back to top

Step 5: Configure NetIQ OSP (authcfg.xml)

To configure OSP for Microsoft Azure Entra:

  1. Edit your OSP authentication config file:

    /opt/netiq/idm/osp/config/authcfg.xml

  2. Add the OpenID Connect data source configuration. Replace placeholders (<CLIENT_ID>, <CLIENT_SECRET>, <TENANT_ID>) with your values:

    Copy code 
    <OpenIdDataSource
        id="ds-microsoft"
        displayName="Microsoft OIDC Data Source"
        enabled="true"
        issuer="https://login.microsoftonline.com/<TENANT_ID>/v2.0"
        clientId="<CLIENT_ID>"
        clientSecret="<CLIENT_SECRET>"
        clientAuth="client_secret_basic"
        scope="openid profile email"
        maxClockSkew="60"
        jwksUri="https://login.microsoftonline.com/<TENANT_ID>/discovery/v2.0/keys">
        <Property name="client_id" value="clientId"/>
        <Property name="client_secret" value="clientSecret"/>
    </OpenIdDataSource>

  3. Add the authentication source configuration:

    Copy code 
    <OpenIdAuthenticationSource
        id="as-microsoft"
        displayName="Authentication from Microsoft"
        enabled="true">
        <Reference refId="ds-microsoft" type="DataSource"/>
        <principalNameAttr name="given_name"/>
        <AttributeMapping>
            <AttributeMapEntry localName="username" nativeName="given_name"/>
            <AttributeMapEntry localName="mail" nativeName="email"/>
            <AttributeMapEntry localName="givenName" nativeName="given_name"/>
            <AttributeMapEntry localName="surname" nativeName="family_name"/>
        </AttributeMapping>
    </OpenIdAuthenticationSource>

  4. Add the authentication and contract blocks:

    Copy code 
    <Authentication allowDisabledContracts="true">
        <Reference refId="microsoft-contract" type="AuthContractOrGroup" decorator="default"/>
        <OpenIdAuthentication
            id="microsoft-auth"
            displayName="Microsoft Login"
            enabled="true">
            <Reference refId="as-microsoft" type="AuthenticationSource"/>
        </OpenIdAuthentication>
        <AuthContract
            id="microsoft-contract"
            displayName="Microsoft Login"
            uri="dimensions:user:microsoft">
            <Reference refId="microsoft-auth" type="ContractExecutable"/>
        </AuthContract>
    </Authentication>

Note: Ensure issuer points to the v2.0 endpoint (includes preferred_username claim). If OSP does not receive preferred_username, change <principalNameAttr> to email or given_name. For custom claim mappings, consult your OSP version documentation.

Back to top

Step 6: Restart OSP

To restart the OSP service:

  1. Run one of the following commands:

    sudo systemctl restart osp

    Or:

    sudo rcosp restart

  2. Check service logs if restart fails (for example, /var/log/osp/* or system journal).

Back to top

Step 7: Verify integration

To verify the integration:

  1. Open the OSP app UI in your browser:

    https://<osp-host>:8443/osp/a/<app>/ui

  2. Click the login link or button that shows sign-in with Microsoft.

  3. Authenticate using a Microsoft Entra account.

  4. Confirm the user is redirected back to the OSP app with the correct username and attributes.

Back to top

Troubleshooting

Use the following table to troubleshoot common issues.

Symptom Likely cause Resolution
Invalid redirect URI Redirect registered in Azure does not exactly match the request. Ensure callback URI in Azure app registration matches OSP callback exactly (scheme, host, port, path).
Invalid client secret Secret expired or incorrect. Regenerate secret in Azure and update authcfg.xml.
Missing or incorrect username Claim mapping mismatch (preferred_username contains domain). Change <principalNameAttr> to email or name OR normalize username in OSP mapping.
No preferred_username claim Azure not sending this claim by default. Add optional claim in Token Configuration or use email/name.
Token validation errors Clock skew between servers or incorrect discovery URI. Ensure NTP sync and correct discovery_uri with tenant ID.
User not authorized Permissions or consent not granted. Revisit API permissions and grant admin consent.
HTTP error 500 server.xml header size needs adjustment. Place maxHttpHeaderSize="65536" under HTTPS connector with 8443 port.

Back to top

Example endpoints

The following table lists example endpoints for Microsoft Azure Entra OAuth 2.0 integration.

Endpoint URL
Discovery (OIDC metadata) https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration
Authorization endpoint https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize
Token endpoint https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
Logout endpoint https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/logout

Back to top

Configure logout (single sign-out)

This is an optional configuration that enables single sign-out functionality.

To configure logout (single sign-out):

  1. In Azure Portal, open your App Registration and navigate to AuthenticationLogout URL (or Front-channel logout URL depending on portal version).

  2. Enter the OSP logout callback URL.

    https://<osp-host>:8443/osp/a/<app>/auth/logout

  3. Save the configuration and test logout to ensure both OSP and Azure session cookies are cleared as desired.

Note: Different apps and browsers may behave differently with sign-out. Validate single sign-out in multiple browsers.

Back to top

See also: