Theory of Operation
When Entra ID SSO is used with Instant Connect, end users are prompted for their enterprise-managed credentials instead of a username and password created specifically for Instant Connect. The SSO credential is typically a username and password, but depending on how the enterprise has configured Entra ID it may also require some form of two-factor authentication, a smart card, or another credential type.
Entra ID Application Registration
Before a user can use Entra ID to log into Instant Connect, Entra ID must be made aware of ICE as a resource that users can be authorized to access. In Entra ID this resource is called an application, and it is created by an Entra ID administrator who registers the application in the Azure portal (step-by-step instructions follow).
Registering an application in Entra ID produces a set of identifiers and URLs that uniquely identify the application in Entra ID and describe how Instant Connect should authenticate login requests. ICE Mobile and ICE Desktop clients authenticating via Entra ID must know these identifiers and URLs; they obtain them from a dedicated metadata endpoint exposed by the ICE Server.
Metadata Service Endpoint
To convey this Entra ID metadata to client applications, the ICE Server exposes an unauthenticated metadata REST endpoint. An HTTP GET on the URL /sso-meta returns a JSON document similar to the following example, where [KeyValues] stands for the values specific to your tenant and application registration. Note that the document carries only identifiers and endpoint URLs; it contains no secret.
{
  "provider": "azure_ad",
  "audience": "api://[KeyValues]",
  "authorizationUrl": "https://login.microsoftonline.com/[KeyValues]/oauth2/v2.0/authorize",
  "tokenUrl": "https://login.microsoftonline.com/[KeyValues]/oauth2/v2.0/token",
  "redirectUrl": "https://login.microsoftonline.com/common/oauth2/nativeclient",
  "tenantId": "[KeyValues]",
  "clientId": "[KeyValues]",
  "openIdConfUrl": "https://login.microsoftonline.com/[KeyValues]/v2.0/.well-known/openid-configuration",
  "scope": "api://[KeyValues]/UserProfile.ReadWrite",
  "importUserGroups": true
}
In addition to telling ICE Mobile and ICE Desktop clients that they should authenticate with Entra ID (the provider value), this document supplies the resource metadata (tenantId, clientId, the authorization and token endpoints, the redirect URL and the scope) that each ICE client application needs to produce the SSO login user interface and complete the sign-in.
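The sign-in request an ICE client would build from the /sso-meta document, as an added example that is not Instant Connect's own client code. It assumes the OAuth 2.0 authorization-code flow with PKCE (the usual choice for a native public client that redirects to the nativeclient URL), uses constructed placeholder GUIDs in place of [KeyValues], and adds a check the page does not describe: because /sso-meta is served without authentication, the client refuses to send the user to any authorization or token endpoint that is not an https URL on login.microsoftonline.com scoped to the stated tenant.

```python
"""Build the Entra ID sign-in request from the /sso-meta document (example code)."""
import base64
import hashlib
import secrets
import urllib.parse

MICROSOFT_LOGIN_HOST = "login.microsoftonline.com"

# Constructed sample of the /sso-meta document; the GUIDs are placeholders.
TENANT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
APP = "11111111-2222-3333-4444-555555555555"
SSO_META = {
    "provider": "azure_ad",
    "audience": f"api://{APP}",
    "authorizationUrl": f"https://{MICROSOFT_LOGIN_HOST}/{TENANT}/oauth2/v2.0/authorize",
    "tokenUrl": f"https://{MICROSOFT_LOGIN_HOST}/{TENANT}/oauth2/v2.0/token",
    "redirectUrl": f"https://{MICROSOFT_LOGIN_HOST}/common/oauth2/nativeclient",
    "tenantId": TENANT,
    "clientId": APP,
    "openIdConfUrl": f"https://{MICROSOFT_LOGIN_HOST}/{TENANT}/v2.0/.well-known/openid-configuration",
    "scope": f"api://{APP}/UserProfile.ReadWrite",
    "importUserGroups": True,
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes -> 43 URL-safe characters, inside RFC 7636's 43..128 range.
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str) -> str:
    # PKCE S256 method: BASE64URL(SHA256(verifier)) without padding.
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def check_metadata(meta: dict) -> None:
    """Refuse an unauthenticated /sso-meta document that would send the user anywhere
    but Microsoft's login service for the stated tenant (check added by this example)."""
    if meta.get("provider") != "azure_ad":
        raise ValueError(f"unexpected provider {meta.get('provider')!r}")
    for key in ("authorizationUrl", "tokenUrl", "openIdConfUrl"):
        u = urllib.parse.urlsplit(meta[key])
        if u.scheme != "https" or u.netloc != MICROSOFT_LOGIN_HOST:
            raise ValueError(f"{key} does not point at https://{MICROSOFT_LOGIN_HOST}")
        if meta["tenantId"] not in u.path:
            raise ValueError(f"{key} is not scoped to tenant {meta['tenantId']}")
    if not meta["scope"].startswith(meta["audience"] + "/"):
        raise ValueError("scope does not belong to the ICE audience")


def build_authorize_url(meta: dict, state: str, verifier: str) -> str:
    """URL to open in the Microsoft-hosted login window."""
    check_metadata(meta)
    params = {
        "client_id": meta["clientId"],
        "response_type": "code",
        "redirect_uri": meta["redirectUrl"],
        "scope": meta["scope"],  # asks for a token whose audience is the ICE resource
        "state": state,          # ties the redirect back to this login attempt
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return meta["authorizationUrl"] + "?" + urllib.parse.urlencode(params)


def parse_redirect(redirected_to: str, expected_state: str) -> str:
    """Extract the authorization code once the login window lands on redirectUrl."""
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(redirected_to).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response is not for this login attempt")
    if "error" in q:
        raise ValueError(f"Entra ID returned {q['error'][0]}")
    if "code" not in q:
        raise ValueError("redirect carries no authorization code")
    return q["code"][0]


def build_token_request(meta: dict, code: str, verifier: str):
    """POST target and form body for tokenUrl; the verifier proves we started the flow."""
    return meta["tokenUrl"], {
        "client_id": meta["clientId"],
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": meta["redirectUrl"],
        "code_verifier": verifier,
        "scope": meta["scope"],
    }


if __name__ == "__main__":
    state, verifier = secrets.token_urlsafe(16), make_code_verifier()
    print(build_authorize_url(SSO_META, state, verifier))
```

The state value and the PKCE verifier are generated per attempt and kept in client memory; the JWT that comes back from the token endpoint is what the client then hands to the ICE Server as the user's credential.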
Client Login Sequence
When an end user attempts to log in to an ICE client, the client first tries to read the metadata document from the server address the user entered. If the document is found, the client presents the user with a Sign in with Microsoft Entra ID button.
When the user chooses the Entra ID login option, Instant Connect displays a corporate-branded Entra ID login window provided by Microsoft (the code and UI design of the login page come from the Entra ID service, not from Instant Connect).
If the user enters a valid credential, Microsoft returns a JWT (JSON Web Token; IETF RFC 7519). The JWT carries a signed set of claims: information about the end user and about the resource the user is trying to access. ICE Mobile and ICE Desktop clients pass this JWT to the ICE Server as the user's credential. The ICE Server validates the JWT's signature and claims and accepts or denies the login attempt accordingly.
Server Validation Sequence
The ICE Server accepts the JWT and grants access to Instant Connect only if all of the following conditions are met:

The JWT was cryptographically signed by Microsoft Entra ID (its signature verifies against the signing keys that Entra ID publishes through the OpenID configuration document referenced by openIdConfUrl).

The token has not expired (i.e., the user is not trying to reuse an old token).

The token was issued to authorize access to the ICE Server resource (its audience is the ICE application registered in Entra ID, the audience value in the metadata document) and not some other application or resource unrelated to ICE.
If the JWT is valid, its claims (such as the user's name, email address and directory groups) are used to create or update the user's Instant Connect profile.
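A server-side check of the three conditions above, followed by the claims-to-profile mapping, as an added example that is not the ICE Server's own implementation. Entra ID signs tokens with RS256 using keys published at the jwks_uri of the OpenID configuration document; so that this example runs offline with only the standard library, it plugs an HS256 verifier with a constructed secret into the same kid-keyed verifier interface and fixes the allowed-algorithm set on the server side (in production that set is {"RS256"} and each kid maps to an RSA public key from the JWKS). The issuer form, the claim names (oid, name, preferred_username, groups), the 60-second leeway and the sample claims are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values; a deployment takes these from its own Entra ID configuration.
TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
AUDIENCE = "api://11111111-2222-3333-4444-555555555555"
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"  # v2.0 issuer form (assumed)


class TokenRejected(Exception):
    """Reason a login attempt was denied."""


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def validate_token(token, *, keys, allowed_algs, audience, issuer, now=None, leeway=60):
    """Return the claims when every check passes; raise TokenRejected otherwise.

    keys maps kid -> verify(alg, signing_input, signature) -> bool. allowed_algs is fixed
    by the server and never read from the token, which blocks alg=none and key confusion.
    """
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        payload = json.loads(b64url_decode(p_b64))
        signature = b64url_decode(s_b64)
        if not isinstance(header, dict) or not isinstance(payload, dict):
            raise ValueError("JOSE header and payload must be objects")
    except ValueError as e:
        raise TokenRejected("malformed token") from e
    # Condition 1: signed by Entra ID (allowed alg, key named by kid, signature, issuer).
    alg = header.get("alg")
    if alg not in allowed_algs:
        raise TokenRejected(f"algorithm {alg!r} not allowed")
    verify = keys.get(header.get("kid"))
    if verify is None:
        raise TokenRejected("signed with an unknown key")
    if not verify(alg, f"{h_b64}.{p_b64}".encode("ascii"), signature):
        raise TokenRejected("signature does not verify")
    if payload.get("iss") != issuer:
        raise TokenRejected("not issued by the configured tenant")
    # Condition 2: not expired (exp is mandatory) and not presented before nbf.
    now = time.time() if now is None else now
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise TokenRejected("token has expired")
    if now + leeway < payload.get("nbf", 0):
        raise TokenRejected("token not yet valid")
    # Condition 3: issued for the ICE Server resource, not some other application.
    aud = payload.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if audience not in aud:
        raise TokenRejected("audience is not the ICE Server")
    return payload


def profile_from_claims(claims, import_user_groups):
    """Fields used to create or update the ICE profile (claim names are assumed)."""
    profile = {"subject": claims.get("oid") or claims.get("sub"), "name": claims.get("name"),
               "email": claims.get("preferred_username") or claims.get("email")}
    if import_user_groups:  # honours importUserGroups from /sso-meta
        profile["groups"] = list(claims.get("groups", []))
    return profile


# Demo signer: HS256 via hmac with a constructed secret. Production: RSA keys from the JWKS.
DEMO_KID = "demo-key-1"
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"


def hs256_verify(alg, signing_input, signature):
    expected = hmac.new(DEMO_SECRET, signing_input, hashlib.sha256).digest()
    return alg == "HS256" and hmac.compare_digest(expected, signature)


DEMO_KEYS = {DEMO_KID: hs256_verify}


def mint_demo_token(claims, kid=DEMO_KID, alg="HS256"):
    """Token as the demo identity provider would issue it (alg='none' gives an empty signature)."""
    head = b64url_encode(json.dumps({"typ": "JWT", "alg": alg, "kid": kid}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{head}.{body}".encode("ascii")
    sig = hmac.new(DEMO_SECRET, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{head}.{body}.{b64url_encode(sig)}"


def demo_claims(now):
    return {"iss": ISSUER, "aud": AUDIENCE, "sub": "sub-0001", "oid": "oid-0001",
            "name": "Pat Example", "preferred_username": "pat@example.com",
            "groups": ["ice-dispatchers", "ice-users"], "iat": now, "nbf": now, "exp": now + 3600}


if __name__ == "__main__":
    claims = validate_token(mint_demo_token(demo_claims(int(time.time()))), keys=DEMO_KEYS,
                            allowed_algs={"HS256"}, audience=AUDIENCE, issuer=ISSUER)
    print(profile_from_claims(claims, import_user_groups=True))
```

The order of the checks matters: the algorithm and key are settled from server configuration before the signature is examined, and no claim (including the audience) is trusted until the signature has verified, so a forged or re-targeted token never reaches the profile update.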