Using Fortanix Data Security Manager with Microsoft Entra ID for OAuth 2.0 and OpenID Connect Authentication

1.0 Introduction

This article describes the steps to integrate Fortanix-Data-Security-Manager (DSM) with Microsoft Entra ID using OAuth 2.0 and OpenID Connect (OIDC) for Single Sign-On (SSO)-based authentication.

It also covers the following details:

• Creating a new Microsoft Entra ID application configured for OAuth 2.0 and OIDC.

• Generating a client secret.

• Configuring OAuth-based SSO in Fortanix DSM.

• Testing the authentication flow.

2.0 Prerequisites

Ensure you have the following:

• An active Azure subscription with administrator (admin) permissions in Microsoft Entra ID.

• Admin access to Fortanix DSM for configuring OAuth-based SSO.

3.0 Create a Microsoft Entra ID Application

Perform the following steps to create and configure a new Microsoft Entra ID application for OAuth:

1. Log in to the Azure Portal.

2. Navigate to Microsoft Entra ID from the Azure portal Home page under Azure services, or by selecting Microsoft Entra ID from the left navigation panel.

3. On the Microsoft Entra ID page, under Manage in the left navigation panel, select App registrations.

4. Click New registration.

5. On the Register an application page, configure the following fields:

   • Name: Enter a user-facing display name for the application. For example, fortanix_oauth.

   • Supported account types: Select Accounts in this organizational directory only (<your organization name> only - Single tenant).

   • Under Redirect URI:

     • Platform: Select Web

     • Redirect URI: Enter https://<Fortanix_DSM_url>/oauth.

       Example: https://amer.smartkey.io/oauth

6. Click Register to create the application.

7. The application's Overview page is displayed. Copy the Application (client) ID value. This will be used as Client ID when configuring Fortanix DSM.

8. On the Overview page, click Endpoints.

9. From the Endpoints panel, copy the following values for using them when configuring Fortanix DSM:

   • OAuth 2.0 authorization endpoint (v2)

   • OAuth 2.0 token endpoint (v2)

4.0 Create a Client Secret

A client secret is a string value that your application uses to authenticate itself when requesting tokens from Microsoft Entra ID.

Perform the following steps to add a client secret for your Microsoft Entra ID application:

1. In App registrations, select your application created in Section 3.0: Create a Microsoft Entra ID Application.

2. Select Certificates & secrets → Client secrets → New client secret.

3. On the Add a client secret panel,

   • Description: Enter a description for the client secret.

   • Expires: Select an expiration period for the secret or specify a custom lifetime.

   NOTE

   • The client secret lifetime is limited to a maximum of 24 months (two years). A custom lifetime longer than 24 months cannot be specified.

   • Microsoft recommends setting an expiration period of 180 days (6 months).

4. Click Add to create the client secret.

NOTE

Ensure that you copy the client secret value after creation. It is displayed only once and will be required when configuring Fortanix DSM.

5.0 Configure OAuth SSO in Fortanix DSM

Perform the following steps to configure Microsoft Entra ID OAuth in Fortanix DSM:

1. Log in to Fortanix DSM.

2. In the Fortanix DSM user interface (UI), navigate to Settings → AUTHENTICATION tab, and select SINGLE SIGN-ON as the authentication method.

3. Click ADD OAUTH INTEGRATION to add a new OAuth integration.

4. On the Add OAuth integration page, configure the following values:

   • OAuth Provider: Select Custom.

   • Provider Name: Enter a name for the provider. For example, Customer_SSO.

   • Authorization Endpoint: Enter the OAuth 2.0 authorization endpoint (v2) value obtained in Section 3.0: Create a Microsoft Entra ID Application.

   • Token Endpoint: Enter the OAuth 2.0 token endpoint (v2) value obtained in Section 3.0: Create a Microsoft Entra ID Application.

   • Authorization Method: Select client_secret_post.

   • Client ID: Enter the Application (client) ID obtained in Section 3.0: Create a Microsoft Entra ID Application.

   • Client Secret: Enter the client secret value obtained in Section 4.0: Create a Client Secret.

5. Click ADD INTEGRATION to save the OAuth configuration.

6.0 Test the Integration

Perform the following steps to verify the OAuth SSO integration:

1. Log out of Fortanix DSM to sign in using SSO.  

2. On the Fortanix DSM Login page, click the LOG IN WITH <Name of your SSO> (for example, CUSTOMER_SSO) to authenticate using the newly configured SSO integration.

3. The Microsoft Entra ID sign-in page appears.

   3. Enter your Microsoft credentials.

   4. Review requested permissions

   5. Click Accept (if prompted).

4. After successful authentication, you are automatically redirected to Fortanix DSM and signed in to your DSM account.