OpenID Connect (OIDC) is a modern authentication protocol that offers a more streamlined and secure Single Sign On (SSO) experience. Azure AD's integration with Mapiq using OIDC ensures seamless access for users. This article provides a comprehensive guide on setting up this integration.
You'll learn about the requirements, supported features, configuration steps, and claims associated with Azure AD's OIDC integration with Mapiq.
Supported Features
The Azure AD Mapiq SSO integration for SAML supports:
SP-Initiated SSO
JIT (Just-In-Time Provisioning)
Multi-tenant application
Configuration Steps
Note: Before you can start configuring SSO through Azure AD, make sure you have the necessary permissions in your Azure AD tenant to install and configure (enterprise-grade) applications.
Contact Mapiq support or your designated Mapiq contact person, and request SSO activation for Azure AD with OIDC. Provide your Azure AD tenant id and the email domains used by your users.
After receiving confirmation from Mapiq, sign in to the Microsoft Entra Admin Center with Cloud Application Administrator permissions or higher.
Navigate to Identity > Applications > Enterprise applications. Select "New application" and search for "Mapiq SSO".
Choose the "Mapiq SSO (OpenID Connect)" application and click "Sign up for Mapiq SSO (OpenID Connect)".
You'll be redirected to the Mapiq application. Complete the sign-in process and consent to the Mapiq application to finalize the SSO setup.
Your users can now access Mapiq using Azure AD SSO. You can also begin assigning users to the application. 🎉
Note: Mapiq doesn't offer a backup sign-in URL for Azure AD SAML integration misconfigurations. If you're locked out due to a configuration error, please contact Mapiq Support.
Claims Configuration
Required Claims
Mapiq requires the following standard OIDC claims: given_name
, family_name
, name
, and email
. These claims are configured by default in Azure AD.
Optional Claims
There are also optional claims for added functionality. You are free to map them to user properties as applicable in your organisation.
These optional claims are:
Claim | Description |
job_title | The user’s job title (e.g. ‘senior manager’, or ‘trainee’). |
department | The department the user is a part of (e.g. ‘finance’ or ‘IT support’). |
business_unit | The business unit the user is part of (e.g. ‘company logistics’). |
office | The office where the user is based (e.g. ‘Amsterdam’ or ‘London’). |
country | The country in which the user is based (e.g. ‘NL’ or ‘The Netherlands’). |
external_id | An identifier, unique to the user, that can be leveraged in other platforms (e.g. an employee number). |
Azure AD allows for the customisation of emitted claims in enterprise applications. For details on configuring additional claims for the Mapiq SSO application, refer to Azure AD's documentation.
The Mapiq SSO application, being a multi-tenant application, requires a custom signing key when adding extra claims. For guidance on setting up custom signing keys in Azure AD, consult Azure AD's documentation.
Note: In case you or your IT department is unfamiliar or uncomfortable with setting up the required custom signing keys in Azure AD, but would like to make sure of the optional claims and associated Mapiq features, please take a look at Configuring Azure AD - SAML 2.0 instead.
SP-Initiated SSO
Visit https://app.mapiq.com.
Click "Sign in".
Enter your company email address.
Authenticate using your Azure AD credentials.
💬 Need More Help?
If you’d like extra assistance, reach out via the Messenger (question mark in the corner) and chat with our support team, or email us at [email protected].
We’re always ready to help! 😉