SSO Integration: EntraID/Azure AD with the MB connect line Portal
This article describes the steps required to register an app in Microsoft Entra ID (formerly Azure Active Directory) for OIDC-based Single Sign-On (SSO) integration with the RSP portal. The configuration allows users to sign in to the portal using their Microsoft account.
Official Microsoft Documentation: Quickstart: Register an application – Microsoft Entra
Step-by-step guide
Step 1 - Open the portal
Sign in to the Microsoft Entra Admin Center or the Azure Portal:
- Microsoft Entra Admin Center: https://entra.microsoft.com/
- Azure Portal: https://portal.azure.com/
Step 2 - Create app registration
Navigate to Identity > Applications > App registrations and then click "New registration".
Step 3 - Enter basic information
| Field | Value |
|---|---|
| Name | Assign a meaningful name (e.g. "RSP Portal OIDC") |
| Supported account types | "Accounts in this organizational directory only (Single tenant)" for a single customer; "Accounts in any organizational directory (Multi-tenant)" for multiple customers |
| Redirect URI | Type: Web (or Single Page Application, depending on tech stack); URL: https://<DNS-name-of-RSP-portal>/portal/index.php?option=com_sso |
Step 4 - Configure authentication
Navigate to the "Authentication" menu item in the app.
- Implicit grant and hybrid flows:
  - Check the box for access_token.
  - id_token is enabled by default; only access_token must be set manually.
Step 5 - Create client secret
Navigate to "Certificates & secrets".
- Click "New client secret".
- Provide a meaningful description and select the desired expiration period.
- Important: Copy the displayed secret value immediately - it will not be shown again after leaving the page!
Step 6 - Find OIDC endpoints
Navigate to the app overview page and click the "Endpoints" button. There you will find the OpenID Connect metadata document:
https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration
Store this metadata URL in the portal configuration so that all required keys and endpoint URLs can be loaded from it automatically.
Step 7 - Provide data to technical contact
The following values are generated during registration and are required for configuring the RSP portal. They are customer-specific (per tenant).
| Information | Value | Notes |
|---|---|---|
| Client ID/Application ID | Automatically generated during registration | GUID format |
| Client Secret | Only shown during creation | Displayed once - store immediately! |
| Tenant ID | ID of the Microsoft Entra directory | GUID format |
| Redirect URL | https://<DNS-name-of-RSP-portal>/portal/index.php?option=com_sso | |
| Domain/Issuer URL | https://login.microsoftonline.com/<Tenant-ID>/v2.0 | |
| Authorization endpoint | https://login.microsoftonline.com/<Tenant-ID>/oauth2/v2.0/authorize | |
| Token endpoint | https://login.microsoftonline.com/<Tenant-ID>/oauth2/v2.0/token | |
| Refresh token endpoint | https://login.microsoftonline.com/<Tenant-ID>/oauth2/v2.0/token | Identical to token endpoint |
Transfer to RSP mbCONNECT24
After completing registration, provide the following values to RSP for portal configuration:
- Client ID/Application ID
- Client Secret
- Tenant ID
- All endpoint URLs (Domain, Authorization, Token, Refresh Token)
Known issues & Troubleshooting
Token issues during login
- Symptom: Login fails, no token is returned.
- Solution: Check under Authentication whether access_token and id_token are enabled under implicit grant.
Redirect URI mismatch
- Symptom: Error message "AADSTS50011: The redirect URI specified in the request does not match..."
- Solution: Ensure the redirect URI in the app registration (Authentication) exactly matches the configured URL in the portal, including query parameters.
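The following script is an added example, not part of this article or of the RSP portal: it checks the values gathered in Step 6/7 against the OIDC metadata document before they are handed over, and applies the exact redirect-URI comparison that the AADSTS50011 error above demands. The metadata document and tenant ID are constructed placeholders; the real document is fetched from the Step 6 URL.

```python
import json
from urllib.parse import urlsplit

# Placeholder tenant ID (constructed, not a real directory).
TENANT_ID = "00000000-0000-0000-0000-000000000000"

# Constructed sample of the openid-configuration document, trimmed to the
# fields used here; the real one is served at the Step 6 URL.
SAMPLE_METADATA = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
})


def expected_endpoints(tenant_id):
    """The tenant-specific URLs from the Step 7 table, derived from the tenant ID."""
    base = f"https://login.microsoftonline.com/{tenant_id}"
    return {
        "issuer": f"{base}/v2.0",
        "authorization_endpoint": f"{base}/oauth2/v2.0/authorize",
        "token_endpoint": f"{base}/oauth2/v2.0/token",
    }


def check_metadata(metadata_json, tenant_id):
    """Return a list of mismatches between the discovery document and the
    values expected for this tenant; an empty list means the handover
    values are consistent with what the identity provider publishes."""
    doc = json.loads(metadata_json)
    problems = []
    for key, want in expected_endpoints(tenant_id).items():
        got = doc.get(key)
        if got != want:
            problems.append(f"{key}: expected {want}, got {got}")
    # Signing keys must come from an https source or token validation is moot.
    if not str(doc.get("jwks_uri", "")).startswith("https://"):
        problems.append("jwks_uri missing or not https")
    return problems


def redirect_uri_matches(registered, requested):
    """AADSTS50011-style check: scheme and host are compared case-insensitively,
    path and query string must match exactly (including ?option=com_sso)."""
    a, b = urlsplit(registered), urlsplit(requested)
    return (a.scheme.lower(), a.netloc.lower(), a.path, a.query) == \
           (b.scheme.lower(), b.netloc.lower(), b.path, b.query)
```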