Setting up Microsoft Entra as your identity provider for WISdom SSO requires configuration in both Entra and WISdom. The Entra side involves creating an OIDC-compliant application, adding WISdom's redirect URIs, and collecting endpoint values. The WISdom side involves entering those values into the Connect SSO wizard.
WISdom supports two authentication flows: Authorization Code and Authorization Code with PKCE (Proof Key for Code Exchange). The flow you choose determines which fields WISdom requires. The Entra configuration is the same for both flows except for the client secret: Authorization Code needs one, PKCE does not.
For detailed steps within Entra, refer to Microsoft's app registration documentation.
Setup Sequence
- Create a new Entra application for WISdom
- Create application credentials
- Add WISdom redirect URIs
- Retrieve endpoint values from the metadata document
- Configure SSO in WISdom
Step 1 — Create a New Entra Application
- Log in to Azure and go to Entra.
- In the left navigation menu, select Manage › App Registrations.
- Select New Registration.
- Enter a name for the application. We recommend WISdom or Fortified WISdom.
- Save the registration.
Step 2 — Create Application Credentials
Both flows use the Application (client) ID from the Entra overview page as WISdom's Authentication Client ID (collected in Step 4). Authorization Code additionally requires the Client Secret Value created in this step. PKCE does not use a client secret, and the Secret Value field is hidden in WISdom when PKCE is selected. The Secret ID that Entra displays next to the Value is Entra's own identifier for the credential and is not entered into WISdom.
- On the application overview page, select Add a certificate or secret.
- Select + New client secret.
- Enter a name for the secret and set an expiration date.
For Authorization Code:
Before navigating away, copy the Value. This is the Authentication Client Secret you will enter in WISdom. Entra shows the Value only at the time of creation; if you lose it, delete the secret and create a new one.
For PKCE:
Nothing from this page is entered into WISdom. PKCE binds the authorization code to a code verifier generated per login instead of to a client secret, so neither the Secret Value nor the Secret ID is used.
The client secret has an expiration date. Note when it expires, and before that date create a new secret in Entra and enter its Value in WISdom. Once the secret expires, Entra rejects the token exchange and Authorization Code logins fail until it is replaced.
Step 3 — Add WISdom Redirect URIs
- Return to the application overview page and select Add a Redirect URI (this opens the application's Authentication page).
- Select Add a Platform.
- Select Web as the platform.
- Under Web › Redirect URIs, add both of the following:
https://app.fortifiedwisdom.com/bff/v1/oauth/oidc-callback
https://app.fortifiedwisdom.com/login
- Under Front-channel logout URL, enter:
https://app.fortifiedwisdom.com/logout
- Select Save.
Step 4 — Retrieve Endpoint Values
- On the application overview page, select Endpoints.
- Copy the OpenID Connect metadata document URL and open it in a new browser tab.
- From the metadata document, locate and copy the following values:
| Field in WISdom | Metadata document key |
|---|---|
| Authentication URL | authorization_endpoint |
| Token URL | token_endpoint |
| Public Key URL | jwks_uri |
| Token Issuer | issuer |
- Return to the application overview page and copy the Application (client) ID. This is the Authentication Client ID in WISdom.
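Picking the four values out of the metadata document by hand is error-prone, and a common slip is copying them from the wrong tenant's document. The following added example (not WISdom's or Microsoft's code) maps the document's keys to the WISdom field names from the table above and runs two checks before the values are pasted in: every endpoint is an https URL on the issuer's host, and the issuer contains the Directory (tenant) ID, which catches the common/organizations document whose issuer is the literal template `{tenantid}`. The embedded document is a constructed sample in the shape of Entra's v2.0 document with a placeholder tenant ID; `fetch_metadata()` retrieves the live one when run with network access.

```python
"""Map an Entra OpenID Connect metadata document to the WISdom SSO fields (added example)."""
import json
import urllib.request
from urllib.parse import urlsplit

# WISdom field -> metadata document key (the Step 4 table)
FIELD_MAP = {
    "Issuer": "issuer",
    "Authentication Endpoint": "authorization_endpoint",
    "Token Endpoint": "token_endpoint",
    "Public Key Endpoint": "jwks_uri",
}
# Optional field; present in Entra's document but not required by WISdom.
OPTIONAL_MAP = {"Logout Endpoint": "end_session_endpoint"}


def metadata_url(tenant_id: str) -> str:
    """Entra's v2.0 discovery URL, the one shown under Endpoints in the portal."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration"


def fetch_metadata(tenant_id: str, timeout: float = 10.0) -> dict:
    """Download and parse the live document (network access required)."""
    with urllib.request.urlopen(metadata_url(tenant_id), timeout=timeout) as resp:
        return json.load(resp)


def wisdom_fields(metadata: dict) -> dict:
    """Pick out the values WISdom asks for; fail loudly if a required one is missing."""
    missing = [k for k in FIELD_MAP.values() if k not in metadata]
    if missing:
        raise KeyError(f"metadata document lacks: {', '.join(missing)}")
    fields = {field: metadata[key] for field, key in FIELD_MAP.items()}
    fields.update({field: metadata[key] for field, key in OPTIONAL_MAP.items() if key in metadata})
    return fields


def check_fields(fields: dict, tenant_id: str) -> list:
    """Sanity checks before pasting into WISdom. Returns a list of problems (empty means OK):
    every value must be an https URL on the issuer's host, and the issuer must carry the
    tenant ID (the common/organizations document has a '{tenantid}' template there)."""
    problems = []
    issuer_host = urlsplit(fields["Issuer"]).netloc
    for name, value in fields.items():
        parts = urlsplit(value)
        if parts.scheme != "https":
            problems.append(f"{name}: not https ({value})")
        if parts.netloc != issuer_host:
            problems.append(f"{name}: host {parts.netloc!r} differs from issuer host {issuer_host!r}")
    if tenant_id not in fields["Issuer"]:
        problems.append(f"Issuer {fields['Issuer']!r} does not contain tenant {tenant_id}")
    return problems


SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder Directory (tenant) ID
SAMPLE_METADATA = json.dumps({  # constructed sample in the shape of Entra's v2.0 document
    "issuer": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/discovery/v2.0/keys",
    "end_session_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/oauth2/v2.0/logout",
    "response_types_supported": ["code", "id_token", "code id_token"],
})


if __name__ == "__main__":
    fields = wisdom_fields(json.loads(SAMPLE_METADATA))
    for name, value in fields.items():
        print(f"{name:24} {value}")
    for problem in check_fields(fields, SAMPLE_TENANT):
        print("PROBLEM:", problem)
```

Run it against the live document with `check_fields(wisdom_fields(fetch_metadata(tenant)), tenant)`; an empty list means the values can be entered into WISdom as they are.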
Step 5 — Configure SSO in WISdom
- Go to Admin Console › Integration › Integrations.
- Under Available Apps, select SSO.
- In the Connect SSO dialog, select either the Authorization Code or PKCE tab depending on the flow you are using.
- Complete the fields on the first page:
| Field | Required | Value |
|---|---|---|
| Name | Yes | A display name for this SSO configuration |
| Issuer | Yes | issuer value from the metadata document |
| Audience | No | The aud claim WISdom should expect in the ID token. Entra sets aud to the Application (client) ID, so use that value if your organization requires audience checking |
| Authentication Client ID | Yes | Application (client) ID from the Entra overview page |
| Authentication Client Secret | Authorization Code only | Secret Value from Entra Certificates & Secrets |
The Authentication Client Secret field is not shown when PKCE is selected. Only the Client ID is required.
- Select Continue.
- Complete the fields on the second page:
| Field | Required | Value |
|---|---|---|
| Authentication Endpoint | Yes | authorization_endpoint from the metadata document |
| Token Endpoint | Yes | token_endpoint from the metadata document |
| Public Key Endpoint | Yes | jwks_uri from the metadata document |
| Logout Endpoint | No | end_session_endpoint from the metadata document (Entra's sign-out URL), if you want WISdom sign-out to also end the Entra session |
- Select Test connection to validate the configuration.
- If the test succeeds, select Save.
Saving the configuration switches every user to the configured SSO at their next login. If some accounts should keep signing in without SSO, open a ticket with the WISdom support team so those accounts can be reverted to Auth0 authentication: send the account names to WISdomSupport@Fortified.com.