Redgate Monitor 14

Setting up Microsoft Entra ID as your OpenID Connect Identity Provider

This documentation is intended to provide detailed information on how to set up Microsoft Entra ID (formerly Azure Active Directory) as your identity provider to enable authentication in Redgate Monitor via OpenID Connect. See our page on Authenticating with OpenID Connect for a general overview on this feature.


Pre-requisites

This guide assumes the following:

Creating your App registration

First you will need to create and configure your Entra app registration for Redgate Monitor:

  1. In the Microsoft Azure Portal, search for the Microsoft Entra ID service and navigate to that page



  2. In the Entra service page, click the Add button and then App registration



  3. In the Register an application page, choose a name for the application (e.g. Redgate Monitor) and select the supported account types that you will require. 
  4. In the same page, for Redirect URI select Web and enter the HTTPS endpoint that you would typically use to access Redgate Monitor through the browser with /openidconnectaccount as the path. For example: https://<machine-name>.domain:8080/openidconnectaccount



  5. Click Register to complete the app registration

Configuring your app registration

Before you can use your application integration in Monitor, you will need to make sure the app is correctly configured as follows:

  1. In the Manage > Authentication section of your app registration
    1. For Implicit grant and hybrid flows select ID Tokens



    2. For the Front-channel logout URL use the same URL you used for the Redirect URI, except with /signout-callback-oidc as the path. For example, https://<machine-name>.domain:8080/signout-callback-oidc
  2. In the Manage > Token configuration section of your app registration
    1. Click Add groups claim, and select Groups assigned to the application to limit the number of groups that are included in the ID tokens.
      Note that if you choose not to limit the groups to the application at this stage, you may encounter issues with token limitations. See this page for more information.



    2. Optionally, you can click Add optional claim and add preferred_username or email or another claim to the ID Token that can then be used as the Redgate Monitor username later if desired

Setting up and assigning groups

If you wish to use groups to streamline adding new users to Monitor you must set the group up within your Entra ID directory and add users from your organization into the group

  1. In the main dashboard of your Entra ID admin page, navigate to the Manage > Groups section 



  2. In this Groups page, click the New group button above the list of groups.
  3. In the New group configuration page, you should enter a group name (e.g. "Redgate Monitor Admins") and select Security as the type. 



  4. At this point, you can also add owners and members by selecting No members/owners selected and picking the identity object you wish to add from the list that pops up.



  5. After adding the group, navigate back to the Entra ID dashboard and go to the Manage > Enterprise applications section
    1. This page should contain a list of registered applications. Find and select the Redgate Monitor application that was added earlier
  6. In the Redgate Monitor application page, navigate to the Manage > Users and groups section and click Add user/groups



  7. On the Add assignment page, under "Users and groups" click None selected and then search for the group that was created earlier (e.g. "Redgate Monitor Admins") and select it, pressing Select and then Assign to add it to the application.



  8. This group will now show up in your list of group claims in the OIDC token that is issued to Monitor. 

Configuring your OIDC provider in Redgate Monitor

At this point your Entra ID app registration should be fully set up to work with Monitor, so all that remains is to create the configuration.

  1. In the Configuration page, under Users, click Authentication settings:



  2. Select Use OpenID Connect:



  3. A popup appears:




  4. Visit the Entra ID service dashboard and navigate to the Manage > App registrations section, then search for the Redgate Monitor app registration created earlier. Take a note of two values in the App registration Overview section:
    1. The Application (client) ID
    2. The Directory (tenant) ID
  5. Under Authority, you should enter https://login.microsoftonline.com/<tenant-id>/v2.0/ replacing <tenant-id> with the Directory (tenant) ID from step 4b above.
  6. Enter the Client ID, which will be the Application (client) ID from step 4a above.
  7. Enter the Username claim name or Group claim name. By default this should be preferred_username for the Username claim name, unless you have specified a different optional claim, and groups for the Group claim name.
  8. There is no need to enable Send ID token on logout. Entra ID does not require this.

  9. Add an Administrator user or group.

    1. If you have set up the Redgate Monitor Admins group as shown earlier in this guide, you should select the Group option. You will have to enter the Azure object ID of the group. You can find this if you navigate to the Entra ID dashboard and visit Manage > Groups and then search for your group.



    2. If you are using a single user as an Administrator you will need the Azure object ID for the user, which you can find in the Entra ID dashboard Manage > Users section by searching for the user, similar to groups.
  10. Click Save settings. Redgate Monitor logs you and all other users out.
  11. Access the login page for Redgate Monitor which should redirect you to your Identity Provider's login page.

In case of any problems or misconfiguration, follow Switching back to Redgate Monitor basic authentication.

Adding additional roles

After adding your OIDC configuration to Monitor, you will have an administrator group or user defined. If you want to add more roles (e.g. standard users) via groups, or individual users, then this must be configured separately.

  1. If you intend to create a new group, for example "RGMonitor Read Only Users", first you should repeat the steps outlined in Setting up and assigning groups.
  2. Take a note of the group's object ID, and follow our documentation on adding new OIDC users and groups to see how you can add it to Monitor

Didn't find what you were looking for?