Microsoft Entra ID - OpenID Connect

Microsoft Entra ID can be set up as an OpenID Connect authentication provider to log users into a different Relativity instance. You need to complete some steps within Microsoft Entra ID and Relativity to user Entra ID OpenID Connect.

Note: We support B2C (business-to-customer) SSO integration through the OIDC and SAML2 protocols. Customers whose provider supports either of these protocols can integrate with RelativityOne. The following steps focus on registering an Azure application and credentials for Entra ID. If you're setting up Relativity with EntraID External ID (formerly known as AzureAD B2C), please refer to Microsoft's documentation.

Registering an Azure application and credentials

Before you begin configuring Entra ID in Relativity, you will need to add Relativity as an application within Entra ID.

  1. Log in to Azure Portal.
  2. Click Microsoft Entra ID.

  3. Click New registration.
  4. Give the application a name.

  5. Click Register.

  6. Copy the Application (client) ID.

  7. Click the Endpoints button.

  8. Copy the OAuth 2.0 authorization endpoint (v2) URL.

  9. Trim the oauth2/v2.0/authorize from the URL. For example: 

    https://login.microsoftonline.com/8a3fa923-3223-4978-9d4d-fa012e19898b/oauth2/authorize
https://login.microsoftonline.com/8a3fa923-3223-4978-9d4d-fa012e19898b/

Review the following list of settings that display on the Authentication Provider form. You can configure or update these settings based on your authentication needs.

Authentication provider information

  • Name—enter a user-friendly name for the authentication provider.
  • Provider Type—select OpenID Connect.
  • Enabled—the provider is enabled by default. However, you can disable it.
  • Site URL—set the URL that users enter in the browser to access an instance of Relativity.

Authentication provider settings

  • OAuth2 Flow—select either Implicit or Code.
  • Client ID—enter the Entra ID's Application ID.
  • Display on Login Screen—determines if the OpenID Connect button displays on the login page.
  • Login Screen Button Text—determines the text that appears on the button displayed on the login page.
  • Authority URL—enter the Authority from the trimmed OAUTH 2.0 AUTHORIZATIONENDPOINT from step 9 in Configuring your external identity provider. See Microsoft Entra ID - OpenID Connect.
  • Scopes - the default value for this field is openid. The openid checkbox must be selected because it's a required setting. However, you can also select the email or profile option.

    The identity provider responds with the claims associated with the scopes that you request. In other words, the scopes translate into claims that you can use.

  • Subject Claim Type—the default value for this field is sub. Enter one of the following values based on the scopes that you set:
      Notes: In Microsoft Entra ID, email is an optional claim and is not included in the OpenID token by default. Consider using upn instead. Consult with your Entra ID administrator to determine which claim type is best suited for your organization. For more information, see the Microsoft documentation on optional claims.

    • If you selected only OpenID in the Scopes field, this field must be set to sub.
    • If you selected OpenID and email in the Scopes field, set this field to upn.
    • If you selected OpenID and profile in the Scopes field, set this field to a property available from the identity provider. These properties differ for each provider.

    The identity provider sends an identity token to you, which contains the claims for your selected scopes. When you request only the openid scope, then sub is used as the claim type. It often represents a unique identifier for the user within your system. If you are using Entra ID, then see Microsoft identity platform ID tokens for a full list of token identifiers.

  1. Log in to Entra ID and navigate to the application you created earlier, if you have closed the window.

  2. Click Authentication.

  3. Add your Redirect URL from the Relativity Authentication Provider.

    Note: Leave the Type as Web.

  4. Complete the scenario that matches the value you selected for OAuth2 Flow.

    • Scenario: you selected Implicit for OAuth2 Flow.
      1. Check the ID Tokens box.

      2. Click Save.
    • Scenario: you selected Code for OAuth2 Flow.

      1. Click Certificates & Secrets.

      2. Click New client secret.

      3. Click Add.

      4. Copy the client secret value.

      5. Navigate back to the Authentication Provider in Relativity.

      6. Click Edit.

      7. Paste the value for Client Secret with the value from step 4.

      8. Click Save.

  1. Click Azure Active Directory.
  2. Click Enterprise Applications.
  3. Click into the application that you’ve created for Relativity authentication.
  4. Click Users and groups.

  5. Click Add user.

  6. Select your users.
  7. Click Assign.