
Authenticating users with OpenID Connect

With the standard setup users are authenticated internally in Crosser Control Center. If you already have a directory server where your users are registered, you can use it to authenticate users with Crosser Cloud through OpenID Connect. To set up authentication with external directory servers you need to configure one or several identity providers. An identity provider manages users from one or several domains. When a user tries to log in with an email address whose domain belongs to one of the configured identity providers, an authentication request is sent to the external directory server, which checks whether the user has a role that should give access to Crosser Control Center. With the identity provider configuration you can also map roles and groups in the external provider to permissions in Crosser Control Center.

Note: You can only configure identity providers for domains that have been registered with your organization by Crosser.

Identity providers are configured on the Organization page, found in the user menu in the top right corner of the Crosser Control Center interface. On that page, select Identity providers in the left-hand menu. This opens up a list of currently defined identity providers, if any, and also allows you to add new providers.

When clicking on + Add Identity Provider a wizard opens up which takes you through three steps to complete the configuration.

Step 1: Basic information

The following settings are available:

  • Name (required): The name of this configuration. Shown in the Identity provider listing.
  • Description (optional): Optional description.
  • Client Id (required): The Client Id for Crosser obtained from your directory server.
  • Client Secret (required): The Client Secret for Crosser obtained from your directory server.
  • Authority (required): The URL to your OpenID Connect endpoint.
  • User Name Claim (required): The name of the claim that contains the user email address.
    Note: Roles are mapped via the user's email address, hence we require a claim that contains the user's email address.
  • Get Claims From User Information Endpoint (optional): Fetch additional user information from the external directory which was not included in the token due to size.
    Note: Recommended for Microsoft Azure.
  • Crosser Role (optional): Role in the external directory required to get access to Crosser Control Center. If left empty all users will get access.
  • Disabled (optional): If checked this identity provider is disabled and no requests to the external authentication server will be made.
  • Scopes (optional): The scopes to be asked from the identity provider.
    Note: Not needed in most setups.
  • Role Claims (optional): The claims that contain the roles.
    Note: Not needed in most setups.

Step 2: Domains

This step is used to map this configuration against one or several user domains. The domains listed here must be assigned to this organization by Crosser. A domain can only be managed by one identity provider, hence any domains already assigned to an identity provider will not be available for selection.

Step 3: Role Mapping

In the final step you can map roles and groups in the external directory to permissions in Crosser Control Center. Each external role can be mapped to one or several Crosser permissions, and multiple external roles can be mapped to the same Crosser permissions. To add a new mapping, enter a new name in the Role Name field and check one or several permissions in the list. Then click Add. All current mappings are shown in the list at the bottom of the page, where you can also modify and delete existing mappings.

Step 4: Finish

Once you have specified your configuration, press Finish. Afterwards you will see a Callback Path, which you need to provide to your external Identity Provider so that it can redirect authentication results back to your Crosser Control Center instance.

Modifying Identity Provider configurations

Clicking on the edit icon to the right of an existing identity provider configuration in the list opens up the wizard so that you can make changes. Save your changes with the Update button. If you instead click somewhere in the UI that makes you leave the wizard, you will be asked whether you want to save or discard your changes.

Using Azure Entra ID as identity provider

This section describes how you configure your Azure Entra ID for use with Crosser Control Center.

Initial setup in Azure

  1. Configure Azure groups to be used for access rights in Crosser Control Center:
    • Go to Azure Entra ID -> Groups and create the groups you want to use to set up access rights in Crosser Control Center, or use any existing groups. At least one group is needed.
    • Write down the Object ID of the group(s) (this is a GUID).
    • Assign the users that should have access to Crosser Control Center to the right groups.
  2. Create an App registration for Crosser Control Center:
    • Go to Azure Entra ID -> App Registrations and create a new App Registration. If you don't have any other preferences, choose Accounts in this organizational directory only (Standard Catalog only - Single tenant).
    • On the Overview page, write down the Application (client) ID, then click on Endpoints and copy the URL in the OpenID Connect metadata document, but skip the part after v2.0/. The URL should look like this: https://login.microsoftonline.com/<guid>/v2.0/
    • On the newly created app registration click Add a certificate or secret. Save the secret value (client_secret, which is auto generated); you will not be able to access it later.
    • Go to API permissions -> Add a permission -> Microsoft Graph -> Delegated permissions -> RoleManagement.Read.All and add it.
  3. Azure Entra ID roles limit (optional):
    • Azure Entra ID has a limit on the number of object IDs that it includes in the groups claim. The limit varies between token types: 150 for SAML tokens, 200 for JWT tokens and 6 for Single Page applications. If a user belongs to more groups than this limit, then Azure Entra ID will not include any group in the claims.
    • It is possible to make sure that this limit is not reached. One way is to only include the groups assigned to the application which the user is part of. To add groups to the application:
      • On the Overview page, click on the link next to Managed application in local directory.
      • Go to Users and Groups and click on Add user/group.
    • Go to Token configuration -> Add groups claim, uncheck Security groups and make sure only Groups assigned to the application is checked.

Setup in Crosser Control Center

From the setup in Azure you should now have the following:

  • client_id
  • client_secret
  • Endpoint URL

Follow these steps to set up a new Identity Provider in Crosser Control Center that uses your Azure Entra ID:

  1. Create an Identity Provider, as described above.
  2. Fill in the client_id and client_secret you saved above when creating the app registration.
  3. Set the Authority to the endpoint URL you saved above (https://login.microsoftonline.com/<guid>/v2.0/).
  4. Set User Name Claim to email.
  5. Check the Get Claims From User Information Endpoint checkbox.
  6. Enter the Group ID (the Object ID you saved above) of the group(s) that should be used to allow access to Crosser Control Center.
  7. Choose the domains you want to use with this directory.
  8. Use the Group IDs to associate users with the appropriate roles in Crosser Control Center.
  9. Press Finish.
  10. Copy the Callback Path.
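How a login is evaluated against an identity provider configuration (selecting the provider by email domain, enforcing the Crosser Role, mapping the Azure group Object IDs from Step 3 to permissions, and falling back to the user information endpoint when the group limit leaves the token without a groups claim), as an added Python model that is not Crosser's own code; the class, function and permission names and the sample group IDs are assumptions:

```python
from dataclasses import dataclass, field

@dataclass
class IdentityProvider:
    """One Identity provider entry; field names mirror the wizard settings (assumed)."""
    domains: set                       # Step 2: domains this provider manages
    user_name_claim: str = "email"     # claim holding the user's email address
    role_claims: tuple = ("groups",)   # claims carrying external roles (Azure: group Object IDs)
    crosser_role: str = ""             # external role required for access; empty = everyone
    role_mapping: dict = field(default_factory=dict)  # Step 3: external role -> permissions
    disabled: bool = False

def provider_for_email(email, providers):
    """A domain belongs to at most one provider; a disabled provider is never used."""
    domain = email.rsplit("@", 1)[-1].lower()
    return next((p for p in providers if not p.disabled and domain in p.domains), None)

def external_roles(claims, provider):
    """Collect roles from every configured role claim (string or list values)."""
    roles = set()
    for claim in provider.role_claims:
        value = claims.get(claim, [])
        roles.update([value] if isinstance(value, str) else value)
    return roles

def effective_claims(token_claims, userinfo_claims, fetch_userinfo):
    """Model 'Get Claims From User Information Endpoint': when Azure's group limit is
    exceeded the token carries no groups claim, so merge the user-info response if enabled."""
    if fetch_userinfo and "groups" not in token_claims:
        return {**token_claims, **userinfo_claims}
    return token_claims

def authorize(claims, provider):
    """Return the set of Crosser permissions granted, or None when access is denied."""
    email = claims.get(provider.user_name_claim)
    if not email or provider_for_email(email, [provider]) is not provider:
        return None
    roles = external_roles(claims, provider)
    if provider.crosser_role and provider.crosser_role not in roles:
        return None
    granted = set()
    for role in roles:
        granted |= provider.role_mapping.get(role, set())
    return granted

# Constructed sample values: fake group Object IDs and permission names, not real ones.
ADMINS = "00000000-0000-0000-0000-000000000001"
VIEWERS = "00000000-0000-0000-0000-000000000002"
AZURE = IdentityProvider(domains={"example.com"}, crosser_role=VIEWERS,
                         role_mapping={ADMINS: {"manage-flows"}, VIEWERS: {"view-flows"}})
```

A user in a domain the provider does not manage, or missing the group configured as Crosser Role, is denied even if other mapped groups are present.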

Final setup in Azure

On the App Registration Overview page, go to Add redirect URI -> Add a Platform -> Web, put the redirect URL (the Callback Path) from Crosser Control Center into Redirect URI and press Configure.

You are done!
Users logging in to Crosser Control Center with a domain registered above will now be authenticated using your Azure Entra ID.