Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.barndoor.ai/llms.txt

Use this file to discover all available pages before exploring further.

Overview

This guide walks you through configuring Microsoft Entra ID as an OIDC Identity Provider for Barndoor. Once complete, your users will be able to sign in to Barndoor with their Entra ID credentials and their group memberships will flow through for automatic role mapping.
Prerequisites:
  • Admin access to your Barndoor account
  • Admin access to a Microsoft Entra ID tenant (Global Administrator or Application Administrator role)
  • Your Entra Tenant ID handy (find it on the Entra Overview page)
For the generic, IdP-agnostic version of this flow (Okta, Google Workspace, JumpCloud, etc.), see the Connect your IdP guide.

Part 1 — Configure the application in Entra

You’ll do all the Entra-side work first, then come back and configure Barndoor with the values you collect along the way.

Step 1: Create the app registration

1

Open Entra App Registrations

In the Microsoft Entra admin center, go to IdentityApplicationsApp registrations, then click + New registration.
2

Fill in the registration form

  • Name: Anything you’d like (e.g. Barndoor SSO)
  • Supported account types: Choose Single tenant unless you have a specific reason to allow other tenants.
  • Redirect URI: Leave blank for now. You’ll come back and set this in Step 11, after Barndoor has generated the redirect URL.
Click Register.Entra Register an application form with Name and Single-tenant selected

Step 2: Add the email claim to the ID token

1

Open Token configuration

From your new app registration’s left nav, click Token configuration+ Add optional claim.
2

Add the email claim

  • Token type: ID (this is the one that matters for Barndoor)
  • Check the email claim and click Add.
If Entra prompts you to enable the email Microsoft Graph permission to make this claim work, accept it.Add optional claim panel with ID token type selected and the email claim highlighted

Step 3: Add the groups claim

1

Add groups claim

Still on Token configuration, click + Add groups claim.
2

Choose which groups to include

Pick one of:
  • Security groups or All groups — simple, includes every group the user is in.
  • Groups assigned to the application — recommended for larger tenants; only sends groups that have been explicitly assigned to the Barndoor app. This keeps the token small and limits exposure.
3

Set the group identifier to sAMAccountName

Under ID, Access, and SAML sub-sections, change Group ID to sAMAccountName.Edit groups claim panel showing sAMAccountName selected under ID, Access, and SAML
Optionally, also tick Emit groups as role claims — this sends groups as roles instead of groups. By default Barndoor maps them as groups, which is what most teams want.
Click Add.

Step 4: Edit the manifest (two changes the UI can’t make)

There are two adjustments Entra’s UI doesn’t surface that you must make in the raw manifest.
1

Open the manifest editor

From the left nav, click Manifest. Use Ctrl/Cmd-F to find the optionalClaims block.Entra app manifest JSON open with optionalClaims block visible
2

Mark the email claim as essential (ID token only)

Find the email entry under idToken and set essential to true:
{
  "name": "email",
  "source": null,
  "essential": true,
  "additionalProperties": []
}
Only set essential: true on the entry inside idToken. Do not mark it essential in accessToken or saml2Token.
3

Add cloud_displayname for groups

Find each groups entry (you’ll see sam_account_name listed) and add cloud_displayname to additionalProperties. Do this in all three of idToken, accessToken, and saml2Token:
{
  "name": "groups",
  "source": null,
  "essential": false,
  "additionalProperties": [
    "sam_account_name",
    "cloud_displayname"
  ]
}
This is the signal that tells Entra to emit group names rather than UUIDs.
4

Save the manifest

Click Save at the top of the manifest editor.

Step 5: Grant API permissions

1

Add Microsoft Graph delegated permissions

From the left nav, click API permissions+ Add a permissionMicrosoft GraphDelegated permissions.Tick the following four scopes:
  • email
  • offline_access
  • openid
  • profile
Click Add permissions.Entra API permissions screen showing email, offline_access, openid, profile granted for Microsoft Graph
2

Grant admin consent

Back on the API permissions screen, click Grant admin consent for your tenant and confirm. The Status column should flip to green checkmarks for all four scopes.API permissions with the Successfully granted admin consent banner and all scopes showing green checkmarks

Step 6: Create a client secret

1

Generate a new client secret

Go to Certificates & secretsClient secrets tab → + New client secret.
  • Description: e.g. Barndoor SSO
  • Expires: Max the value (24 months at time of writing). Entra requires an expiration.
Click Add.
2

Copy the Value immediately

Once the secret is created, copy the Value column (not the Secret ID) to your clipboard.Entra Certificates and secrets page showing newly created client secret with Value column highlighted
Entra only displays the secret value once. As soon as you navigate away from this page it is masked permanently. If you miss it, you’ll need to delete the secret and create a new one.
Mark your calendar. When the secret expires (24 months max), SSO will silently break. Rotate it in Entra and update Barndoor’s IdP config before the expiration date.

Step 7: Collect the remaining values

You’ll need three more values from Entra before switching over to Barndoor.
1

Get the Application (client) ID

Go back to Overview. Copy the Application (client) ID. Also note your Directory (tenant) ID — you’ll need it in Step 9.Entra app Overview page with Application (client) ID and Directory (tenant) ID visible in the Essentials panel
2

Get the Authority URL from Endpoints

Still on Overview, click Endpoints in the top bar. A side panel opens with a list of URLs. Copy the OpenID Connect metadata document / Authority URL (the first one, ending in /v2.0/.well-known/openid-configuration or similar).Entra Endpoints side panel listing OAuth, OpenID, SAML, and Federation metadata URLsYou’ll use this URL in Barndoor to auto-discover the OIDC endpoints — but you’ll then override the Issuer field with a different URL in Step 9. Read on.

Part 2 — Configure the IdP in Barndoor

Step 8: Open the Barndoor IdP setup form

1

Navigate to Identity Provider settings

In Barndoor, go to Identity Provider and start the Set up single sign-on (SSO) flow.
2

Fill in the basic fields

  • Display name: Whatever you’d like (e.g. Entra — Acme Corp)
  • Client ID: The Application (client) ID from Entra Overview (Step 7)
  • Client Secret: The secret Value you copied in Step 6

Step 9: Set the Issuer URL — the part that trips everyone up

This is the single most important step in this guide. Entra publishes one URL in its metadata, but stamps a different URL into the iss claim of every token it issues. Barndoor verifies the iss claim against the issuer URL you provide, so the two must match exactly — including a trailing slash.
1

Use the Authority URL to auto-discover endpoints

Paste the Authority URL from Step 7 into the Issuer URL field. Barndoor will use it to auto-fill Authorization URL, Token URL, JWKS URL, etc.
2

Now overwrite the Issuer URL

Replace the value in the Issuer URL field with:
https://sts.windows.net/<your-tenant-id>/
Substitute your Directory (tenant) ID from Step 7. The trailing slash is required.Barndoor IdP setup form with Issuer URL set to https://sts.windows.net/<tenant-id>/ and other endpoint fields auto-filled
Trailing slash is mandatory. Entra mints tokens with iss: "https://sts.windows.net/<tenant-id>/" (with the slash). If you omit it, every login will fail token validation with a wrong issuer from token error and there will be no useful surface-level UI feedback — you’ll only see it in the Identity Provider logs.This URL is not advertised in Entra’s metadata. You have to set it manually.
3

Save the connection

Click Save connection. Barndoor will store the configuration and reveal the Redirect URI in Step 2 of the setup wizard.

Step 10: Register the Redirect URI back in Entra

1

Copy the Redirect URI from Barndoor

On the Barndoor SSO setup page, you’ll see a Redirect URI that looks like https://auth.barndoor.ai/realms/.../broker/<your-idp-name>/endpoint. Click the copy icon.
2

Add it to Entra's Authentication settings

Back in your Entra app registration, click Authentication in the left nav → + Add a platformWeb.Paste the Redirect URI into the Redirect URIs field, then click Configure.Entra Authentication page with a Web platform configured and Barndoor Redirect URI added
Leave the Front-channel logout URL and Home page URL fields empty. Entra’s initiate-login behavior doesn’t interoperate with Barndoor’s flow today; setting these can cause confusing redirect loops.

Step 11: Test SSO end-to-end

1

Trigger the Test SSO flow

Back in Barndoor’s IdP setup, click Test SSO. A popup window opens and should redirect you to Entra’s sign-in page.Barndoor Test Connection
2

Sign in with an Entra user

Complete authentication. You should be returned to Barndoor with a success state on all four readiness pills (Connection: Good, Verification: Ready to test, Role mapping: Optional, Enforcement: Ready to set).Barndoor SSO setup page with all four readiness pills showing green/Good status
SSO is wired up. Users can now log in to Barndoor with their Entra ID credentials.

Step 12 (optional): Map Entra groups to Barndoor roles

Once SSO works, you can map Entra groups to Barndoor’s Admin role using the standard role-mapping flow — see Connect your IdP — Step 3: Configure Role Mapping.
Entra Free tier caveat. On Entra ID Free (which most trial tenants use), the cloud_displayname property added in Step 4 is silently ignored and groups arrive as UUIDs rather than human-readable names. Group claims still work — they just aren’t pretty.To get group display names in tokens you need Entra ID P1 or higher. If you’re stuck on Free, you have two options:
  1. Enter group Object IDs (UUIDs) in Barndoor’s role mapping configuration instead of group names. They’re stable per-group, just ugly.
  2. Use Emit groups as role claims (Step 3) which sends groups under the roles claim — Barndoor handles both.

Troubleshooting

Cause: The Issuer URL in Barndoor doesn’t exactly match the iss claim Entra stamped into the token.Fix: Ensure the Issuer URL is https://sts.windows.net/<tenant-id>/ — including the trailing slash. The login.microsoftonline.com/<tenant-id>/v2.0 URL from Entra’s metadata document is not the issuer; only use it for auto-filling the discovery endpoints. See Step 9.
Common causes:
  • The email claim isn’t in the ID token. Re-check Step 2 and confirm essential: true is set in the manifest under idToken only (Step 4).
  • The user signing in doesn’t have an email attribute populated in Entra. Verify on the user’s profile.
Fix: Check Barndoor’s Identity Provider logs for the missing-claim error and reconcile against Steps 2–4.
Cause: Entra ID Free does not honor the cloud_displayname additional property — it’s a paid-tier feature.Fix: Either upgrade to Entra ID P1+, configure Barndoor role mapping against Object IDs, or switch the groups claim to emit as roles (Step 3).
Cause: Most likely the Entra client secret expired. Entra caps secrets at 24 months and SSO breaks silently the moment they roll over.Fix: Rotate the secret in Certificates & secrets, copy the new Value, and update it in Barndoor’s IdP settings. Set a calendar reminder a few weeks before the next expiration.
Cause: The Redirect URI registered in Entra’s Authentication settings doesn’t exactly match the one Barndoor is sending.Fix: In Barndoor, recopy the Redirect URI from Step 2 of the SSO setup wizard. Paste it into Entra’s Authentication → Web → Redirect URIs. URLs are case- and trailing-slash-sensitive.

Recap

ValueWhere it comes fromWhere it goes
Application (client) IDEntra app → OverviewBarndoor Client ID
Client Secret (Value)Entra app → Certificates & secretsBarndoor Client Secret
https://sts.windows.net/<tenant-id>/Constructed manually (trailing slash!)Barndoor Issuer URL
Authority URL (from Endpoints)Entra app → Overview → EndpointsPasted into Barndoor Issuer field temporarily to auto-discover the other URLs, then overwritten
Redirect URIBarndoor SSO setup → Step 2Entra app → Authentication → Web platform
You’ve now connected Microsoft Entra ID to Barndoor for SSO. Continue to Role Mapping to finish auto-provisioning admins from your Entra groups.