The base URL of the user store API, which is concatenated with the user endpoints defined below.

The name of the user realm in Keycloak. It can be used as a tag in the URLs of the endpoints.

privacyIDEA Attribute | User Store Attribute
{{ piAttribute }}

The left column defines the user attributes used in privacyIDEA, and the right column the equivalent attribute in the user store.

User Store Attribute | Group Attribute in Entra ID

HTTP Method

Endpoint with possible tags: {{ tag }}

User groups are retrieved in a separate request and stored under the privacyIDEA attribute "groups". Retrieve the user's groups via the memberOf user attribute and store them under the privacyIDEA attribute "groups".

If no custom headers are defined, this header is used for all endpoints.

The user data in this user store can be modified from within privacyIDEA.

Verify the TLS certificate of the server.

Time in seconds that privacyIDEA waits when trying to reach the user store server before giving up.

Authorization

This section allows you to configure an endpoint against which the privacyIDEA server must authenticate in order to receive an access token. This token is then used to access the user store API.

You can find most of these settings in the app registration in the Entra Admin Center, or you may have to add them there first.

This credential type does not support checking the user's password.

Specify the path to the private key file of the server's certificate. If the key is encrypted, enter its password here; otherwise leave the field empty. The server certificate must be uploaded in Entra's app registration as a client credential.

{{ name }}

Configure the endpoint used to authenticate the user with their username/userid and password.

Configure the endpoint used to retrieve a list of users from the user store. The attributes defined above are added to the request as search parameters if they are present in the request.

Configure the endpoint used to retrieve a single user by UID. For example, privacyIDEA stores only the UID of the token owner; this endpoint is used to resolve the complete user.

Configure the endpoint used to retrieve a single user by username. For example, when a user tries to authenticate against privacyIDEA, only the username is provided; this endpoint is used to resolve the complete user and to check whether the user exists.

Configure the endpoint used to create a new user in the user store. The attributes defined above can be set in the UI and are added to the request body. Additionally, you can define a password, which must be referenced in the request mapping using the tag "{password}".

Configure the endpoint used to edit an existing user in the user store. The attributes defined above can be set in the UI and are added to the request body. Additionally, you can define custom request parameters in the request mapping.

Configure the endpoint used to delete an existing user from the user store.