Adding the SNS application to your Microsoft Entra ID tenant

Log in to the Microsoft Entra ID administration center, then access the Identity > Applications > Application registrations menu.

Creating the SNS application in the Microsoft Entra ID tenant

  1. Go to Identity > Applications > Application registrations.
  2. Click on New registration.
  3. Name the application (e.g., SNS Connector).
  4. Under Supported account types, select Accounts in this organization directory only.
  5. For the redirect URI, select Web as the type and enter a first redirect URI in one of the following forms:
    • Captive portal: https://<firewall_fqdn>/auth/v1/oidc/token/portal
    • SSL VPN: https://<firewall_fqdn>/auth/v1/oidc/token/sslvpn
    • Web administration interface: https://<firewall_fqdn>/auth/v1/oidc/token/webadmin
    • NOTE
      An initial redirect URI must be entered for any new application.
  6. Click on Register.

Adding more redirect URIs to your application (optional)

If you would like to add other redirect URIs to your application in order to access additional services:

  1. In the Databases section, click on the link to Web redirect URIs.
  2. In the Web section, enter the URI in one of the following forms:
    • Captive portal: https://<firewall_fqdn>/auth/v1/oidc/token/portal
    • SSL VPN: https://<firewall_fqdn>/auth/v1/oidc/token/sslvpn
    • Web administration interface: https://<firewall_fqdn>/auth/v1/oidc/token/webadmin
  3. Click on Add a URI to set an additional URI.
  4. Click on Save to confirm your configuration.

Creating a client secret for the application

This operation consists of generating a secret that will be entered on the SNS firewall to allow it to access the application.

  1. In Certificates & secrets > Client secrets tab, click on New client secret.
  2. Enter a description and select an Expiry date for the secret.
    The default value is 6 months (180 days).
  3. Confirm.
    The secret will appear in the list.
  4. IMPORTANT
    Click on the Copy to the clipboard icon next to the value of the secret and keep it until you add it to the Entra ID configuration on the firewall.
    This secret can no longer be displayed once you exit the Microsoft Entra ID module.
    If you forgot to copy the secret before exiting the module, you will need to create a new secret.

Creating an application token containing the necessary claims

When a user authenticates on Microsoft Entra ID, the firewall receives a token containing the user's name, the groups the user belongs to and, optionally, the application roles assigned to the user; the firewall uses this information to determine the user's authorizations.

  1. In the Token configuration menu, click on Add an optional claim.
  2. Select the ID token.
    The list of claims appears.
  3. Select the preferred_username checkbox.
    This makes it possible to include the user's identity information (first and last names) in the token.
  4. Click on Add.
  5. Click on Add a group claim.
  6. Select the Security groups checkbox.
  7. Ensure that the ID associated with this token is set to Group ID.
    This makes it possible for the token to include the list of groups in which the user is a member. Note that for free licenses, this option is restricted to the first 200 groups to which the user belongs.
  8. NOTE
    The number of groups included in the token can be restricted to the groups assigned to the application by selecting the option Groups assigned to the application (recommended for large companies, to avoid exceeding the maximum number of groups a token can carry). This option exists only with a paid P1 license.

Granting administrator consent to the application for the entire tenant

When users connect to Microsoft Entra ID for the first time, they are asked to consent to sharing <preferred_username> information with the application. The administrator of the tenant may give overall consent for all users of the tenant.

  1. In Security > Permissions, click on Grant admin consent for <application_name>.
    A window appears, asking you to accept the permissions.
  2. Click on Accept.

Creating application roles and assigning them to Microsoft Entra ID tenant users (optional)

Application roles can be defined to grant specific access privileges to users.

For example: allowing a user to access the firewall configuration in read-only or read/write mode, allowing a user to sponsor temporary users (more information on the sponsorship feature is available in the SNS user guide), granting users permission to set up SSL VPN tunnels, etc.

There are four default application roles on the firewall:

  • Administrators: access in read/write to the firewall web administration interface.
  • Auditors: access to the firewall web administration interface in read-only mode.
  • Sponsors: permission to sponsor temporary users.
  • SSLVPN users: permission to set up an SSL VPN tunnel with the firewall.

IMPORTANT
If you choose to use application roles for permissions, they must have an identical UID on the Microsoft Entra ID tenant and on the SNS firewall that uses OIDC/Microsoft Entra ID authentication (e.g., SNS.Config.All.Write or SNS.SSLVPN).
The configuration of application roles on the firewall is covered in the section Configuring the firewall for OIDC/Microsoft Entra ID authentication.

  1. Specify the Role display name.
  2. Select the Users/Groups checkbox.
  3. In the Value field, specify the permissions assigned through this role as a sequence of SNS permissions (e.g., SNS.Config.All.Write or SNS.SSLVPN).
  4. Select the checkbox Enable this application role? if you wish to use this role in your Microsoft Entra ID application.
  5. Repeat steps 2 to 7 to create all the desired roles.
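As an added example (not part of the Stormshield documentation or of the firewall's own code), the following Python shows what the firewall has to find in the ID token described in the claims and application-role sections above: it decodes a constructed, unsigned token, reads preferred_username, groups and roles, and flags role values whose UID is not identical to one configured on the firewall, as well as a groups claim that has reached the 200-group cap. The FIREWALL_ROLE_UIDS mapping and all sample values are assumptions made for this example.

```python
import base64
import json

# Constructed sample claims (not a real Entra ID token). A real ID token must have its
# signature verified against the tenant's JWKS and its iss/aud/exp checked first.
SAMPLE_CLAIMS = {
    "preferred_username": "alice@example.com",            # optional claim from step 3
    "groups": ["11111111-2222-3333-4444-555555555555"],   # group claim, emitted as Group IDs
    "roles": ["SNS.SSLVPN", "sns.config.all.write"],      # app roles; second differs in case
}
# Role UIDs as configured on the firewall. Only the two UIDs the page names are real;
# mapping them to the default role names is an assumption for this example.
FIREWALL_ROLE_UIDS = {"SNS.Config.All.Write": "Administrators", "SNS.SSLVPN": "SSLVPN users"}
GROUP_CLAIM_CAP = 200  # free-license cap on groups carried in the token


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed 'alg: none' JWT so the parser sees realistic input."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


def parse_id_token(token: str) -> dict:
    """Return the claim set of a JWT, restoring the base64url padding JWTs strip."""
    _header, payload, _sig = token.split(".")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def evaluate_claims(claims: dict) -> dict:
    """Map ID-token claims to firewall authorizations and report what will not work."""
    report = {"user": claims.get("preferred_username"), "groups": claims.get("groups", []),
              "roles": [], "warnings": []}
    if report["user"] is None:
        report["warnings"].append("preferred_username missing: enable the optional claim")
    if len(report["groups"]) >= GROUP_CLAIM_CAP:
        report["warnings"].append("groups claim at the 200-group cap; membership may be truncated")
    for value in claims.get("roles", []):
        # UIDs must be identical on the tenant and the firewall: no case folding, no trimming.
        if value in FIREWALL_ROLE_UIDS:
            report["roles"].append(FIREWALL_ROLE_UIDS[value])
        else:
            report["warnings"].append(f"role {value!r} has no identical UID on the firewall")
    return report
```

Running `evaluate_claims(parse_id_token(make_unsigned_jwt(SAMPLE_CLAIMS)))` grants only the SSLVPN users role and reports the mis-cased role value, which is exactly the mismatch the IMPORTANT note above warns about.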