OIDC Management Login
Entra ID Administrator Access
Reference: https://docs.pexip.com/admin/managing_admin_oidc.htm
Microsoft Entra ID configuration
- Access Microsoft Entra Privileged Identity Management and navigate to Tasks > My Roles in the blade.
- From the My Roles screen, access Activate > Microsoft Entra Roles from the blade.
- Activate the Application Administrator role.
- This will trigger an MFA validation.
- Navigate to Microsoft Entra ID.
- Select Manage > App registrations.
Under All Applications are the Pexip-related application registrations. These allow Pexip to be configured to access Entra as an identity provider.
Within each is a Client Secret entitled “Pexip Administration OICD client secret” which contains the secret value configured in the Pexip management interface.
| Application Name | Application (Client) ID |
|---|---|
| Verify-by-Video Platform - Test - Pexip Administration OICD | 33758b54-a9cb-48ef-a363-5aaf10888f80 |
| Verify-by-Video Platform - Prod - Pexip Administration OICD | 849cca37-34d6-42d9-bb7d-4d8592b385c5 |
Pexip OpenID Connect configuration
Administrator Authentication setup
The Authentication source is currently set to OpenID Connect service, which requires a correct OpenID Connect configuration. If a configuration change carries any risk of interfering with connectivity between Entra ID and Pexip, administrators can temporarily change this to Local Database and use the same username and password combination that was in use before v35 introduced OIDC administrator login. That username and password are stored in the kvlt-maxconf-test (for Test) or kvlt-maxconf-prod (for Production) Azure Key Vault as the secrets named pexip-user and pexip-pass.
Local Database should be disabled when not in use, and OpenID Connect service left as the only authentication option to ensure that Pexip access cannot be illegitimately granted without our corporate Entra ID service having first been compromised.
In the Pexip management web application, the OpenID Connect configuration section under Users & Devices > Administrator Authentication has the values for their respective app registration configured according to the Pexip documentation.
| OpenID Connect configuration field | Value |
|---|---|
| Metadata URL | the OpenID Connect metadata document value taken from the Endpoints panel in the App registration overview. |
| Client ID | the Application (client) ID from the App registration overview. |
| Authentication method | Client secret |
| Client secret | As configured under Manage > Certificates & secrets, per Pexip’s documentation |
| Scope | openid email profile GroupMember.Read.All offline_access |
| Username field | preferred_username |
| Groups field | groups |
| Required key | (empty) |
| Required value | (empty) |
| Login button text | (empty) |
Administrative Role Mappings
First, an administrator role called “Read-write” must exist under Users & Devices > Administrator Roles. It should be granted all available permissions.
Next, in Users & Devices > Role Mapping we map an Entra ID group to a role in Pexip, so that users who log in via OIDC and belong to that group inherit the complete set of administrative permissions provided by the role created in the previous step.
The Entra ID group used to configure Pexip (found in Azure under Microsoft Entra ID > Groups) is:
- Name: Azure Roles - Maximus Conferencing Developers
- Object ID: d48429bd-9f2a-47a2-a410-993f2a37876b
The role mapping in Pexip has the following configuration:
| Role Mapping field | Value |
|---|---|
| Name | Azure Roles - Maximus Conferencing Developers |
| Source | OpenID Connect |
| Value | d48429bd-9f2a-47a2-a410-993f2a37876b |
| Roles | Read-write |
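As an added example (not Pexip's own code and not taken from the configuration screens above), the following Python models how the Administrator Authentication fields (Username field, Groups field, Required key and Required value) together with this role mapping turn already-verified ID-token claims into a Pexip username and set of roles. The group Object ID and the Read-write role are the page's values; the claim dictionaries are constructed samples. It also handles the Entra ID groups-overage case, where a user belongs to more groups than fit in the token and Entra ID emits `_claim_names`/`_claim_sources` instead of `groups`, which is the situation the `GroupMember.Read.All` scope on this page exists to resolve through Microsoft Graph.

```python
"""Model of the Pexip-side OIDC administrator login decision described on this page.

Added example, not Pexip's code. Token signature, issuer, audience and expiry
checks are assumed to have been done by the OIDC client before the claims reach
this function; only the documented field and role mapping is modelled here.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Field names from the OpenID Connect configuration table on this page.
USERNAME_FIELD = "preferred_username"
GROUPS_FIELD = "groups"

# Role mapping from this page: Entra ID group Object ID -> Pexip role(s).
ROLE_MAPPINGS: Dict[str, Set[str]] = {
    # Azure Roles - Maximus Conferencing Developers
    "d48429bd-9f2a-47a2-a410-993f2a37876b": {"Read-write"},
}


@dataclass
class LoginDecision:
    allowed: bool
    username: Optional[str] = None
    roles: Set[str] = field(default_factory=set)
    reason: str = ""


def map_claims_to_roles(
    claims: dict,
    mappings: Dict[str, Set[str]] = ROLE_MAPPINGS,
    required_key: str = "",      # empty on this page, i.e. no extra claim gate
    required_value: str = "",
) -> LoginDecision:
    """Return whether the claims yield an admin login, and with which roles."""
    username = claims.get(USERNAME_FIELD)
    if not username:
        return LoginDecision(False, reason=f"missing {USERNAME_FIELD} claim")

    # Optional gate: when a Required key is configured, that claim must equal
    # the Required value exactly or the login is refused.
    if required_key and claims.get(required_key) != required_value:
        return LoginDecision(False, username, reason=f"{required_key} != {required_value!r}")

    groups = claims.get(GROUPS_FIELD)
    if groups is None:
        # Entra ID groups overage: the groups claim is omitted and advertised in
        # _claim_names instead, so group membership must be read from Graph.
        if GROUPS_FIELD in claims.get("_claim_names", {}):
            return LoginDecision(False, username, reason="groups overage: resolve groups via Graph")
        return LoginDecision(False, username, reason=f"missing {GROUPS_FIELD} claim")

    # Union of every role mapped to any group Object ID present in the token.
    roles: Set[str] = set()
    for group_id in groups:
        roles |= mappings.get(group_id, set())
    if not roles:
        return LoginDecision(False, username, reason="no mapped group in token")
    return LoginDecision(True, username, roles)


# Constructed sample claim sets (not real tokens).
DEVELOPER_CLAIMS = {
    "preferred_username": "admin@example.com",
    "groups": [
        "d48429bd-9f2a-47a2-a410-993f2a37876b",   # mapped group from this page
        "00000000-0000-0000-0000-000000000001",   # placeholder unmapped group
    ],
}
OUTSIDER_CLAIMS = {
    "preferred_username": "guest@example.com",
    "groups": ["00000000-0000-0000-0000-000000000001"],
}
OVERAGE_CLAIMS = {
    "preferred_username": "busy@example.com",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.example.invalid/placeholder"}},
}

if __name__ == "__main__":
    for label, claims in [("developer", DEVELOPER_CLAIMS), ("outsider", OUTSIDER_CLAIMS), ("overage", OVERAGE_CLAIMS)]:
        print(label, map_claims_to_roles(claims))
```

Running the block shows the mapped group granting Read-write, an unmapped user being refused (Pexip grants no access when no role maps), and the overage token being flagged rather than silently treated as "no groups". The last case is the one to watch when a group is added to a heavily-entitled account: the user still appears in the group in Entra ID, but the token alone no longer proves it.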