Microsoft Entra ID Multi-Tenant Identity Provider

Hello all,

I am attempting to set up MS Entra ID as an OIDC Identity Provider in Ignition 8.1.37 for a client.

When the MS Entra ID application is configured as single tenant, everything works fine, but only users from the client's MS tenant can authenticate with SSO.

The client would like to allow users in other MS tenants to be able to request access (for limited customer access without having to add additional user accounts to their own tenant).

I modified the Entra ID application to allow access from any organizational tenant (work/school account) and updated the OIDC manifest in Ignition.

After I made those changes, no logins would work, not even from the client's own tenant (with accounts that were testing successfully under single tenant).

I believe this is due to the Issuer field having a variable {tenant ID} in the URL. Since any tenant could be requesting access, the tenant ID is not known until the login flow is complete.

The error logs show an invalid claim: the issuer value "https://login.microsoftonline.com//2.0" does not match "https://login.microsoftonline.com/{tenantid}/2.0".

Is there a way to use expressions or scripting to substitute the expected {tenantid} with the actual value from the IdP response?
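As an added illustration (example code, not Ignition's or Microsoft's own mechanism), this is the substitution the post asks about done on the relying-party side in Python: fill the issuer template with the token's own tid claim, compare it to iss, and optionally restrict which tenants are accepted. The tenant GUIDs and claim sets below are constructed sample values; the empty-tid case reproduces the "//2.0" issuer seen in the post's logs.

```python
import uuid
from typing import Optional

# Issuer template from the multi-tenant Entra ID OIDC metadata quoted in the post.
ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tenantid}/2.0"


def expected_issuer(tenant_id: str) -> str:
    """Substitute a tenant GUID into the template.

    Rejects empty or non-GUID values, so an absent tid can never yield the
    'https://login.microsoftonline.com//2.0' string from the post's error log.
    """
    try:
        tid = str(uuid.UUID(tenant_id))  # normalises to lowercase hyphenated form
    except (ValueError, TypeError, AttributeError):
        raise ValueError("tid claim missing or not a GUID")
    return ISSUER_TEMPLATE.replace("{tenantid}", tid)


def validate_issuer(claims: dict, allowed_tenants: Optional[set] = None) -> bool:
    """Return True only if iss equals the template filled with this token's tid.

    With allowed_tenants=None any organisational tenant is trusted (the
    'any work/school account' setting); pass a set of GUIDs to limit which
    tenants may sign in even though the app itself is multi-tenant.
    """
    tid, iss = claims.get("tid"), claims.get("iss")
    if not tid or not iss:
        return False
    try:
        if iss != expected_issuer(tid):
            return False  # iss belongs to a different tenant than tid claims
    except ValueError:
        return False
    if allowed_tenants is not None:
        return tid.lower() in {t.lower() for t in allowed_tenants}
    return True


# Constructed sample tokens: the client's own tenant, a partner tenant,
# and the failing case from the post where no tenant ID was substituted.
TENANT_A = "11111111-2222-3333-4444-555555555555"
TENANT_B = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_CLAIMS = {
    "own_tenant": {"iss": ISSUER_TEMPLATE.replace("{tenantid}", TENANT_A), "tid": TENANT_A},
    "partner_tenant": {"iss": ISSUER_TEMPLATE.replace("{tenantid}", TENANT_B), "tid": TENANT_B},
    "empty_tid": {"iss": "https://login.microsoftonline.com//2.0", "tid": ""},
}
```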