Configuring the web.config file for Microsoft Entra ID
This topic describes the settings added in the web.config file for Microsoft Entra / OIDC. These can be found in the <appsettings> section.
Property
Description
Default value
ida:Enabled
Determines if Microsoft Entra ID/OIDC is enabled or not. If this is set to false, then the following settings are not required.
ida:TenandId
This is a mandatory property. The value specified here is to be used for Entra login and OIDC Bearer Tokens.
This value is used in any URI that requires a [tenant ID].
ida:CliendId
This is a mandatory property. The client ID is associated with the current Web Interface instance. The value specified here is to be used for Entra login and OIDC Bearer tokens.
This value is used in any URI that requires a [client ID].
ida:ClockSkew
Determines the minutes allowed Clock Skew when validating Bearer tokens, this allows a grace period of minutes to allow for date/time variations. This value is required for Entra login and OIDC bearer tokens.
(Clock skew is the time difference between two clocks that should be synchronized).
5
ida:Discovery
URI used for Discovery of Services, specifically Signing keys when validating users. This value is required for Entra login and OIDC bearer tokens.
https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration
ida:AuthorizationEndPoint
This is the URI the user is directed to for authorization. This value is required for Entra login.
https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize
ida:TokenEndPoint
URI required for clients to obtain tokens.
https://login.microsoftonline.com/{tenant-id}/oauth/v2.0/token
ida:Scopes
Determines scope checking for Bearer Tokens only. When scopes are defined, at least one scope must match. If no scopes are defined, scope checking is disabled and will be shown in status.log as:
ida:Scopes Configured: 0 (Scope checking will be disabled)
Contains the following two values:
user_impersonation
WINDCHILL_READ
ida:SignInScopes
Scopes sent when Sign in with Entra is made.
openid profile email.
ida:Audiences
Determines the Audience used for validation.
This value is required for Entra Login and OIDC Bearer Tokens.
Contains the following two values
[client ID]
https://database.windows.net
ida:Issuers
Determines the Issuer used for validation
This value is required for Microsoft Entra ID Login and OIDC Bearer Tokens
Contains the following two values
https://sts.windows.net/{tenant-id}/
https://login.microsoftonline.com/{tenant-id}/v2.0
ida:TrustedClientIds
Define which clients are trusted by the Web Interface REST API and OSLC. This can be used to provide access to a limited number of trusted clients. The clients are separated by a space. If no values are set, then all clients are trusted. If the values is empty, then the status.log file entry reads:
ida:TrustedClientIds Configured: 0 (All Clients will be trusted)
Note that this setting affects only those requests by clients with OIDC Bearer tokens.
* 
Web Interface should only be configured with either Microsoft Entra ID or PingFederate for Single Sign-On, not both.
Was this helpful?