Integration with Entra ID (Azure AD)#

If your company uses Microsoft Entra ID (Azure AD) for identity management, the integration with NVIDIA can be based on OpenID Connect.

../../_images/ovc_azure_ad_overview.png

Using the Entra ID (Azure AD) terminology, the NVIDIA identity federation system is an application registered within your Entra ID (Azure AD) tenant.

App Registration#

Your IT team can create a new app registration in your Entra ID (Azure AD) tenant. For this purpose, from the Entra ID (Azure AD) admin portal:

Follow the App registrations navigation link:

../../_images/ovc_azure_app_registration_1.jpg

Click the New registration button:

../../_images/ovc_azure_app_registration_2.jpg

A good name for the new app registration may be NVIDIA:

../../_images/ovc_azure_app_registration_3.png

Client Credentials#

Once you have registered the new application, follow the Client credentials link to generate a client secret:

../../_images/ovc_azure_client_credentials_1.jpg

Select the longest duration compatible with your organization’s policies (ideally at least two years):

../../_images/ovc_azure_client_credentials_2.jpg

Take note of the secret value for later handover to NVIDIA; the portal displays it only at creation time. The secret id is not used for the integration with NVIDIA.

Redirect URIs#

The NVIDIA identity federation system uses the following two redirect URIs, the first for the integration tests and the second for production:

Follow the Redirect URIs link for the new application registration:

../../_images/ovc_azure_redirect_uris_1.jpg

Click the Add a platform button:

../../_images/ovc_azure_redirect_uris_2.jpg

Select the Web platform option:

../../_images/ovc_azure_redirect_uris_3.png

Add the two redirect URIs listed above. The final result should be as follows:

../../_images/ovc_azure_redirect_uris_4.png

Support for User Groups#

You can share your AD user groups with NVIDIA. This capability is critical for fine-grained user authorization decisions on the NVIDIA side. For example, you can manage access to specific NVIDIA services for your employees by managing their group memberships.

With Entra ID (Azure AD) there are two main options that allow you to share only the groups that are relevant to the cooperation with NVIDIA. The following sections review both options.

Information to Be Provided to NVIDIA#

The following table specifies the information that NVIDIA needs to set up the integration.

Directory (tenant) id
    The identifier of your company in Entra ID (Azure AD).

Application (client) id
    The identifier of the application you have registered for NVIDIA. Refer to the Integration with Azure AD > App Registration section for more details.

Client secret
    The client secret generated for NVIDIA. Refer to the Integration with Azure AD > App Registration section for more details.

List of email domains in use at your company
    NVIDIA will direct all users with those email domains to log in with your identity management system. Refer to the Integration via OpenID Connect > Email Domains section for more details.

Method used to share the user groups
    App roles (preferred) or groups claim.
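As an added example that is not part of NVIDIA's documentation or its federation system, the checks a relying party applies to an ID token from your tenant after signature verification, driven by the handed-over tenant id, application (client) id and group sharing method. The ids and claims are constructed placeholders; the two issuer forms and the `roles`/`groups` claim names are assumed from Entra ID's token format.

```python
"""Relying-party checks on an Entra ID (Azure AD) ID token for this integration.

Assumes the token signature was already verified against the tenant's signing
keys by the OIDC library in use; only the claims that bind the token to the
handed-over tenant id and application (client) id are checked here.
"""
import time

# Constructed placeholder values standing in for the handed-over information.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


def validate_claims(claims, tenant_id, client_id, group_method, now=None):
    """Return the shared roles/groups if the claims are acceptable; raise otherwise."""
    now = time.time() if now is None else now
    # Issuer forms used by the v2.0 and v1.0 Entra ID endpoints for this tenant.
    issuers = {f"https://login.microsoftonline.com/{tenant_id}/v2.0",
               f"https://sts.windows.net/{tenant_id}/"}
    if claims.get("iss") not in issuers:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    if claims.get("tid") != tenant_id:
        raise ValueError("token was not issued by the expected tenant")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued for the registered application")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token has expired")
    if group_method == "app_roles":        # app roles arrive in the "roles" claim
        return list(claims.get("roles", []))
    if group_method == "groups_claim":     # group object ids arrive in "groups"
        if "groups" in claims.get("_claim_names", {}):
            # Overage: the list was omitted and must be read from Microsoft Graph.
            raise ValueError("groups overage, query Microsoft Graph for memberships")
        return list(claims.get("groups", []))
    raise ValueError(f"unknown group sharing method {group_method!r}")


# Constructed sample claims, as they look after signature verification.
SAMPLE_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "aud": CLIENT_ID,
    "tid": TENANT_ID,
    "exp": 1_700_003_600,
    "roles": ["NVIDIA.ServiceUser"],
    "groups": ["99999999-8888-7777-6666-555555555555"],
}
```

A mismatch on any of the three handed-over values rejects the token, which is why the tenant id and client id must be copied exactly from the app registration.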