Integration with Entra ID (Azure AD)#
If your company uses Microsoft Entra ID (Azure AD) for identity management, the integration with NVIDIA can be based on OpenID Connect.
Using the Entra ID (Azure AD) terminology, the NVIDIA identity federation system is an application registered within your Entra ID (Azure AD) tenant.
App Registration#
Your IT team can create a new app registration in your Entra ID (Azure AD) tenant. For this purpose, from the Entra ID (Azure AD) admin portal:
Follow the App registrations navigation link:
Click the New registration button:
A good name for the new app registration may be NVIDIA:
Client Credentials#
Once you have registered the new application, follow the Client credentials link to generate a client secret:
Select the longest duration compatible with your organization's policies, ideally two years (the maximum Entra ID allows for a secret created in the portal), and record the expiry date: when the secret expires, logins through the federation stop working, so schedule a rotation and handover of a new secret before that date:
Take note of the secret value for later handover to NVIDIA; it is shown only once, and it should be transferred over a secure channel rather than by plain email. The secret id does not have any use for the integration with NVIDIA.
Redirect URIs#
The NVIDIA identity federation system uses the following two redirect URIs, the first for the integration tests and the second for production:
Follow the Redirect URIs link for the new application registration:
Click the Add a platform button:
Select the Web platform option:
Add the two redirect URIs listed above. The final result should be as follows:
Support for User Groups#
You can share your Entra ID (Azure AD) user groups with NVIDIA. This capability is critical to enable fine-grained user authorization decisions on the NVIDIA side. For example, you can manage access to specific NVIDIA services for your employees by managing their group memberships.
With Entra ID (Azure AD) there are two main options that allow you to share only the groups that are relevant for the cooperation with NVIDIA, rather than every group a user belongs to. The following sections review both options.
Option 1 - Use App Roles (Recommended)#
As part of the properties of the application you have registered for NVIDIA, you can create one or more app roles:
Click App Roles:
Click Create app role:
Each app role has a display name and a value. The display name is for your own reference. The value is what Entra ID (Azure AD) places in the roles claim of the ID token, so it is the string shared with NVIDIA. In general, it may be a good choice to keep the two strings identical. For example:
Once you have created the app roles that you want to use with NVIDIA, you can go back to the top level of your Entra ID (Azure AD) admin console and click the Enterprise applications button:
Select the enterprise application that matches the application you have registered for NVIDIA, click the Users and groups button:
Click Add user/group:
The resulting dialog box allows you to assign any user and/or group to any of the app roles you have created for NVIDIA.
In this manner, the way you manage your assignment is totally invisible to NVIDIA. Moreover, you are in complete control of the app role values shared with NVIDIA.
Option 2 - Add the Groups Claim to the ID Token#
As part of the properties of the application that you have registered for NVIDIA, you can choose to configure the tokens and then opt to add the groups claim to the id tokens:
In the configuration details, select the option to emit only the groups assigned to the application, so that groups unrelated to NVIDIA are never included in the token:
With this solution, only the group object identifiers (GUIDs) are shared with NVIDIA, not the group names: the groups claim is arranged as an array of group identifiers.
Although this approach is technically correct, the coordination with NVIDIA with respect to what each group id represents is somewhat impractical and error prone, since every group has to be mapped to its meaning out of band and re-mapped whenever a group is recreated. For this reason, whenever possible, we recommend the use of app roles described in the previous section.
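To make the difference between the two options concrete, the following added example (not NVIDIA's code, and not part of the original page) decodes an ID token payload and maps what the tenant emits to NVIDIA-side entitlements: app roles arrive as role values in the roles claim, groups arrive as object ids in the groups claim, and a user in more groups than fit in the token gets a groups overage marker instead of the claim. The role values, service names, GUIDs and sample payloads are constructed for this example; the tokens it builds are unsigned and for local inspection only.

```python
import base64
import json

# Which NVIDIA-side entitlements an app role value (Option 1) or a group
# object id (Option 2) grants. Role values, service names and the GUID are
# constructed for this example; real ones come from your tenant and from the
# agreement with NVIDIA.
ROLE_POLICY = {
    "NVIDIA.Service.Users": {"service-a"},
    "NVIDIA.Admins": {"service-a", "admin-console"},
}
GROUP_POLICY = {
    "8f4e2c1a-0000-4000-8000-0000000000aa": {"service-a"},
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned (alg=none) token to use as sample input.

    A real Entra ID token is signed with RS256; a relying party must never
    accept alg=none. This helper exists only to fabricate local test data."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT WITHOUT verifying its signature.

    Good enough to look at what your tenant emits during integration tests.
    A relying party must verify the signature against the tenant's JWKS and
    check iss, aud and exp before acting on any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def entitlements(claims: dict) -> set:
    """Map ID token claims to NVIDIA-side entitlements.

    Option 1 (app roles) arrives in the `roles` claim as the role values
    configured on the app registration. Option 2 arrives in the `groups`
    claim as group object ids. When a user is in more groups than fit in the
    token (200 for a JWT), Entra ID omits `groups` and emits
    `_claim_names`/`_claim_sources` pointing at Microsoft Graph instead; that
    overage must be treated as "unknown", not as "no groups"."""
    if "groups" in claims.get("_claim_names", {}):
        raise ValueError("groups overage: memberships must be fetched from Graph")
    granted = set()
    for role in claims.get("roles", []):
        granted |= ROLE_POLICY.get(role, set())  # unknown role values grant nothing
    for gid in claims.get("groups", []):
        granted |= GROUP_POLICY.get(gid, set())  # unknown group ids grant nothing
    return granted


# Constructed sample payloads: the claims Entra ID would put in the ID token
# (iss, aud, exp and the other standard claims are omitted for brevity).
OPTION1_PAYLOAD = {"preferred_username": "alice@example.com",
                   "roles": ["NVIDIA.Admins"]}
OPTION2_PAYLOAD = {"preferred_username": "bob@example.com",
                   "groups": ["8f4e2c1a-0000-4000-8000-0000000000aa"]}
OVERAGE_PAYLOAD = {"preferred_username": "carol@example.com",
                   "_claim_names": {"groups": "src1"},
                   "_claim_sources": {"src1": {"endpoint": "https://graph.microsoft.com/v1.0/users/1b2c3d4e-0000-4000-8000-0000000000bb/getMemberObjects"}}}


if __name__ == "__main__":
    for payload in (OPTION1_PAYLOAD, OPTION2_PAYLOAD, OVERAGE_PAYLOAD):
        claims = decode_jwt_payload(make_unsigned_token(payload))
        try:
            print(claims["preferred_username"], "->", sorted(entitlements(claims)))
        except ValueError as err:
            print(claims["preferred_username"], "->", err)
```

During integration testing, paste the payload of a real ID token from your tenant into decode_jwt_payload to confirm that the roles claim (Option 1) or the groups claim (Option 2) contains exactly the values you intend to share and nothing else.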
Information to Be Provided to NVIDIA#
The following table specifies the information that NVIDIA needs to set up the integration.
| Info | Comments |
|---|---|
| Directory (tenant) id | The identifier of your company in Entra ID (Azure AD). |
| Application (client) id | The identifier of the application you have registered for NVIDIA. Refer to the Integration with Azure AD > App Registration section for more details. |
| Client secret | The client secret value generated for NVIDIA, together with its expiry date. Refer to the Integration with Azure AD > Client Credentials section for more details. |
| List of email domains in use at your company | NVIDIA will direct all the users with those email domains to log in with your identity management system. Refer to the Integration via OpenID Connect > Email Domains section for more details. |
| Method used to share the user groups | App roles (preferred) or groups claim, together with the meaning of each app role value or group id. |