Microsoft Entra ID SSO Setup

Documentation explaining how to configure Microsoft Entra ID Single Sign-On (SSO) with Cetec ERP using OpenID Connect (OIDC), including application registration, authentication setup, client secrets, and GCC High configuration considerations.

May 15 2026

Steps to Set Up OIDC App in Entra or Azure GCC High

REGISTER THE APPLICATION

  1. Sign in to the Microsoft Entra admin center using a GCC High account.
  2. Navigate to: Identity » Applications » App registrations
  3. Click: New registration
  4. Enter a name, select the supported account types (typically Single Tenant for GCC High), and click Register.

CONFIGURE AUTHENTICATION

  1. In the app overview, note the:
    • Application (client) ID
    • Directory (tenant) ID
  2. Navigate to: Authentication » Add a platform » Web
  3. Enter the redirect URI from your OIDC application: https://your_domain.cetecerp.com/goapis/api/v1/auth/ping/callback
  4. Under Implicit grant and hybrid flows, select ID tokens if required by your application.

CREATE CLIENT SECRET

  1. Navigate to: Certificates & secrets » New client secret
  2. Add a description and expiration, then click Add.
  3. Copy the secret value immediately, as it will not be shown again.

OBTAIN ENDPOINTS

  1. Navigate back to the Overview page and click Endpoints.
  2. Copy the OpenID Connect metadata document URL.
  3. This URL is needed to configure your application's OIDC connection.

Steps to Set Up OIDC SSO in Cetec ERP

CONFIGURE CETEC ERP SSO SETTINGS

  1. Navigate to: Admin » Config Settings » Config Setting
  2. Search: sso
  3. Configure the following settings:
    1. Oidc Sso Enforcement = 1 (recommended for setup) or 2 (SSO mandated with no local auth fallback)
    2. Oidc Sso Provider = entra_id or entra_id_gcchigh
    3. Oidc Sso Environment Id = Directory (tenant) ID
    4. Oidc Sso Client Id = Application (client) ID
    5. Oidc Sso Client Secret = Client Secret Value
    6. Oidc Sso Discovery Url = OpenID Connect metadata document

USER MATCHING CONSIDERATIONS

For a user to be picked up automatically, either their email must be set on their profile or their username must match.


Additional Key GCC High Considerations

ENDPOINTS

Ensure all URLs use login.microsoftonline.us rather than the public login.microsoftonline.com.

METADATA

The configuration metadata URL follows the format: https://login.microsoftonline.us/<Tenant ID>/v2.0/.well-known/openid-configuration

AUTHORITY

The issuer authority should be https://login.microsoftonline.us/<Tenant ID>.
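
A pre-flight check for the three GCC High points above (endpoints, metadata URL, authority), added here as an example; it is not code from Cetec ERP or Microsoft. The function names are hypothetical, the tenant ID and metadata document are constructed samples, and limiting the host check to these four standard OIDC metadata fields is an assumption.

```python
from urllib.parse import urlsplit

GCC_HIGH_HOST = "login.microsoftonline.us"  # host the page requires for GCC High
# Standard OIDC discovery fields; assumed here to be the ones served from the sign-in host.
LOGIN_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
WELL_KNOWN = "/v2.0/.well-known/openid-configuration"


def check_discovery_url(url, tenant_id):
    """Problems with the value entered as Oidc Sso Discovery Url."""
    parts, problems = urlsplit(url), []
    if parts.scheme != "https":
        problems.append("discovery URL is not https")
    if parts.hostname != GCC_HIGH_HOST:
        problems.append(f"discovery URL host is {parts.hostname}, expected {GCC_HIGH_HOST}")
    if parts.path != f"/{tenant_id}{WELL_KNOWN}":
        problems.append(f"discovery URL path is not /<Tenant ID>{WELL_KNOWN}")
    return problems


def check_metadata(metadata, tenant_id):
    """Problems with an already-downloaded metadata document (a dict)."""
    problems = []
    for field in LOGIN_FIELDS:
        parts = urlsplit(metadata.get(field) or "")
        if parts.scheme != "https" or parts.hostname != GCC_HIGH_HOST:
            problems.append(f"{field} is not on https://{GCC_HIGH_HOST}")
    # The issuer must sit under the authority https://login.microsoftonline.us/<Tenant ID>.
    authority = f"https://{GCC_HIGH_HOST}/{tenant_id}"
    issuer = metadata.get("issuer") or ""
    if issuer != authority and not issuer.startswith(authority + "/"):
        problems.append(f"issuer is not under {authority}")
    return problems


# Constructed sample data: placeholder tenant ID and a trimmed metadata document.
TENANT = "00000000-0000-0000-0000-000000000000"
BASE = f"https://{GCC_HIGH_HOST}/{TENANT}"
GOOD = {
    "issuer": f"{BASE}/v2.0",
    "authorization_endpoint": f"{BASE}/oauth2/v2.0/authorize",
    "token_endpoint": f"{BASE}/oauth2/v2.0/token",
    "jwks_uri": f"{BASE}/discovery/v2.0/keys",
}
# Same document with one endpoint left on the public cloud host.
MIXED = dict(GOOD, token_endpoint=f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token")

if __name__ == "__main__":
    print(check_discovery_url(f"{BASE}{WELL_KNOWN}", TENANT))
    print(check_metadata(GOOD, TENANT))
    print(check_metadata(MIXED, TENANT))
```

An empty list means the value is consistent with the GCC High requirements; run it against the metadata document copied from the Endpoints page before setting Oidc Sso Enforcement to 2.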