Setting up External Authentication

Modified on Tue, 12 Dec 2023 at 05:15 PM

Hopp supports OpenID Connect providers, such as Microsoft Entra ID - formerly known as Azure Active Directory. 

This means that a third option has been added to the Identity Provider setting in the configuration of the Hopp Portal:

  • Form: Application sign-in form
  • Windows: Windows NTLM Negotiation
  • External (new): External OpenID identity provider 

By using an external OpenID Connect identity provider, you centralize user management. This means fewer passwords for users to remember and less administrative overhead for account creation, deletion, and password resets.

When setting up the Hopp Portal to use an external identity provider, there are 2 alternatives. 

Authentication only

The simplest alternative is to use the external provider only to authenticate the user, while users and their roles continue to be created and managed in the Portal.

This alternative is almost identical to the other authentication options (sign-in form or NTLM Negotiation). The only difference is the actual sign-in experience.

Users are created and managed in the Portal.

To use this Authentication only option, set the UserManagement option to 'Portal' in the OpenIdConnect section of the Portal configuration.

Authentication and User management

A more elaborate alternative is to shift the entire management of users out of the Portal and move it to the external provider. The external provider is then in charge of managing users and roles.

This alternative is suitable for larger organizations that already have a centralized infrastructure to manage users. 

When using this alternative, most actions on users in the portal will be disabled because they are managed through your organization's Identity Provider.

Once a user has been authorized for the Portal in the external provider, they can access the Portal. The first time a user accesses the Portal after being authorized, a corresponding user profile is automatically created within MigFx. This streamlines onboarding, as Hopp administrators don't have to manually create accounts for each new user within the portal.

This feature ensures that user profiles in MigFx are always synchronized with your external identity provider, simplifying user management and reducing administrative overhead.

To use this Authentication and User management option, set the UserManagement option to 'External' in the OpenIdConnect section of the Portal configuration.

Configuring the Portal for an External Identity Provider

An external identity provider is configured in the appsettings.json of the Portal. 

This section in the appsettings holds the necessary configuration for the External Provider:

"OpenIdConnect": {
	"ClientId": "(the portal client id registered with the external idp)",
	"ClientSecret": "(the client secret)",
	"Authority": "(the url of the external idp)",

	// Set the UserManagement setting to
	// - "Portal" to manage users and roles in the portal. The external provider is only used for authentication
	// - "External" to defer creation and management of users to the external provider
	"UserManagement": "Portal",

	// Optionally map external roles to the roles defined by Hopp
	"RoleMapping": {
		"admin": "administrator",
		"external_role_2": "operator"
		// ... other mappings
	}
},

Role mapping

When UserManagement is set to 'External', both the Users and their Roles will be managed by the external identity provider.

Hopp operates with these roles:

  • administrator
  • operator
  • manager
  • team
  • external

Normally these roles can be configured, under the same names, for the Portal application in the external identity provider. In that case the RoleMapping section can be deleted or commented out.

If for some reason it is necessary to define other role names in the provider, the RoleMapping section can be used to map those names to the role names used by Hopp.
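As an added example (not Hopp Portal code), the following Python script sanity-checks the OpenIdConnect section described above and shows how the RoleMapping is applied to role names received from the identity provider. The resolution rule in resolve_roles (a name that already matches a Hopp role passes through, RoleMapping translates other names, anything else is dropped) is an assumption drawn from this section, not confirmed Portal behaviour; the sample configuration uses placeholder values.

```python
import json
# Added example (not Hopp Portal code). The role resolution rule in resolve_roles
# is an assumption drawn from the Role mapping section, not confirmed Portal behaviour.
HOPP_ROLES = {"administrator", "operator", "manager", "team", "external"}
REQUIRED_KEYS = ("ClientId", "ClientSecret", "Authority", "UserManagement")

def load_appsettings(text):
    """Parse appsettings.json, dropping the '//' comment lines ASP.NET Core allows."""
    kept = [l for l in text.splitlines() if not l.lstrip().startswith("//")]
    return json.loads("\n".join(kept))

def check_openid_section(cfg):
    """Return the problems found in the OpenIdConnect section (empty list = OK)."""
    oidc = cfg.get("OpenIdConnect")
    if not isinstance(oidc, dict):
        return ["OpenIdConnect section missing"]
    problems = [f"{k} is missing or empty" for k in REQUIRED_KEYS if not oidc.get(k)]
    if oidc.get("UserManagement") not in ("Portal", "External"):
        problems.append("UserManagement must be 'Portal' or 'External'")
    if not str(oidc.get("Authority", "")).startswith("https://"):
        problems.append("Authority should be an https URL")
    for ext, hopp in oidc.get("RoleMapping", {}).items():
        if hopp not in HOPP_ROLES:
            problems.append(f"RoleMapping '{ext}' -> '{hopp}' is not a Hopp role")
    return problems

def resolve_roles(external_roles, role_mapping):
    """Map role names sent by the identity provider onto Hopp roles."""
    resolved = set()
    for role in external_roles:
        if role in HOPP_ROLES:          # already a Hopp role name: pass through
            resolved.add(role)
        elif role in role_mapping:      # translated via RoleMapping
            resolved.add(role_mapping[role])
        # any other role name is ignored rather than granting access
    return resolved

# Constructed sample with placeholder values; the "bad" mapping is deliberate.
SAMPLE = """{
  "OpenIdConnect": {
    // comments are allowed in appsettings.json
    "ClientId": "PLACEHOLDER-CLIENT-ID",
    "ClientSecret": "PLACEHOLDER-SECRET",
    "Authority": "https://login.microsoftonline.com/PLACEHOLDER-TENANT-ID/v2.0",
    "UserManagement": "External",
    "RoleMapping": { "admin": "administrator", "external_role_2": "operator", "bad": "root" }
  }
}"""
```

Running check_openid_section on the sample reports only the deliberate "bad" mapping, which is the kind of misconfiguration worth catching before a user is silently granted an unknown role.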

Example: Microsoft Entra ID Configuration

The Hopp Portal can be configured to use any OpenID Connect external identity provider. Here is an example of how to create a client application in Microsoft Entra ID - formerly known as Azure Active Directory - and configure the Portal to use it.

  • App Registration:
    1. Go to the Azure portal and navigate to "App registrations" to create a new app registration.
    2. Under the "Redirect URI" section, select "Web" as the type.
    3. Set the URL to https://(Portal Url)/external-logincallback

  • Overview:
    1. Under "Overview", copy the Application (client) ID. This will be used as the ClientId in the appsettings.json.
    2. Copy the Directory (tenant) ID and use it to build the Authority in the appsettings.json. For Entra ID, the authority URL is https://login.microsoftonline.com/{Tenant ID}/v2.0

  • Credentials:
    1. Under "Certificates & secrets", generate a new client secret. Copy the "Value" of the secret. This will be used as the ClientSecret in the appsettings.json.

  • Endpoints:
    1. Note the "OAuth 2.0 authorization endpoint (v2)" and "OAuth 2.0 token endpoint (v2)".

  • Roles:
    1. Add roles corresponding to Hopp's internal roles: administrator, operator, manager, team and external.
    2. Note: If the role names in Entra ID do not match Hopp's role names, use the RoleMapping section in the appsettings to map them.

  • Enterprise Application:
    1. In the Azure portal, navigate to "Enterprise Applications" and find the Enterprise Application with the same name as the App Registration just created.
    2. Go to "Users and groups" and assign users and groups to the roles previously created.

Fill the ClientId, ClientSecret, and Authority in appsettings.json with the values obtained from the above steps.
