OAuth setup with Entra ID

1. Register an Application in Microsoft Entra ID

Note: we start with the setup in Azure Entra ID.

  1. Go to Azure Portal > Microsoft Entra ID > App registrations
  2. Click New registration
  3. Configure:
    1. Name (example): Collibra Integration
    2. Supported account types: usually Single tenant
  4. After creation:
    1. Save the Application (client) ID
    2. Save the Directory (tenant) ID

More detailed instructions are available in the official Microsoft documentation.

 

2. Configure API Permissions of the Application

  1. Go to API Permissions in the left panel
  2. Add:
    1. User.Read (required)
    2. openid profile offline_access (optional)
  3. Click Grant admin consent

 

3. Retrieve OpenID Configuration from the Overview of the Application

Copy the Entra well-known endpoint:

 

https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration

 

Or:

 

Go to Overview > Endpoints

Copy and open the link from the OpenID Connect metadata document


From this JSON, extract:

  • jwks_uri → used in Collibra
  • issuer → used in Collibra


4. Map Values to Collibra Configuration

Note: Collibra is configured through the Collibra Console.

 

1. Open Collibra console: https://console-{company-domain}.collibra.com

2. Select your environment > Data Governance Center > Configuration > Security configuration > JWT


The following properties should be mapped (Collibra JWT property name, where the value comes from in Entra ID, an example, and a comment):

JSON Web Key Set URL
  From Entra ID: jwks_uri (from the well-known endpoint)
  Example: https://login.microsoftonline.com/{tenant-id}/discovery/v2.0/keys

JWT Token Types
  From Entra ID: at+jwt,jwt
  Comment: Keep Collibra's default value (unless the token configuration in Entra ID has been changed)

JWT Algorithms
  From Entra ID: RS256
  Comment: Leave it blank (unless the token configuration in Entra ID has been changed)

JWT Issuer
  From Entra ID: issuer (from the well-known endpoint)
  Example: https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token

JWT Audience
  From Entra ID: the audience claim of an access token issued for the Entra ID application
  Comment: To determine the JWT Audience, retrieve an access token from Microsoft Entra ID and decode it (for example, using jwt.io or Postman). Use the value of the audience claim from the token. Note: in some configurations the Application ID URI may not be defined. In such cases the audience is determined by the resource requested during token generation, so decoding the token is the only reliable method.

JWT Principal ID Claim Name
  From Entra ID: one of the supported values from claims_supported (from the well-known endpoint)
  Example: preferred_username
  Comment: Ensure a Collibra internal user exists; the username must match this claim value.

JWT Maximum Clock Skew
  Comment: Leave it blank
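The mapping from sections 3 and 4 carried out in code, as an added example that is neither Collibra's nor Microsoft's: it reads jwks_uri, issuer and claims_supported from a constructed openid-configuration document, decodes a constructed access token (unverified, as jwt.io does) to obtain the audience, and checks that the token's iss matches the metadata issuer and that the chosen principal claim is both advertised and present. TENANT-ID, the client ID and the username are placeholders.

```python
import base64
import json

# Constructed sample of an Entra ID openid-configuration document, trimmed to the
# fields this page uses; a real one is fetched from the tenant's well-known endpoint.
SAMPLE_METADATA = {
    "issuer": "https://login.microsoftonline.com/TENANT-ID/v2.0",
    "jwks_uri": "https://login.microsoftonline.com/TENANT-ID/discovery/v2.0/keys",
    "claims_supported": ["sub", "iss", "aud", "exp", "name", "preferred_username", "email"],
}

def b64url(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_payload(token: str) -> dict:
    # Reads the claims WITHOUT verifying the signature: an inspection step for
    # filling in the Collibra form. Collibra verifies signatures via the JWKS at runtime.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (header.payload.signature)")
    return json.loads(b64url(parts[1]))

def make_sample_token(claims: dict) -> str:
    # Builds a constructed demo token with a placeholder (invalid) signature.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"typ": "JWT", "alg": "RS256"}), enc(claims), enc("sig")])

def collibra_jwt_settings(metadata: dict, token: str, principal_claim: str = "preferred_username") -> dict:
    # Maps the well-known document plus a decoded token onto Collibra's JWT properties.
    claims = decode_jwt_payload(token)
    if claims.get("iss") != metadata["issuer"]:
        raise ValueError("token iss %r != metadata issuer (wrong tenant or endpoint version)" % claims.get("iss"))
    if principal_claim not in metadata["claims_supported"] or principal_claim not in claims:
        raise ValueError("%r is not in claims_supported or absent from the token" % principal_claim)
    if "aud" not in claims:
        raise ValueError("no aud claim: request the token for the Collibra application")
    return {
        "JSON Web Key Set URL": metadata["jwks_uri"],
        "JWT Token Types": "at+jwt,jwt",  # Collibra default; keep unless Entra token config changed
        "JWT Algorithms": "",             # leave blank unless Entra token config changed
        "JWT Issuer": metadata["issuer"],
        "JWT Audience": claims["aud"],    # the decoded token is the only reliable source
        "JWT Principal ID Claim Name": principal_claim,  # Collibra username must match it
        "JWT Maximum Clock Skew": "",
    }
```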