Configure OpenID Connect apps in Entra

Riot supports signing in to the platform using OpenID Connect. This document describes how to create the necessary applications in Microsoft Entra so that it can be used to sign in.

We will create two applications:

  • The first application “Riot Admin” will allow administrators to connect to https://hub.tryriot.com. This application should only be assigned to Riot administrators.

  • The second application “Riot Employee Portal” will allow all employees to connect to their personal employee portal at https://app.tryriot.com. This application can be assigned to all Entra users.

1️⃣ Configuring the Riot Admin application

Connect to your Microsoft Entra admin center, and in the left menu, go to Entra ID > Enterprise Applications and click on “New application”.

Click “Create your own application”.

  • Name: The name of the application, for example ‘Riot Admin’.

  • What are you looking to do with your application? Integrate any other application you don't find in the gallery (Non-gallery).

Then click on “Create”.

Store “Application ID” (this will be needed later), and then click on “Single sign-on”.

Choose “Linked”.

In the “Sign on URL” field, enter the login URL that is being displayed on Riot and click on “Save”.

Then click on “Users and groups” and choose which users should see the app with “Add user/group”.

Then go to “App registrations” and enter the “Application ID” you saved earlier.

Go to “Authentication” and click on “Add Redirect URI”, then select “Web”.

In “Redirect URI” set https://api.tryriot.com/v2/hub/connect/oidc/callback and click on “Configure”.

Then go to “Certificates & secrets”, click on “New client secret”, fill out the Description field and choose an option in “Expires”. Then click on “Add”.

Once generated, copy “Value” (this will be needed later).

Go to “Overview”, click on “Endpoints” and save the value of “Authority URL (Accounts in this organizational directory only)”.

Go to “Token configuration”, click “Add optional claim”, then:

  • Token type: ID.

  • Select email, family_name, given_name and preferred_username.

Click “Add”.

Check “Turn on the Microsoft Graph email, profile permission (required for claims to appear in token)”, then click “Add”.

In “Riot”, fill:

  • “Issuer” with the value of “Authority URL (Accounts in this organizational directory only)”.

  • “Client ID” with the value of “Application ID”.

  • “Client Secret” with the value of the secret.

The user can now see “Riot Admin” in https://myapps.microsoft.com/index.html and connect to Riot.

2️⃣ Configuring the Riot Employee Portal application

Connect to your Microsoft Entra admin center, and in the left menu, go to Entra ID > Enterprise Applications and click on “New application”.

Click “Create your own application”.

  • Name: The name of the application, for example ‘Riot Employee’.

  • What are you looking to do with your application? Integrate any other application you don't find in the gallery (Non-gallery).

Then click on “Create”.

Store “Application ID” (this will be needed later), then click on “Single sign-on”.

Choose “Linked”.

In the “Sign on URL” field, enter the second login URL that is being displayed on Riot and click on “Save”.

Then click on “Users and groups” and choose which users should see the app with “Add user/group”.

Then go to “App registrations” and enter the “Application ID” you saved earlier.

Go to “Authentication” and click on “Add Redirect URI” then select “Web”.

In “Redirect URI” set https://albert.tryriot.com/portal/auth/oidc/callback and click on “Configure”.

Then go to “Certificates & secrets”, click on “New client secret”, fill out the Description field and choose an option in “Expires”. Then click on “Add”.

Once generated, copy “Value” (this will be needed later).

Go to “Token configuration”, click “Add optional claim”, then:

  • Token type: ID.

  • Select email, family_name, given_name and preferred_username.

Click “Add”.

Check “Turn on the Microsoft Graph email, profile permission (required for claims to appear in token)”, then click “Add”.

In “Riot”, fill:

  • “Issuer” with the value of “Authority URL (Accounts in this organizational directory only)”.

  • “Client ID” with the value of “Application ID”.

  • “Client Secret” with the value of the secret.

The user can now see “Riot Employee” in https://myapps.microsoft.com/index.html, and will now be able to log in.
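To confirm that either application was set up as described above, the following added example (not Riot's or Microsoft's code) inspects an ID token issued to the app and reports missing optional claims or a mismatch with the “Client ID” and “Issuer” values entered in Riot. It only decodes the token for diagnosis and does not verify its signature; the tenant and application IDs are constructed placeholders, and it assumes the directory-only Authority URL ends with the tenant ID.

```python
import base64
import json
from urllib.parse import urlparse

# Optional claims this guide adds under "Token configuration".
REQUIRED_CLAIMS = ("email", "family_name", "given_name", "preferred_username")

def decode_payload(id_token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def check_id_token(id_token, authority_url, client_id):
    """Return a list of setup problems; an empty list means the token matches the guide."""
    claims = decode_payload(id_token)
    problems = []
    for name in REQUIRED_CLAIMS:
        if not claims.get(name):
            problems.append(f"missing optional claim: {name}")
    aud = claims.get("aud")
    if aud != client_id:
        problems.append(f"aud {aud!r} is not the Application ID entered as Client ID")
    # Assumption: the single-tenant Authority URL ends with the tenant ID.
    tenant = urlparse(authority_url).path.strip("/").split("/")[0].lower()
    if tenant in ("common", "organizations", "consumers"):
        problems.append("Issuer is a multi-tenant authority, not the directory-only one")
    elif str(claims.get("tid", "")).lower() != tenant:
        problems.append("tid does not match the tenant in the Issuer value")
    return problems

def _make_sample(claims):
    """Build an unsigned, constructed token for the demonstration below."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

# Constructed placeholder values, not real tenant or application identifiers.
TENANT = "00000000-0000-0000-0000-000000000001"
CLIENT = "00000000-0000-0000-0000-0000000000aa"
AUTHORITY = f"https://login.microsoftonline.com/{TENANT}"
GOOD = _make_sample({"aud": CLIENT, "tid": TENANT, "email": "a@example.com",
                     "family_name": "Doe", "given_name": "Ann",
                     "preferred_username": "a@example.com"})
BAD = _make_sample({"aud": "other-app", "tid": TENANT, "given_name": "Ann"})

if __name__ == "__main__":
    print(check_id_token(BAD, AUTHORITY, CLIENT))
```

A missing email claim for a single user usually points at that user's directory attributes rather than the app's token configuration, so test with more than one account.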
