Use this article to set up Active Directory (AD) single sign-on (SSO) with DNSFilter. DNSFilter supports SSO with any identity provider that uses the generic OpenID Connect (OIDC) authentication process, including AD.
DNSFilter is not an expert in configuring Entra ID, Active Directory, or Azure environments. Consult Microsoft's documentation for platform-specific guidance and best practices.
How Entra ID app registration and Enterprise Applications relate
When setting up SSO in Entra ID, the process involves two related components: an App Registration and an Enterprise Application. Creating an App Registration in Entra ID automatically generates a corresponding Enterprise Application in the background. These are not two separate setups—they are two views of the same application.
- The App Registration is where the application identity is configured: redirect URIs, client secrets, API permissions, and authentication settings
- The Enterprise Application is where user and group access is managed
DNSFilter does not use the Entra ID app gallery, so an Enterprise Application is not created directly. Complete the App Registration first, then locate the automatically generated Enterprise Application to assign users.
Step 1: Create an app registration
- In Entra ID, create a new App Registration
- Select Web for the platform
- Enter the DNSFilter static authentication callback URL in the Redirect URI field:
https://auth.dnsfilter.com/login/callback
✍️ MSPs: add the CNAME SSO URL in the Home Page URL field under Branding & Properties on the app registration. This allows the app to work from the Microsoft My Apps dashboard.
Step 2: Assign users and groups
User and group assignments are managed from the Enterprise Application, not the App Registration. To locate the Enterprise Application generated by the App Registration:
- From Entra ID, navigate to Enterprise Applications and select All Applications
- Search by the name used for the App Registration
- Select the app and navigate to Manage > Users and Groups
- Select Add User/Group to assign access
- Set Assignment Required to Yes
See Assigning users and groups to an Enterprise App on Microsoft's site for additional guidance.
Step 3: Add a client secret
- From the App Registration, navigate to Certificates & Secrets
- Select New Client Secret and complete the required fields
- Copy the Secret Value immediately after creation — this value is only visible once. Store it in a secure location or password vault
✍️ Keep track of the secret expiration date. Create a new secret and update the DNSFilter SSO configuration before the existing secret expires to avoid being locked out of the DNSFilter dashboard.
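One way to act on the expiration reminder above, added here as an example (not DNSFilter or Microsoft code): it flags client secrets that are expired or close to expiry. It assumes the app's credential list has been exported as JSON in the Microsoft Graph `passwordCredentials` shape (for example with `az ad app credential list --id <Application (Client) ID>`); the sample data, the 30-day window and the function names are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of the Microsoft Graph application
# resource's passwordCredentials array. All values are made up.
SAMPLE = json.loads("""
[
  {"keyId": "00000000-0000-0000-0000-000000000001",
   "displayName": "dnsfilter-sso-2024", "endDateTime": "2025-01-10T00:00:00Z"},
  {"keyId": "00000000-0000-0000-0000-000000000002",
   "displayName": "dnsfilter-sso-2025", "endDateTime": "2025-03-01T12:00:00.1234567Z"},
  {"keyId": "00000000-0000-0000-0000-000000000003",
   "displayName": "dnsfilter-sso-next", "endDateTime": "2026-01-15T00:00:00Z"}
]
""")

def parse_graph_time(value):
    """Parse a UTC 'Z' timestamp; up to 7 fractional digits are tolerated."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S"
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6]}"   # datetime keeps microseconds only
        fmt += ".%f"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def secret_status(credentials, now, warn_days=30):
    """Return (name, status, days_left) per secret, soonest expiry first."""
    rows = []
    for cred in credentials:
        days_left = (parse_graph_time(cred["endDateTime"]) - now).days
        if days_left < 0:
            status = "EXPIRED"
        elif days_left <= warn_days:
            status = "ROTATE"
        else:
            status = "OK"
        rows.append((cred.get("displayName") or cred["keyId"], status, days_left))
    return sorted(rows, key=lambda row: row[2])

def needs_attention(credentials, now, warn_days=30):
    """Names of secrets that are expired or inside the warning window."""
    return [n for n, s, _ in secret_status(credentials, now, warn_days) if s != "OK"]

if __name__ == "__main__":
    now = datetime(2025, 2, 10, tzinfo=timezone.utc)  # fixed for a repeatable run
    for name, status, days in secret_status(SAMPLE, now):
        print(f"{status:8} {days:5}d  {name}")
```

Entra ID does not record which secret was entered in DNSFilter, so compare any flagged name against the secret actually used in the DNSFilter SSO configuration before rotating.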
Step 4: Collect required values
Copy the following values from the App Registration to use during DNSFilter dashboard setup:
- Application (Client) ID
- Client Secret Value (from Step 3)
- OpenID Connect Metadata Document URL (found under Endpoints in the App Registration)
Step 5: Complete SSO setup in DNSFilter
From the DNSFilter dashboard, navigate to the SSO configuration and enter the values collected in Step 4. See Configure single sign-on (SSO) for DNSFilter for the complete dashboard steps.