
Authentication

Corral uses your existing Entra ID (Azure AD) for authentication. SSO is configured automatically during deployment — no manual identity setup required.


How It Works

Automatic SSO Setup

During deployment, Corral creates an app registration in your Entra ID tenant and configures OpenID Connect. After a one-time admin consent flow, any user in your organization can sign in with their existing account.

There’s no separate user directory, no credential synchronization, no shadow identity system. Your Entra ID is the single source of truth for identity.

Authentication Flow

  1. User navigates to the Corral URL (Hub or Admin Console)
  2. Redirected to Microsoft Identity Platform login
  3. Authenticates with organizational credentials (supports MFA, conditional access — whatever your Entra ID policies enforce)
  4. Token issued with user identity, roles, and group memberships
  5. Corral validates the token and grants access based on app role assignments and per-node permissions

Protocol

  • OpenID Connect via Microsoft Identity Platform
  • Sign-in audience: AzureADMultipleOrgs (supports multi-tenant scenarios)
  • Token contents: User identity, app role assignments (Management, Workspace.Creator)

App Roles

Two app roles are defined on the Corral app registration:

Role               Purpose
Management         Access to the admin console and management APIs
Workspace.Creator  Ability to create new workspaces

Roles are assigned to users directly via Entra ID app role assignments in the Azure portal (Enterprise Applications → Corral → Users and Groups).
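As an added example (not Corral's own code), this is the validation step of the flow above expressed as claim checks on a v2.0 ID token after a JWT library has verified its signature against the Microsoft Identity Platform signing keys. The client ID, tenant IDs and sample claims are constructed placeholders; the tenant allowlist is there because the AzureADMultipleOrgs sign-in audience noted under Protocol means a correctly signed token from any Entra tenant reaches the app.

```python
from typing import Optional
import time

# Constructed placeholders for the Corral app registration's client ID and
# the Entra tenants allowed to sign in; replace with real values.
CLIENT_ID = "00000000-0000-0000-0000-000000000001"
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}
ROLE_MANAGEMENT = "Management"
ROLE_WORKSPACE_CREATOR = "Workspace.Creator"


def check_claims(claims: dict, now: Optional[float] = None) -> dict:
    """Validate issuer, audience, tenant and lifetime of an already
    signature-verified v2.0 ID token; return the principal (oid, tid, roles).
    Raises PermissionError for any token that must be rejected."""
    now = time.time() if now is None else now
    tid = claims.get("tid")
    # With sign-in audience AzureADMultipleOrgs a correctly signed token from
    # any Entra tenant is valid for this app, so the tenant must be checked.
    if tid not in ALLOWED_TENANTS:
        raise PermissionError("tenant not allowed")
    # The v2.0 issuer embeds the tenant ID and must agree with the tid claim.
    if claims.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        raise PermissionError("unexpected issuer")
    if claims.get("aud") != CLIENT_ID:
        raise PermissionError("token not issued for this app")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise PermissionError("token outside its validity window")
    return {"oid": claims["oid"], "tid": tid, "roles": set(claims.get("roles", []))}


def can_access_admin_console(principal: dict) -> bool:
    """Management: admin console and management APIs."""
    return ROLE_MANAGEMENT in principal["roles"]


def can_create_workspace(principal: dict) -> bool:
    """Workspace.Creator: ability to create new workspaces."""
    return ROLE_WORKSPACE_CREATOR in principal["roles"]


# Constructed sample claims (not a real token) for a Workspace.Creator user.
SAMPLE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
    "aud": CLIENT_ID,
    "tid": "11111111-1111-1111-1111-111111111111",
    "oid": "22222222-2222-2222-2222-222222222222",
    "roles": ["Workspace.Creator"],
    "nbf": 1_700_000_000,
    "exp": 1_700_003_600,
}
```

A user with no app role assignment carries no roles claim at all, which the checks treat as an empty role set rather than an error.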

This section is a work in progress.


Admin Consent

After deployment, a Global Admin, Application Admin, or Cloud Application Admin completes a one-time admin consent flow. This authorizes the Corral app registration to:

  • Sign in users and read their profile
  • Read user roles and group memberships

This section is a work in progress.


What Your Identity Policies Control

Because Corral uses your Entra ID, your existing identity policies apply automatically:

  • Multi-factor authentication — if your Entra ID requires MFA, Corral requires MFA
  • Conditional access — location-based, device-based, risk-based policies apply
  • Session management — token lifetime, refresh policies, sign-in frequency
  • Account lifecycle — disabled accounts can’t access Corral; no separate deprovisioning needed

Corral doesn’t override or bypass any of your identity policies.


Consumer Accounts

For non-enterprise scenarios (SaaS trial, personal accounts), additional login providers are available:

  • Google OIDC — for users without Entra ID accounts
  • Corral Support — fallback access for development and support scenarios

These are not active in standard on-tenant enterprise deployments where Entra ID is the primary provider.