Azure Entra ID Setup for SSO
Beware that this documentation may be outdated or differ from your version of the external service.
Please refer to the official documentation provided by the external service for the most accurate information.
Breeze does not provide support for setting up external services, and does not take responsibility for any issues that may arise from following this documentation.
Creating an application in Azure for Single Sign-On (SSO) federation to your platform enables users to access multiple services with one set of login credentials, streamlining the authentication process and enhancing security. This step-by-step documentation will guide you through creating an Azure Active Directory (Azure AD) application and configuring it for SSO in order to integrate with Breeze.
Prerequisites
- Azure Subscription: You need an active Azure subscription.
- Azure Active Directory: Your Azure subscription must have Azure Active Directory (AD) / Azure Entra ID enabled.
- Admin Access: You must have administrative privileges in Azure AD to create and configure applications.
Step 1: Register a New Application in Azure AD
- Log into the Azure Portal: Navigate to https://portal.azure.com and sign in with your admin account.
- Access Azure Entra ID: From the left-hand side menu, select “Azure Entra ID”. This is your organization's directory service.
- Go to App Registrations: Find and click on “App registrations” to see a list of your applications.
- Register a New Application: Click on “New registration” at the top. This step is about telling Azure AD about your new application, so it knows how to handle authentication for it.
- Configure Application Settings:
- Name: Enter a descriptive name for your application.
- Supported account types: Choose who can use this application. For SSO across organizations, you might select “Accounts in any organizational directory”.
- Redirect URI (optional): Enter the URI where Azure AD will send responses to your authentication requests. You will receive this URL from the Breeze team!
- Register: Click on the “Register” button to create the application. This action generates a unique Application (client) ID for your application; note it down as it will be used later in the integration process.
Step 2: Configure Azure AD for OpenID Connect
- Access Your Application: Go back to “App registrations” in Azure AD and select the application you previously registered.
- Find and Configure Authentication: In the application's menu, locate and select Authentication. This section allows you to set up how your application will authenticate users, which in this case will be via OpenID Connect.
- Configure Redirect URIs:
- A Web Platform should already exist here with a Redirect URI if you completed Step 1. If not, follow these steps:
- Click on “Add a platform” and choose “Web” as the platform type. This indicates that your application will authenticate users from a web application.
- In the “Redirect URIs” field, enter the URL you have received from the Breeze Team. NOTE: You may have to enter this at a later stage as the URL is not known until the SSO Integration is completed.
- Enable ID Tokens:
- Find the Implicit grant and hybrid flows section and check the box for ID tokens (used for implicit and hybrid flows). This enables your application to receive ID tokens directly from Azure AD, which are crucial for OpenID Connect authentication.
- Save the Configuration: After making these adjustments, click “Save” to apply your changes. Azure AD is now configured to use OpenID Connect for authenticating users to your application.
- Obtain Application (client) ID and Directory (tenant) ID:
- Note down the Application (client) ID and Directory (tenant) ID displayed on your application’s overview page. These are needed to configure your platform to authenticate with Azure AD using OpenID Connect.
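The relying-party side of what Step 2 configures, as an added example (not Breeze code): building the OpenID Connect authorization request for the hybrid flow that the “ID tokens” checkbox enables, and the claim checks a platform applies to the returned ID token once its signature has been verified against the tenant's signing keys. The tenant ID, client ID, redirect URI and sample claims are constructed placeholders; the issuer format assumes a single-tenant registration on the v2.0 endpoint.

```python
"""Relying-party checks for the OpenID Connect setup from Steps 1 and 2.
Added example, not Breeze code. TENANT_ID, CLIENT_ID, REDIRECT_URI and the
sample claims are constructed placeholders, not values from a real tenant."""
import time
from typing import List, Optional
from urllib.parse import urlencode

TENANT_ID = "00000000-0000-0000-0000-000000000000"     # placeholder Directory (tenant) ID
CLIENT_ID = "11111111-1111-1111-1111-111111111111"     # placeholder Application (client) ID
REDIRECT_URI = "https://sso.example.invalid/callback"  # placeholder; Breeze supplies the real one


def issuer(tenant_id: str) -> str:
    """Issuer value Azure AD puts in v2.0 ID tokens for a single tenant."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"


def build_authorize_url(tenant_id: str, client_id: str, redirect_uri: str,
                        state: str, nonce: str) -> str:
    """Authorization request for the hybrid flow ('code id_token'); this is why
    the 'ID tokens' box under 'Implicit grant and hybrid flows' must be ticked."""
    params = {
        "client_id": client_id,
        "response_type": "code id_token",
        "redirect_uri": redirect_uri,
        "response_mode": "form_post",
        "scope": "openid profile email",
        "state": state,   # CSRF protection, bound to the user's browser session
        "nonce": nonce,   # replay protection, echoed back inside the ID token
    }
    return f"{issuer(tenant_id)}/authorize?{urlencode(params)}"


def validate_id_token_claims(claims: dict, tenant_id: str, client_id: str,
                             expected_nonce: str, now: Optional[int] = None) -> List[str]:
    """Claim checks that run after the token signature has been verified
    against the tenant's JWKS. Returns the names of the checks that failed."""
    now = int(time.time()) if now is None else now
    failed = []
    if claims.get("iss") != issuer(tenant_id):
        failed.append("iss")      # token came from a different issuer or tenant
    if claims.get("aud") != client_id:
        failed.append("aud")      # token was minted for another application
    if claims.get("tid") != tenant_id:
        failed.append("tid")      # defence in depth for single-tenant apps
    if claims.get("nonce") != expected_nonce:
        failed.append("nonce")    # replayed or mismatched response
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        failed.append("exp")      # expired token
    if not claims.get("sub"):
        failed.append("sub")      # no stable subject to map to a platform user
    return failed


# Constructed sample payload, as it would look after signature verification.
SAMPLE_CLAIMS = {
    "iss": issuer(TENANT_ID),
    "aud": CLIENT_ID,
    "tid": TENANT_ID,
    "sub": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "nonce": "n-0S6_WzA2Mj",
    "exp": 2_000_000_000,
    "preferred_username": "alice@contoso.example",
}

if __name__ == "__main__":
    print(build_authorize_url(TENANT_ID, CLIENT_ID, REDIRECT_URI, "st-1", "n-0S6_WzA2Mj"))
    print(validate_id_token_claims(SAMPLE_CLAIMS, TENANT_ID, CLIENT_ID,
                                   "n-0S6_WzA2Mj", now=1_700_000_000))
```

The `aud` check is the one that matters most for a federation setup: an ID token issued to another application in the same tenant carries a valid signature and the right issuer, and only the audience check rejects it. If the registration was created with “Accounts in any organizational directory”, the `tid` comparison has to be replaced by a lookup against the tenants you actually onboarded.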
Step 3: Assign Users and Groups through Enterprise Applications
- Navigate to Enterprise Applications: Since the "Users and groups" option is not directly available under the App registrations menu for your application, you need to access it through "Enterprise Applications." In the Azure portal, from the left-hand side menu, select "Azure Entra ID" and then choose "Enterprise applications." This section lists all the applications that are available for your organization, including the one you've just registered.
- Select Your Application: Find the application you registered in Step 1 by searching for its name in the list of enterprise applications. Click on your application's name to open its configuration settings.
- Access Users and Groups: Within your application's overview page, look for the "Users and groups" section. This is where you can manage who has access to your application. By assigning users and groups here, you control which individuals or groups within your organization can use the application to authenticate.
- Assign Users/Groups: Click on "Add user/group" to start adding users or groups to your application. This step is crucial for defining who will have access to your platform through Azure AD's Single Sign-On (SSO) capabilities.
- Choose Users/Groups: In the dialog that appears, you can search for and select the users or groups you wish to add. You can add individual users or entire groups, depending on your needs.
- Assign: After selecting the users or groups, click "Select" and then "Assign" to finalize the process. The selected users or groups are now granted access to your application, enabling them to use SSO to log in to your platform.
Step 4: Collect and send the following information to the Breeze Support Team:
- Application (client) ID: The unique identifier for your application in Azure AD.
- Directory (tenant) ID: The unique identifier for your organization's directory in Azure AD.
- Client secret: A secure key that your application uses to authenticate with Azure AD. This is generated in the Azure portal under your application's "Certificates & secrets" section.
Make sure to keep the client secret secure and do not share it with unauthorized individuals. This key is essential for your application to authenticate with Azure AD and should be treated as sensitive information.
Send this information securely to the Breeze Support Team to complete the SSO integration.
Optional: Role assignment
If you want to assign roles to users based on their Azure AD group membership, you can do so by following these steps:
- Access Your Application: Go back to the application you registered in Azure AD.
- Find and Configure Manifest: In the application's menu, locate and select Manifest. This section allows you to edit the application's manifest file, which contains the configuration settings for your application.
- Add Role Assignments:
- In the manifest file, locate the appRoles section and add the roles you want to assign to users based on their Azure AD group membership. For example:

```json
"appRoles": [
  {
    "allowedMemberTypes": [
      "User"
    ],
    "description": "Will be able to manage users in Breeze",
    "displayName": "Breeze User Administrator",
    "id": "f5726e54-b16d-483b-9847-4949c4517cfe",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": "userAdministration"
  },
  {
    "allowedMemberTypes": [
      "User"
    ],
    "description": "Will get the Admin Role in Breeze",
    "displayName": "Breeze Administrator",
    "id": "d1c2ade8-98f8-45fd-aa4a-6d06b947c661",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": "admin"
  }
]
```

- **Note:** The `id` field should be a unique identifier for each role. You can generate a GUID for this purpose.
- **Note:** The `value` field is the role name that will be assigned to users. This must match the role name in Breeze. For a list of available roles in Breeze, contact the Breeze Support Team.
- Save the Manifest: After adding the role assignments to the manifest file, click “Save” to apply your changes. Azure AD is now configured to assign roles to users based on their group membership.
- Configure the role assignment in Breeze. See SSO Role Management for more information.
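An added example (not Breeze or Azure code) of the two checks the notes above ask for and of what the platform does with the result: it validates an appRoles array (required fields, well-formed and unique GUID in `id`, unique `value`, assignable to users), builds a new entry with a freshly generated GUID, and maps the `roles` claim of an ID token to the role values defined in the manifest. The two roles are the ones from the manifest excerpt above; the sample token claims are constructed.

```python
"""Validating appRoles manifest entries and mapping a token's 'roles' claim
to role values. Added example, not Breeze or Azure code. The two roles below
are the ones from the manifest excerpt; the sample claims are constructed."""
import json
import uuid
from typing import Dict, List

APP_ROLES_JSON = """
[
  {
    "allowedMemberTypes": ["User"],
    "description": "Will be able to manage users in Breeze",
    "displayName": "Breeze User Administrator",
    "id": "f5726e54-b16d-483b-9847-4949c4517cfe",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": "userAdministration"
  },
  {
    "allowedMemberTypes": ["User"],
    "description": "Will get the Admin Role in Breeze",
    "displayName": "Breeze Administrator",
    "id": "d1c2ade8-98f8-45fd-aa4a-6d06b947c661",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": "admin"
  }
]
"""

REQUIRED_FIELDS = ("allowedMemberTypes", "description", "displayName", "id", "isEnabled", "value")


def load_app_roles(text: str) -> Dict[str, dict]:
    """Parse an appRoles array, enforce the manifest rules, return roles keyed by value."""
    roles = json.loads(text)
    seen_ids, by_value = set(), {}
    for role in roles:
        missing = [k for k in REQUIRED_FIELDS if k not in role]
        if missing:
            raise ValueError(f"role is missing fields: {missing}")
        uuid.UUID(role["id"])  # raises ValueError on a malformed GUID
        if role["id"] in seen_ids:
            raise ValueError(f"duplicate id {role['id']}")
        if role["value"] in by_value:
            raise ValueError(f"duplicate value {role['value']}")
        if "User" not in role["allowedMemberTypes"]:
            raise ValueError(f"role {role['value']} cannot be assigned to users")
        seen_ids.add(role["id"])
        by_value[role["value"]] = role
    return by_value


def is_valid_app_roles(text: str) -> bool:
    """Convenience wrapper for a pre-save check of an edited manifest section."""
    try:
        load_app_roles(text)
        return True
    except (ValueError, KeyError, TypeError):
        return False


def new_app_role(display_name: str, description: str, value: str) -> dict:
    """Build a new appRoles entry with a freshly generated GUID, as the Note on `id` asks."""
    return {
        "allowedMemberTypes": ["User"],
        "description": description,
        "displayName": display_name,
        "id": str(uuid.uuid4()),
        "isEnabled": True,
        "lang": None,
        "origin": "Application",
        "value": value,
    }


def roles_from_claims(claims: dict, app_roles: Dict[str, dict]) -> List[str]:
    """Azure AD places the `value` of each assigned app role in the token's 'roles'
    claim. Only values that exist and are enabled in the manifest are honoured, so a
    stray or disabled value never turns into a platform role."""
    granted = claims.get("roles", [])
    return sorted(v for v in granted if v in app_roles and app_roles[v]["isEnabled"])


if __name__ == "__main__":
    defined = load_app_roles(APP_ROLES_JSON)
    sample_claims = {"sub": "constructed-subject", "roles": ["admin", "notDefined"]}
    print(roles_from_claims(sample_claims, defined))
```

Keeping the mapping strict in `roles_from_claims` (exact match on the manifest `value`, case-sensitive) is what makes the second note matter: a role whose `value` does not match the name Breeze expects is simply never applied, which is the safe failure mode.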
Conclusion
By completing these steps, you have successfully created an application in Azure for SSO federation to your platform. This setup enhances your platform's security and user experience by streamlining the login process. Remember to regularly review and update your SSO configuration to keep it secure and functional.