Azure AD OAuth2

How to connect Azure Active Directory (AD) Single Sign-On (SSO) with OAuth2 in UI Bakery

Prerequisites

An Azure account with an active subscription.
Administrator rights on Microsoft Entra ID (former Active Directory).
A UI Bakery application up and running.

Create an Azure AD Application

Step 1: Create a New Application

Click on "Microsoft Entra ID" from the sidebar.
Choose "App registrations" and then click on "New registration".

Step 2: Configure the Application

Name your application.
Set the supported account types.
Set the redirect URI to https://YOUR_INSTANCE/auth/oauth2/callback
Click "Register" to create the application.

Configure OAuth2 in Azure

Step 1: Obtain Client ID and Secret

Go to the "Overview" tab of your newly created Azure application.
Note down the "Application (client) ID".

Step 2: Generate a Client Secret

Navigate to "Certificates & secrets".
Click on "New client secret" and follow the prompts.

Integrate Azure with UI Bakery

Step 1: Update environment variables

# Can be found in Overview tab
UI_BAKERY_OAUTH_CLIENT_ID=<your-application-id>
# do not mess it up with secret id, it should be secret value
UI_BAKERY_OAUTH_SECRET=<your-secret-value>
UI_BAKERY_OAUTH_SCOPE=User.Read
UI_BAKERY_OAUTH_EMAIL_KEY=upn
UI_BAKERY_OAUTH_GET_CLAIMS_FROM_TOKEN=true
# Replace <your-tenant-id> with Directory (tenant) ID from overview tab
# For multitenant integration use "common" instead of tenant ID
UI_BAKERY_OAUTH_AUTH_URL=https://login.microsoftonline.com/<your-tenant-id>/oauth2/v2.0/authorize
UI_BAKERY_OAUTH_TOKEN_URL=https://login.microsoftonline.com/<your-tenant-id>/oauth2/v2.0/token
UI_BAKERY_BRANDING_AUTH_SSO_BTN_TEXT=Login with Microsoft

Step 2: Restart your UI Bakery instance

Docker compose setup may be restarted with the following command:

docker compose down && docker compose up -d

Set up group claims for role synchronization (Optional)

If you need to enable role synchronization, then groups claim must be included in the access token. To achieve this, follow these steps:

Add groups claim in "Token configuration" section. Select groups types according to your requirements.
In the "Expose an API" section, configure Application ID URI with default value and create a new scope. Set the scope name to groups and configure the necessary settings
In the "API permissions" section, click Add a permission, select the APIs my organization uses tab, and search for the previously created scope by typing your app registration name or id.

Update the following environment variables and then restart your instance:

UI_BAKERY_SSO_ROLE_CLAIM=groups
# replace api://YOUR_APP_ID with "Application ID URI" from "Expose an API" section
UI_BAKERY_OAUTH_TOKEN_URL_ADDITIONAL_PARAMS={"scope": "api://YOUR_APP_ID/groups"}

Test the Integration

Attempt to log in to your UI Bakery application with `Login with Microsoft` button.
You should be redirected to the Azure AD login page.
After successful authentication, you should be redirected back to your UI Bakery application.

Troubleshooting

If you encounter issues during the integration, consider checking the following:

Make sure the Client ID and Client Secret are correctly configured in UI Bakery.
Validate the Redirect URI settings on both Azure and UI Bakery.
Check Azure logs for authentication errors.

PreviousOkta ODIC NextToken refresh

Last updated 1 year ago

Was this helpful?