Azure Active Directory (Azure AD) is a cloud-based identity and access management service. This service helps your employees access external resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
{% hint style="info" %} OpenID Connect is available only in the enterprise edition for self-hosted instances, and only the Superuser of your Appsmith Instance can set up OIDC. {% endhint %}
To configure OpenID Connect (OIDC) within Appsmith using Active Directory as the OIDC provider, follow these steps:
{% embed url="https://youtu.be/GDOVdeIe3VU" %} Creating an application in Active Directory {% endembed %}
- Log in to your Azure account and click on More services.
- Click on Azure Active Directory and hit "+Add". From the "+Add" dropdown, select "App Registration".
- Under App Registration:
  - Name: give your app a meaningful name.
  - Supported account types: select "Accounts in this organizational directory only (Default Directory only - Single tenant)".
  - Redirect URL: select Web as the platform and add the redirect URL (copied from the OIDC window in Appsmith's Admin Settings).
- Click on Register to create the application.
On the application homepage, go to the Overview tab and perform the following actions under the Essentials dropdown:
- Copy the Application (client) ID and paste it under the Client ID in the OIDC configurations in Appsmith.
- For Client secret, click on “Client credentials: Add a certificate or secret.”
- In the “Certificates and Secrets window,” go to the Client secret tab and click on “New client secret.”
- Add the key's description and expiration time in the “Add a client secret” pop-up. Click on Save.
- Copy the value of the new Client secret and add it under Client secret in the OIDC configurations in Appsmith.
{% embed url="https://youtu.be/AcpfV0sQ26w" %} Creating a new Client secret in Active Directory {% endembed %}
- Click the Endpoints tab under App overview and copy the OpenID Connect metadata document URL.
{% embed url="https://youtu.be/v6N09_Q5LoY" %}
- Open the metadata URL in a browser window, copy the following values from the metadata document, and add them to the OIDC Configurations in Appsmith:

| Azure Active Directory configuration | OIDC configuration field in Appsmith |
|---|---|
| authorization_endpoint | Authorization URL |
| token_endpoint | Token URL |
| userinfo_endpoint | User Info URL |
| jwks_uri | JWK Set URL |
The Scope field defines the OpenID Connect (OIDC) scopes that authorize access to user details (after a user is successfully authenticated) such as name, email, and profile picture. Each scope maps to a set of user attributes and returns their values. The Scope field appears below the JSON Web Key Set field.
Appsmith requires openid as a mandatory scope. You can add more scopes if needed, but make sure the same scopes are available in Active Directory.
{% embed url="https://youtu.be/CkUOXc1u87A" %} Configuring scopes in Active Directory {% endembed %}
To configure scopes/permissions on Active Directory, follow the steps below:
- Go to API permissions on the left panel.
- Click on the Add a permission button.
- Under Request API permissions, select Microsoft Graph and click on Delegated permissions.
- Select the following permissions:
  - Under OpenID permissions:
    - openid
    - profile
  - Under User permissions:
    - User.Read
- Once complete, these scopes are added to the Active Directory application.
- Click on Grant admin consent for Default Directory at the top of the table, next to the Add a permission button.
The Username Attribute field defines the attribute used as the username for authentication. Add the attribute you want to use for logging in to this field.
For Active Directory, Appsmith uses the "sub" value as the username. Make sure you have added "sub" as the attribute in the Username Attribute field.
- Save the changes and restart your application by clicking the SAVE & RESTART button.
- You'll see SIGN IN WITH OIDC SSO on Appsmith's login screen.
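As an added example (not part of the Appsmith documentation or code base), the check below reads an OpenID Connect metadata document, applies the endpoint-to-field mapping from the table above, and verifies the two requirements this page states: that the provider advertises the openid (and profile) scopes and that the "sub" claim is available for the Username Attribute. The metadata document is a constructed sample with a placeholder tenant id, not a real tenant's document.

```python
import json
from urllib.parse import urlparse

# Appsmith OIDC field -> OpenID Connect metadata key (the mapping table on this page)
FIELD_MAP = {
    "Authorization URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "User Info URL": "userinfo_endpoint",
    "JWK Set URL": "jwks_uri",
}
REQUIRED_SCOPES = {"openid", "profile"}  # openid is mandatory for Appsmith
USERNAME_CLAIM = "sub"                   # Appsmith uses "sub" as the username attribute

# Constructed sample shaped like an Azure AD discovery document; <TENANT-ID> is a placeholder.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://login.microsoftonline.com/<TENANT-ID>/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/<TENANT-ID>/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/<TENANT-ID>/oauth2/v2.0/token",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "jwks_uri": "https://login.microsoftonline.com/<TENANT-ID>/discovery/v2.0/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "claims_supported": ["sub", "iss", "aud", "exp", "name", "preferred_username"],
})


def appsmith_oidc_settings(metadata_json: str) -> dict:
    """Validate a discovery document and return the values to paste into Appsmith.

    Raises ValueError listing every problem found, so a misconfigured provider
    is caught before the settings are saved and the instance restarted.
    """
    doc = json.loads(metadata_json)
    problems, settings = [], {}
    for field, key in FIELD_MAP.items():
        url = doc.get(key)
        if not url:
            problems.append(f"metadata is missing '{key}' (needed for {field})")
            continue
        if urlparse(url).scheme != "https":  # endpoints must be served over TLS
            problems.append(f"'{key}' is not an https URL: {url}")
        settings[field] = url
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append(f"provider does not advertise scopes: {sorted(missing)}")
    if USERNAME_CLAIM not in doc.get("claims_supported", []):
        problems.append(f"'{USERNAME_CLAIM}' claim not advertised; username mapping would fail")
    if problems:
        raise ValueError("; ".join(problems))
    settings["Scope"] = " ".join(sorted(REQUIRED_SCOPES))
    settings["Username Attribute"] = USERNAME_CLAIM
    return settings
```

Run it against the metadata URL copied from the Endpoints tab (fetch the JSON first, then pass the text in) to get the exact values for each Appsmith field.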