Configuring Azure Active Directory as an OIDC Identity Provider

This topic describes how to integrate Azure Active Directory (Azure AD) as an identity provider for a Pivotal Single Sign‑On plan, by configuring OpenID Connect (OIDC) in both Pivotal Single Sign‑On and Azure AD.

Overview

Azure Active Directory (Azure AD) is Microsoft’s multi-tenant cloud-based directory and identity management service. It is one of several identity providers you can use in a Pivotal Single Sign‑On service plan.

To set up the integration, follow the procedures below:

  1. Set up a Relying Party in Azure AD
  2. Set up the OIDC Identity Provider in Pivotal Single Sign‑On

Prerequisites

Before you can set up a relying party in Azure AD, you must meet the prerequisites listed in Azure Active Directory OIDC Integration Guide Overview.

Set Up a Relying Party in Azure AD

Follow the steps below to set up a relying party in Azure AD.

  1. Log in to your Azure account and navigate to Azure Active Directory > App registrations.

  2. Select + to create a New application registration. A configuration pane appears.

  3. Under Application type, select Web App/API, then enter any Name and any Sign-on URI. For the Sign-on URI you can optionally enter the full Auth Domain URL, which is generated from the Auth Domain setting you used when you created the service plan that you are integrating with Azure AD.

  4. Use the search bar to find your app registration, and click on its listing in the search results.

  5. Record the Application ID displayed on the screen. This is the Relying Party OAuth Client ID.

  6. Open the Keys tab to generate your Client Secret.

  7. Enter any name for the description of the key and select the appropriate duration for your security requirements.

  8. Click Save to generate your key value. This value is the Relying Party OAuth Client Secret. Record this value for future use.

  9. Under Reply URLs, configure and save the URI of the form https://AUTH-DOMAIN/login/callback/ORIGIN-KEY where:

    • AUTH-DOMAIN is the Auth Domain setting you entered when you created the service plan that you are integrating with Azure AD.
    • ORIGIN-KEY is based on the Identity Provider Name you set in the SSO Operator Dashboard in Set Up the OIDC Identity Provider in Pivotal Single Sign‑On below. Do not use spaces or uppercase letters in this value. You might need to change this later.

  10. Identify your Azure Tenant Name. One place to find it is the App ID URI, which has the form https://TENANT-NAME/APPLICATION-ID.

    For example, in the App ID URI https://tenant.onmicrosoft.com/cj8472j2-d3d2-44b1-a2zf-ro5cd03f9584, the Azure Tenant Name is tenant.onmicrosoft.com.

  11. Construct the URL for the OpenID Connect metadata endpoint by replacing TENANT-NAME with your Azure Tenant Name in the following string: https://login.microsoftonline.com/TENANT-NAME/.well-known/openid-configuration. Example: https://login.microsoftonline.com/tenant.onmicrosoft.com/.well-known/openid-configuration

    Record these values for the next step, configuring your OpenID Connect identity provider in Pivotal Single Sign‑On.

Set Up the OIDC Identity Provider in Pivotal Single Sign‑On

Follow the steps below to set up an OIDC provider for Pivotal Single Sign‑On.

  1. Follow steps 1–6 in Add an OIDC Provider.

  2. Clear the Enable Discovery checkbox and enter the following information from the OpenID Connect metadata endpoint you constructed in the final step of the previous section.

    • Authorization Endpoint URL: enter the authorization_endpoint value from the metadata endpoint.
    • Token Endpoint URL: enter the token_endpoint value from the metadata endpoint.
    • Token Key: enter the jwks_uri value from the metadata endpoint.
    • Issuer: enter the issuer value from the metadata endpoint.
    • User Info Endpoint URL: enter the userinfo_endpoint value from the metadata endpoint.
    • Response Type: select id_token from the dropdown.
    • Relying Party OAuth Client ID: enter the Application ID you recorded in step 5 of Set Up a Relying Party in Azure AD above.
    • Relying Party OAuth Client Secret: enter the Client Secret you recorded in step 8 of Set Up a Relying Party in Azure AD above.

  3. Select openid as a scope. You can select additional scopes.

  4. Under Advanced Settings > Attribute Mappings (optional) > User Attributes, select user_name as the User Schema Attribute and enter unique_name as the Attribute Name. This enables Pivotal Single Sign‑On to identify the authenticated user.

  5. (Optional) Configure additional attribute mappings.

  6. Click Create Identity Provider to save your settings.

  7. (Optional) Enable identity provider discovery for the service plan.
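As an added example (not Pivotal or Microsoft code), the following Python helpers carry out the URL construction from steps 9 and 11 of the previous section and map a metadata document onto the dashboard fields in step 2 of this section; the metadata document is a constructed sample and the host names in it are placeholders.

```python
import json
from urllib.parse import urlparse

# Dashboard field (with Enable Discovery cleared) -> key in the metadata document.
DASHBOARD_FIELDS = {
    "Authorization Endpoint URL": "authorization_endpoint",
    "Token Endpoint URL": "token_endpoint",
    "Token Key": "jwks_uri",
    "Issuer": "issuer",
    "User Info Endpoint URL": "userinfo_endpoint",
}

# Constructed sample of a metadata document; the values are placeholders, not a real tenant's.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://login.microsoftonline.com/TENANT-ID/",
    "authorization_endpoint": "https://login.microsoftonline.com/tenant.onmicrosoft.com/oauth2/authorize",
    "token_endpoint": "https://login.microsoftonline.com/tenant.onmicrosoft.com/oauth2/token",
    "jwks_uri": "https://login.microsoftonline.com/common/discovery/keys",
    "userinfo_endpoint": "https://login.microsoftonline.com/tenant.onmicrosoft.com/openid/userinfo",
    "response_types_supported": ["code", "id_token", "code id_token"],
})


def metadata_url(tenant_name):
    """Step 11: the OpenID Connect metadata endpoint for an Azure tenant."""
    return "https://login.microsoftonline.com/%s/.well-known/openid-configuration" % tenant_name


def reply_url(auth_domain, origin_key):
    """Step 9: the Reply URL; ORIGIN-KEY must not contain spaces or uppercase letters."""
    if not origin_key or " " in origin_key or origin_key != origin_key.lower():
        raise ValueError("ORIGIN-KEY must be non-empty, lowercase, and contain no spaces")
    return "https://%s/login/callback/%s" % (auth_domain, origin_key)


def dashboard_values(metadata_json):
    """Map the metadata document onto the five dashboard fields, refusing any value that is
    missing or not an https URL, and confirming the provider advertises the id_token response type."""
    doc = json.loads(metadata_json)
    supported = doc.get("response_types_supported")
    if supported is not None and "id_token" not in supported:
        raise ValueError("provider does not advertise the id_token response type")
    values = {}
    for field, key in DASHBOARD_FIELDS.items():
        value = doc.get(key)
        if not value or urlparse(value).scheme != "https":
            raise ValueError("%s is missing or not an https URL: %r" % (key, value))
        values[field] = value
    return values
```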