Configuring Azure Active Directory as an OIDC Identity Provider
Warning: Pivotal Single Sign-On v1.11 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.
This topic describes how to integrate Azure Active Directory (Azure AD) as an identity provider for a Pivotal Single Sign‑On plan, by configuring OpenID Connect (OIDC) in both Single Sign‑On and Azure AD.
Azure Active Directory (Azure AD) is Microsoft’s multi-tenant cloud-based directory and identity management service. It is one of several identity providers you can use in a Single Sign‑On service plan.
To set up the integration, follow the procedures below:
Before you can set up a relying party in Azure AD, you must meet the prerequisites listed in Azure Active Directory OIDC Integration Guide Overview.
Follow the procedures below to set up a relying party in Azure AD.
To register a new app:
Log in to your Azure account and navigate to Azure Active Directory > App registrations.
Select + to create a New application registration. A configuration pane appears.
Enter a name of your choice in the Name field.
Select Web App/API from the Application type dropdown.
Enter the sign-on URL in the Sign-on URL field. You can use the URL for the login portal, if you want. This URL has the following pattern:
To create a client secret:
Use the search bar to find your app registration, and click on its listing in the search results.
Open the Keys tab.
Enter a name for the key in the DESCRIPTION field.
Select a duration appropriate for your security requirements in the EXPIRES field.
To create reply and endpoint URLs:
Under Reply URLs, configure and save the URL using the following pattern:
AUTH-DOMAINis the Auth Domain you entered in Create or Edit Service Plans.
ORIGIN-KEYis based on the Identity Provider Name you set in the SSO Operator Dashboard in Set Up OIDC Identity Provider in SSO as shown below. Do not use spaces or uppercase letters in this value.
Warning: The origin key does not change after it is assigned, even if the Identity Provider Name is modified.
Identify your Azure Tenant Name. One location you can use to help you identify this is the App ID URI which uses the form
For example, in the App ID URI
https://tenant.onmicrosoft.com/cj8472j2-d3d2-44b1-a2zf-ro5cd03f9584, the Azure Tenant Name is
Construct the URL for the OpenID Connect metadata endpoint by replacing
TENANT-NAMEwith your Azure Tenant Name in the following string:
Record these values for the next step, configuring your OpenID Connect identity provider in Single Sign‑On.
Follow the steps below to set up an OIDC provider for Single Sign‑On:
Follow steps 1–6 in Add an OIDC Provider.
Clear the Enable Discovery checkbox and enter the following information from the OpenID Connect metadata endpoint you constructed in the final step of the previous section.
For… Do the following… Authorization Endpoint URL Enter the
authorization_endpointvalue from the metadata endpoint.
Token Endpoint URL Enter the
token_endpointvalue from the metadata endpoint.
Token Key Enter the
jwks_urivalue from the metadata endpoint.
Issuer Enter the
issuervalue from the metadata endpoint.
User Info Endpoint URL Enter the
userinfo_endpointvalue from the metadata endpoint.
Response Type Select
codefrom the dropdown.
Relying Party OAuth Client ID Enter the Application ID you recorded in step 5 of Configuring Azure Active Directory as an OIDC Identity Provider. Relying Party OAuth Client Secret Enter the Client Secret you recorded in step 8 of Configuring Azure Active Directory as an OIDC Identity Provider.
openidas a scope. You can select additional scopes.
Under Advanced Settings > Attribute Mappings (optional) > User Attributes, select user_name as the User Schema Attribute and enter
unique_nameas the Attribute Name. This enables Single Sign‑On to identify the authenticated user.
(Optional) Configure additional attribute mappings.
Click Create Identity Provider to save your settings.
(Optional) Enable identity provider discovery for the service plan.