Configuring Azure Active Directory as an OIDC Identity Provider

Note: Pivotal Platform is now part of VMware Tanzu. In v1.12 and later, Pivotal Single Sign‑On is named Single Sign‑On for VMware Tanzu.

This topic describes how to integrate Azure Active Directory (Azure AD) as an identity provider for a Single Sign‑On for VMware Tanzu plan, by configuring OpenID Connect (OIDC) in both Single Sign‑On and Azure AD.

Overview

Azure Active Directory (Azure AD) is Microsoft’s multi-tenant cloud-based directory and identity management service. It is one of several identity providers you can use in a Single Sign‑On service plan.

To set up the integration:

  1. Set up a Relying Party in Azure AD
  2. Locate the OIDC Metadata
  3. Set up the OIDC Identity Provider in Single Sign‑On

Prerequisites

Before you can set up a relying party in Azure AD, you must:

Set Up a Relying Party in Azure AD

Here are some helpful Azure guides that can assist with any questions. Note that Azure functionality, UI, and documentation can change frequently. The text and screenshots below are included for reference only. If there is a discrepancy or issue in the guidance below, raise an issue on GitHub using the link at the bottom of the page.

Note: Azure Active Directory v1 and v2 have slightly different integration instructions. This guide is written for v2. Notes such as this one will call out when v1 is different than v2.

Follow the procedures below to set up a relying party in Azure AD:

  1. Register a New App
  2. Generate a Relying Party OAuth Client Secret
  3. Configure Redirect URIs

Register a New App

To register a new app:

  1. Log in to your Azure account and navigate to Azure Active Directory > App registrations.

  2. Select + New registration to create a New application registration.

    Screenshot of the "Register an application" tab. "Name", "Supported account types", and "Redirect URI (optional)"
form inputs are shown.
The description for the "Name" input is
"The user-facing display name for this application (this can be changed later)".
The description for the "Supported account types" input is "Who can use this application or access this API?".
The description for the "Redirect URI (optional)" input is
"We’ll return the authentication response to this URI after successfully authenticating the user.
Providing this now is optional and it can be changed later,
but a value is required for most authentication scenarios.".

  3. Enter a name of your choice in the Name field.

  4. Select an option for Supported account types. To make an appropriate selection, consult your security organization and the Azure documentation. Record this choice because your OIDC Discovery Metadata URL depends on this choice.

  5. Leave Redirect URI (optional) blank. You provide this later.

  6. Click Register. This redirects you to the app configuration page.

  7. Copy the Application (client) ID from the app configuration page. This is the Relying Party OAuth Client ID that will be provided in the Operator Dashboard in a later step.

Generate a Relying Party OAuth Client Secret

To generate a relying party OAuth client secret:

  1. Navigate to the app’s configuration page. If you just completed the previous step, you should already be on this page. Otherwise, search for your app name in the App registrations list.

  2. Select Certificates & secrets.

  3. Select + New client secret. Provide description and expiration length that follows your security organization’s guidelines. Then click Add.

  4. Copy the Value corresponding to the newly-created Client secret. This is the Relying Party OAuth Client Secret that will be provided in the Operator Dashboard in a later step.

Configure Redirect URIs

To configure redirect URIs:

  1. Navigate to the app’s configuration page. If you just completed the previous step, you should already be on this page. Otherwise, search for your application name in the App registrations list.

  2. Select Authentication.

  3. Under Platform configuration select + Add a platform.

    Screenshot of the application configuration page's Authentication page,
 where you can configure "Platform configurations", "Supported account types", and "Advanced Settings"

  4. Under Web Applications, choose Web.

  5. Under Redirect URIs, specify a URL using the following pattern:

    https://AUTH-DOMAIN.login.SYSTEM-DOMAIN/login/callback/ORIGIN-KEY
    

    Where:

    • AUTH-DOMAIN is the Auth Domain you entered in Create or Edit Service Plans.
    • SYSTEM-DOMAIN is the domain for system-level components you chose when installing the TAS for VMs tile.
    • ORIGIN-KEY is based on the Identity Provider Name you set in the SSO Operator Dashboard in Set Up the OIDC Identity Provider in Single Sign‑On below. Do not use spaces or uppercase letters in this value.

    Warning: The origin key does not change after it is assigned, even if the Identity Provider Name is modified.

  6. Leave Logout URL and Implicit grant empty, and click Configure.

    Screenshot of configuring a web platform's "Redirect URI",
where "Logout URL" and "Implicit grant" are left empty.

Locate the OIDC Metadata

The Azure Active Directory v2 metadata URL takes the form of https://login.microsoftonline.com/TENANT/v2.0/.well-known/openid-configuration.

Note: Azure Active Directory v1 metadata URLs take the form of https://login.microsoftonline.com/TENANT/.well-known/openid-configuration

To locate your OIDC metadata:

  1. Determine the value of TENANT for your app.

    The value depends on the Supported account type that you selected in Register a New App above. For more information, see the Microsoft Documentation.

  2. If the TENANT value is the domain name or the GUID, then find those values as follows:

    1. Navigate to Azure Active Directory.
    2. Record the Tenant ID or the Primary domain shown.
    3. Use either value as TENANT in the metadata URL.

Set Up the OIDC Identity Provider in Single Sign‑On

Follow the steps below to set up an OIDC provider for Single Sign‑On:

  1. Follow steps in Add an OIDC Provider, using the option DISCOVER OIDC CONFIGURATION.

    Note: Azure Active Directory v1 might require the option MANUALLY ENTER OIDC CONFIGURATION.

  2. When selecting supported scopes, select at least openid and profile. For an explanation of what each scope means, see the Azure documentation.

    VMware recommends using scope profile so that Azure includes preferred_username in the ID token, as shown in the Azure documentation.

    Note: Azure Active Directory v1 only requires scope openid, although other scopes can be requested.

  3. Under Advanced Settings > Attribute Mappings (optional) > User Attributes, select user_name as the User Schema Attribute and enter preferred_username as the Attribute Name. This enables Single Sign‑On to identify the authenticated user.

    Note: Azure Active Directory v1 uses unique_name instead of preferred_username.

  4. (Optional) Configure additional attribute mappings.

  5. Click Create Identity Provider to save your settings.

  6. (Optional) Enable identity provider discovery for the service plan.