Configuring Azure Active Directory as an OIDC Identity Provider
This topic describes how to integrate Azure Active Directory (Azure AD) as an identity provider for a Single Sign-On (SSO) service plan, by configuring OpenID Connect (OIDC) in both Pivotal Cloud Foundry (PCF) and Azure AD.
Follow the steps below to set up relying party in Azure AD.
Log in to your Azure account and navigate to Azure Active Directory > App registrations.
Select + to create a New application registration. A configuration pane appears.
Under Application type, select Web App/API and enter any Name and any Sign-on URI. You can optionally enter the full Auth Domain URL generated based on the Auth Domain setting you used when you created the service plan that you are integrating with Azure AD.
Use the search bar to find your application registration, and click on its listing in the search results.
Record the Application ID displayed on the screen. This will be the Relying Party OAuth Client ID.
Open the Keys tab to generate your Client Secret.
Enter any name for the description of the key and select the appropriate duration for your security requirements.
Click Save to generate your key value. This value is the Relying Party OAuth Client Secret. Record this value for future use.
Under Reply URLs, configure and save the URI of the form
AUTH_DOMAINis the Auth Domain setting you entered when you created the service plan that you are integrating with Azure AD.
ORIGIN_KEYis based on the Identity Provider Name you set in the SSO dashboard in Set Up OIDC Identity Provider in SSO as shown below. Do not use spaces or uppercase letters in this value. You might need to change this later.
Identify your Azure Tenant Name. One location you can use to help you identify this is the App ID URI which uses the form
For example, in the App ID URI
https://tenant.onmicrosoft.com/cj8472j2-d3d2-44b1-a2zf-ro5cd03f9584, the Azure Tenant Name is
Construct the URL for the OpenID Connect metadata endpoint by replacing
TENANT-NAMEwith your Azure Tenant Name in the following string:
Record these values for the next step, configuring your OpenID Connect identity provider in SSO.