Azure Active Directory (OpenId Connect)


Microsoft has at times indicated that the Azure Graph services will be retired. This implementation uses them. Consider using Azure AD SAML 2.0 SSO instead.

Replace capitalized text with appropriate values.

  • APPLICATION(CLIENT)ID

  • CLIENTSECRET

  • DIRECTORY(TENANT)ID

  • FLEXDEPLOYHOST

  • FLEXDEPLOYPORT

Example fdsso.config file for Azure Active Directory

Change log

  • FlexDeploy 6.0.0.1 - (Optional) AzureAdClient should now be replaced with FlexAzureAdClient to opt in to using User avatars from Azure AD.

    • This includes updates to azureAdClient, ssoFilter.clients in the sso config and the web redirect uri on the Azure application.

  • FlexDeploy 6.0.0.0 - The values for callbackFilter.defaultUrl, excludedPathMatcher.excludedPath and logout.defaultUrl have changed

```properties
callbackFilter.defaultUrl = /flexdeploy/next/#/home

oidcConfig = org.pac4j.oidc.config.AzureAdOidcConfiguration
oidcConfig.clientId = APPLICATION(CLIENT)ID
oidcConfig.secret = CLIENTSECRET
oidcConfig.discoveryURI = https://login.microsoftonline.com/DIRECTORY(TENANT)ID/.well-known/openid-configuration
oidcConfig.useNonce = true
oidcConfig.tenant = DIRECTORY(TENANT)ID

azureAdClient = org.pac4j.oidc.client.FlexAzureAdClient
azureAdClient.configuration = $oidcConfig

clients.callbackUrl = https://FLEXDEPLOYHOST:FLEXDEPLOYPORT/flexdeploy/callback
clients.clients = $azureAdClient

isAuthenticatedAdmin = org.pac4j.core.authorization.authorizer.IsAuthenticatedAuthorizer

excludedPathMatcher = org.pac4j.core.matching.matcher.PathMatcher
excludedPathMatcher.excludedPath = /next/#/login

config.authorizers = admin:$isAuthenticatedAdmin
config.matchers = excludedPath:$excludedPathMatcher

ssoFilter = flexagon.fd.ui.security.FlexPac4jFilter
ssoFilter.config = $config
ssoFilter.clients = FlexAzureAdClient
ssoFilter.matchers = nocache
ssoFilter.authorizers = admin

logout = io.buji.pac4j.filter.LogoutFilter
logout.config = $config
logout.localLogout = true
logout.centralLogout = true
logout.defaultUrl = https://FLEXDEPLOYHOST:FLEXDEPLOYPORT/flexdeploy/next/#/home
```
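A pre-deployment check for the file above, added here as an example and not part of FlexDeploy or pac4j: it parses the key = value lines, flags any capitalized placeholder that was not replaced, and verifies the settings that matter for a safe login flow (nonce enabled, HTTPS callback, discovery URI on login.microsoftonline.com and consistent with oidcConfig.tenant, and the $ references wired to the same client). The sample config, client ID, tenant ID and host name are constructed values.

```python
# Sanity checks for the Azure AD section of an fdsso.config file (constructed sample below).
PLACEHOLDERS = ("APPLICATION(CLIENT)ID", "CLIENTSECRET", "DIRECTORY(TENANT)ID",
                "FLEXDEPLOYHOST", "FLEXDEPLOYPORT")
DISCOVERY_PREFIX = "https://login.microsoftonline.com/"
DISCOVERY_SUFFIX = "/.well-known/openid-configuration"

def parse_config(text):
    """Parse 'key = value' lines into a dict; blank lines and '#' comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def check_config(text):
    """Return a list of findings; an empty list means the file passed every check."""
    cfg, findings = parse_config(text), []
    for key, value in cfg.items():
        findings += [f"{key}: placeholder {t} not replaced" for t in PLACEHOLDERS if t in value]
    if cfg.get("oidcConfig.useNonce", "").lower() != "true":
        findings.append("oidcConfig.useNonce must be true (ID token replay protection)")
    if not cfg.get("clients.callbackUrl", "").startswith("https://"):
        findings.append("clients.callbackUrl must be an https URL")
    disc, tenant = cfg.get("oidcConfig.discoveryURI", ""), cfg.get("oidcConfig.tenant", "")
    if not (disc.startswith(DISCOVERY_PREFIX) and disc.endswith(DISCOVERY_SUFFIX)):
        findings.append("oidcConfig.discoveryURI is not an Azure AD discovery URL")
    elif disc[len(DISCOVERY_PREFIX):-len(DISCOVERY_SUFFIX)] != tenant:
        findings.append("oidcConfig.tenant does not match the tenant in discoveryURI")
    # $name references must point at objects defined in the same file
    client = cfg.get("clients.clients", "").lstrip("$")
    if cfg.get(f"{client}.configuration", "").lstrip("$") != "oidcConfig":
        findings.append("clients.clients must reference a client backed by $oidcConfig")
    if cfg.get(client, "").rsplit(".", 1)[-1] != cfg.get("ssoFilter.clients"):
        findings.append("ssoFilter.clients must name the client class set for clients.clients")
    return findings

# Constructed sample: the page's template with values filled in, secret still left as a placeholder.
SAMPLE = """
oidcConfig = org.pac4j.oidc.config.AzureAdOidcConfiguration
oidcConfig.clientId = 11111111-2222-3333-4444-555555555555
oidcConfig.secret = CLIENTSECRET
oidcConfig.discoveryURI = https://login.microsoftonline.com/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/.well-known/openid-configuration
oidcConfig.useNonce = true
oidcConfig.tenant = aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
azureAdClient = org.pac4j.oidc.client.FlexAzureAdClient
azureAdClient.configuration = $oidcConfig
clients.callbackUrl = https://flexdeploy.example.internal:8000/flexdeploy/callback
clients.clients = $azureAdClient
ssoFilter.clients = FlexAzureAdClient
"""

if __name__ == "__main__":
    for finding in check_config(SAMPLE):
        print("FINDING:", finding)
```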

Register application in Azure Active Directory.

Capture Application (client) ID and Directory (tenant) ID from App Registration.

Create and capture client secret.

Here is how URL values are configured on Azure App Registration.
