Single Sign-On (SSO)

This guide will show you how to set up Single Sign-On (SSO) for your organization using Microsoft Entra ID (formerly known as Azure Active Directory). Other SSO providers work similarly, but the setup might differ.

Note: Single Sign-On (SSO) is available on any paid plan of Entropy Data.

Prerequisites

Know the hostname / domain of your application, e.g., datacontract-manager.example.com.

Create an app registration in Azure

Learn more in the official reference: https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app

1. Sign in to the Azure portal as at least a Cloud Application Administrator and go to Microsoft Entra ID.
2. Under Manage, select App registrations.
3. Select New registration.
4. Name: Entropy Data
5. Supported account types: Accounts in this organizational directory only (Single tenant)
6. Redirect URI:
   • Select a Platform: Web
   • URL: https://YOUR_HOSTNAME/login/oauth2/code/azuresso (replace YOUR_HOSTNAME with the host name of your instance)
7. Select Register.
8. Copy the Application (client) ID
9. To the right of Client credentials, select Add a certificate or secret.
10. Select + New client secret.
11. Enter an optional description, select an expiration, and then select Add.
12. Under Secret value, select the Copy to clipboard icon. Do it now, this value will not be displayed later.
13. Back on Overview, Select Endpoints at the top of the page.
14. Find the OpenID Connect metadata document URL and copy the value before /.well-known/openid-configuration.
15. In the left side panel, under Manage, select Token configuration.
16. Select Add optional claim
17. Select Token type: ID
18. Select Claim: verified_primary_email
19. Select Add.
20. In the left side panel, under Manage, select Branding & properties.
21. Upload a logo and check all properties
22. Check the Publisher domain

You should now have these values, we will need them to configure the application:

Configure the application

Add the following environment variables to your application with the values from above:

SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_AZURE_ISSUER_URI=https://login.microsoftonline.com/cc62cfd7-babf-43fa-89c8-000000000000/v2.0 # The OpenID Connect metadata document (without the /.well-known/openid-configuration ending)
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AZURESSO_CLIENT_ID=cfe06d6f-787f-48df-b5f9-000000000000 # The Application (client) ID
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AZURESSO_CLIENT_SECRET=Gye8Qxxxxxxxxxxxxxxxxxxxxxxx # The Secret Value
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AZURESSO_PROVIDER=azure
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AZURESSO_AUTHORIZATION_GRANT_TYPE=authorization_code
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AZURESSO_REDIRECT_URI={baseUrl}/{action}/oauth2/code/{registrationId}
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AZURESSO_CLIENT_AUTHENTICATION_METHOD=client_secret_basic
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AZURESSO_SCOPE=openid,profile,email

# if you use azure
APPLICATION_SSO_AZURE_HOSTS=entropydata.example.com

Restart the application and check the logs.

When you open the application, you should now be redirected to the Microsoft Entra ID login page.

What if I am not using Entra ID, but Okta or similar instead?

Any OpenID Connect (OIDC) provider can be used for SSO. This section walks through Okta as an alternative to Microsoft Entra ID, but the same approach applies to other OIDC providers (e.g., Keycloak, Auth0, Google Workspace, Ping Identity) — only the provider-specific app setup and the issuer URI differ. The same AZURESSO and APPLICATION_SSO_AZURE_HOSTS environment variables are used — the azure naming is historical.

Create an app integration in Okta

Learn more in the official reference: https://help.okta.com/oie/en-us/content/topics/apps/apps-overview-add-apps.htm

1. Sign in to your Okta admin console.
2. Go to Applications > Applications, then select Create App Integration.
3. Sign-in method: OIDC - OpenID Connect
4. Application type: Web Application
5. App integration name: Entropy Data
6. Grant type: Authorization Code
7. Sign-in redirect URIs: https://your-org.example.com/login/oauth2/code/azuresso (replace your-org.example.com with the host name of your instance)
8. Controlled access: assign the application to the users or groups who should have access.
9. Click Save.
10. On the General tab, copy the Client ID and Client secret.
11. Note your Okta domain (e.g., https://your-org.okta.com). This is the issuer URI.

You should now have these values, we will need them to configure the application:

Configure the application

Add the following environment variables to your application with the values from above:

SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_AZURE_ISSUER_URI=https://your-org.okta.com # The Okta domain (issuer URI)
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AZURESSO_CLIENT_ID=0oa1abuqipcmZsCds1t8 # The Client ID
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AZURESSO_CLIENT_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx # The Client Secret
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AZURESSO_PROVIDER=azure
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AZURESSO_AUTHORIZATION_GRANT_TYPE=authorization_code
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AZURESSO_REDIRECT_URI={baseUrl}/{action}/oauth2/code/{registrationId}
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AZURESSO_CLIENT_AUTHENTICATION_METHOD=client_secret_basic
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AZURESSO_SCOPE=openid,profile,email

APPLICATION_SSO_AZURE_HOSTS=your-org.example.com

Restart the application and check the logs.

When you open the application, you should now be redirected to the Okta login page.

Configure the organization

In the Admin Console, go to Organizations, select your organization, and update:

• SSO Issuer: azuresso
• SSO Tenant: the tenant ID of your Microsoft Entra ID directory
• SSO Auto Join: enable this to automatically add any new SSO user to this organization on their first login. Not necessary if you use SCIM for user provisioning.