Single Sign On authentication
Single Sign On
AWE applications can use the SSO authentication method, which allows a user to access different applications with a single account (one user name and password).
Azure EntraID
AWE provides Azure OAuth2 authentication integration through the native spring-cloud-azure-starter-active-directory. The Spring Boot Starter for Microsoft Entra ID lets you connect your web application to a Microsoft Entra tenant and protect your resource server with Microsoft Entra ID. It uses the OAuth 2.0 protocol to protect web applications and resource servers.
[Image: Azure Entra ID]
To enable Azure OAuth2 Active Directory authentication, add the spring-cloud-azure starter dependency and configure your organization's tenant ID together with the application (client) ID and secret.
<dependency>
    <groupId>com.azure.spring</groupId>
    <artifactId>spring-cloud-azure-starter-active-directory</artifactId>
</dependency>
# Enable related features.
spring.cloud.azure.active-directory.enabled=true
# Specifies your Active Directory ID:
spring.cloud.azure.active-directory.profile.tenant-id={CONFIGURE YOUR TENANT ID}
# Specifies your App Registration's Application ID:
spring.cloud.azure.active-directory.credential.client-id={CONFIGURE YOUR CLIENT ID}
# Specifies your App Registration's secret key:
spring.cloud.azure.active-directory.credential.client-secret={CONFIGURE YOUR SECRET KEY}
By default, if the user who logs in through this method does not exist in the database, the user is provisioned automatically by adding a new record to the user table.
If you do not want this behavior, disable it by setting the configuration property awe.security.auto-provision-use to false.
[Image: Keycloak new client 2]
Configure the client by setting the Root URL, Web origins and Admin URL to the hostname (https://{hostname}).
You can also set Home URL to the /applications path and Valid post logout redirect URIs to https://{hostname}/applications.
Valid redirect URIs should be set to https://{hostname}/auth/callback. The less secure https://{hostname}/* can be used for testing or development purposes, but it is not recommended in production.
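To make the difference between the two redirect URI settings concrete, here is an added example (not AWE or Keycloak code) that applies a simplified, assumed form of the matching rule an OAuth2/OIDC provider uses when it checks the redirect_uri parameter of an authorization request. The host name is a constructed value. It shows that the exact registration accepts only the real callback, while the wildcard registration delivers the authorization code to any page on the host.

```python
"""Redirect URI checking, as an OAuth2/OIDC provider such as Keycloak applies it.

Added example, not AWE or Keycloak code.  It compares the two registrations
mentioned in this guide, the exact callback and the wildcard
"https://{hostname}/*", under a simplified matching rule (an assumption, not a
copy of Keycloak's implementation).  The host name is a constructed value.
"""
from urllib.parse import urlsplit

HOSTNAME = "awe.example.com"  # constructed stand-in for {hostname}

EXACT_CALLBACK = [f"https://{HOSTNAME}/auth/callback"]  # recommended setting
WILDCARD_HOST = [f"https://{HOSTNAME}/*"]                # development-only setting


def redirect_uri_allowed(registered: list, requested: str) -> bool:
    """Return True when `requested` is acceptable under one of the registered patterns.

    Rules modelled here (assumption): scheme and host must match exactly
    (case-insensitively); a pattern without '*' must match path and query
    exactly; a pattern ending in '*' matches any path with that prefix; a URI
    carrying a fragment is always rejected, as RFC 6749 forbids fragments there.
    """
    req = urlsplit(requested)
    if req.fragment:
        return False
    for pattern in registered:
        wildcard = pattern.endswith("*")
        pat = urlsplit(pattern[:-1] if wildcard else pattern)
        if (req.scheme.lower(), req.netloc.lower()) != (pat.scheme.lower(), pat.netloc.lower()):
            continue
        if wildcard:
            if req.path.startswith(pat.path):
                return True
        elif req.path == pat.path and req.query == pat.query:
            return True
    return False


def compare_settings(requested: str) -> dict:
    """Evaluate the same request under the recommended and the permissive setting."""
    return {
        "exact": redirect_uri_allowed(EXACT_CALLBACK, requested),
        "wildcard": redirect_uri_allowed(WILDCARD_HOST, requested),
    }


if __name__ == "__main__":
    for uri in (
        f"https://{HOSTNAME}/auth/callback",           # the real callback
        f"https://{HOSTNAME}/some/other/page",         # any other page on the host
        f"https://{HOSTNAME}/auth/callback#fragment",  # fragment never allowed
        f"http://{HOSTNAME}/auth/callback",            # scheme downgrade
        "https://evil.example.net/auth/callback",      # different host
    ):
        print(f"{uri:50} {compare_settings(uri)}")
```

With the wildcard setting, the second request is accepted, so the provider would send the authorization code to any page on the host; with the exact setting it is not. Both settings reject the scheme downgrade, the foreign host and the fragment.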
[Image: Keycloak new client 3]
Make sure to click Save.
There is a tab called Credentials; copy the Client Secret from there, as it is needed in the application configuration.
[Image: Keycloak new client 4]
The following configuration properties need to be added in order to integrate an AWE application with the Keycloak server.
################################################
# SSO login
################################################
# Enable AWE SSO
awe.security.sso.enabled=true
# Auto launch sso flow (skip native window sign in)
awe.security.sso.auto-launch=true
# OAuth provider name (must be the same name used as the provider key below)
spring.security.oauth2.client.registration.keycloak.provider=[PROVIDER_NAME]
# Provider issuer URI (the segment after "provider." is the provider name configured above)
spring.security.oauth2.client.provider.[PROVIDER_NAME].issuer-uri=[PROVIDER_URI]
# Authorization grant type for login
spring.security.oauth2.client.registration.keycloak.authorization-grant-type=authorization_code
# Client Id
spring.security.oauth2.client.registration.keycloak.client-id=[CLIENT_ID]
# Client Secret
spring.security.oauth2.client.registration.keycloak.client-secret=[CLIENT_SECRET]
# Scope request
spring.security.oauth2.client.registration.keycloak.scope=openid
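The properties above are easy to get subtly wrong: the registration's provider name must agree with the key under spring.security.oauth2.client.provider, the issuer must be https, the grant type must be authorization_code, the scope must include openid, and the bracketed placeholders must be replaced. The following added example (not part of AWE or Spring) parses a properties snippet of this shape and reports those problems; the sample property values are constructed.

```python
"""Consistency checks for the Spring Security OAuth2 client properties behind AWE SSO.

Added example, not part of AWE or Spring.  It parses a properties snippet shaped
like the one in this guide and reports mistakes that leave SSO broken or
weakened: a registration whose `provider` name has no matching
`spring.security.oauth2.client.provider.<name>` entries, a non-https issuer,
a wrong grant type, a missing openid scope, and credentials left as
placeholders.  The sample properties are constructed for the example.
"""
import re

REG = "spring.security.oauth2.client.registration."
PROV = "spring.security.oauth2.client.provider."
# Values such as [CLIENT_SECRET] or {CONFIGURE YOUR SECRET KEY} copied verbatim.
PLACEHOLDER = re.compile(r"^(\[[^\]]*\]|\{[^}]*\})$")


def parse_properties(text: str) -> dict:
    """Minimal java.util.Properties-style parser: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def lint_sso_properties(text: str) -> list:
    """Return a list of findings; an empty list means the snippet is consistent."""
    p = parse_properties(text)
    findings = []
    if p.get("awe.security.sso.enabled", "").lower() != "true":
        findings.append("awe.security.sso.enabled is not true, so the SSO flow is off")
    registrations = {k[len(REG):].split(".")[0] for k in p if k.startswith(REG)}
    providers = {k[len(PROV):].split(".")[0] for k in p if k.startswith(PROV)}
    if not registrations:
        findings.append("no spring.security.oauth2.client.registration.* entries")
    for reg in sorted(registrations):
        prefix = f"{REG}{reg}."
        r = {k[len(prefix):]: v for k, v in p.items() if k.startswith(prefix)}
        # Spring falls back to the registration id when `provider` is not set.
        provider = r.get("provider") or reg
        if provider not in providers:
            findings.append(
                f"registration '{reg}' names provider '{provider}' but there are no {PROV}{provider}.* entries"
            )
        elif not p.get(f"{PROV}{provider}.issuer-uri", "").startswith("https://"):
            findings.append(f"provider '{provider}' issuer-uri is missing or not https")
        if r.get("authorization-grant-type") != "authorization_code":
            findings.append(f"registration '{reg}' must use the authorization_code grant for login")
        if "openid" not in re.split(r"[,\s]+", r.get("scope", "")):
            findings.append(f"registration '{reg}' scope lacks openid, so no ID token is issued")
        for name in ("client-id", "client-secret"):
            value = r.get(name, "")
            if not value or PLACEHOLDER.match(value):
                findings.append(f"registration '{reg}' {name} is empty or still a placeholder")
    return findings


# Constructed sample: provider name and provider key agree, secret filled in.
GOOD_PROPERTIES = """
awe.security.sso.enabled=true
awe.security.sso.auto-launch=true
spring.security.oauth2.client.registration.keycloak.provider=awe
spring.security.oauth2.client.provider.awe.issuer-uri=https://sso.example.com/realms/awe
spring.security.oauth2.client.registration.keycloak.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.keycloak.client-id=awe-app
spring.security.oauth2.client.registration.keycloak.client-secret=constructed-secret-value
spring.security.oauth2.client.registration.keycloak.scope=openid
"""

# Same snippet, but the provider name no longer matches the provider key and
# the secret was left as the placeholder from the guide.
MISMATCHED_PROPERTIES = GOOD_PROPERTIES.replace(
    "registration.keycloak.provider=awe", "registration.keycloak.provider=keycloak"
).replace("constructed-secret-value", "[CLIENT_SECRET]")

if __name__ == "__main__":
    for label, text in (("good", GOOD_PROPERTIES), ("mismatched", MISMATCHED_PROPERTIES)):
        print(label, lint_sso_properties(text) or "no findings")
```

Run it against the application's real properties file before enabling awe.security.sso.auto-launch: with auto-launch on, a broken registration is hit immediately on every login rather than only when a user clicks the SSO button.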
Add identity providers
You can integrate other identity providers into your authentication process. In this guide, Azure EntraID is used as the example.
[Image: Keycloak new client 5]
In the detail page, fill in the details as follows:
- Enter an alias of your choice and enable Use discovery endpoint if it is not already enabled.
- Input the Discovery URL from Azure (copied earlier) into the Discovery endpoint field.
[Image: Keycloak new client 6]
- Input the Client ID. This is the application (client) ID copied from Azure app registration.
- Input the Client Secret. This is the application secret copied from the Azure app registration.
[Image: Keycloak new client 7]
Mappers
When configuring roles and groups, the process is more tedious because the claims used for them are not standard: each provider uses a different method.
To collect the information the provider sends, you have to create mappers that retrieve it and translate it into the Keycloak environment.
- Group mappers
By default, Azure EntraID does not include the groups a user belongs to. To retrieve them, configure Azure to send a custom claim groups with token type ClientID.
[Image: Keycloak new client 8]
Then create a new mapper for the identity provider that maps the user group objectId to a Keycloak role.
[Image: Keycloak new client 9]
- App role mappers
To retrieve the app roles of an application registered in Azure EntraID, create an advanced claim custom role mapper that matches the role claim key against the name of the application role in Azure and maps it to the Keycloak role.
[Image: Keycloak new client 10]
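The two mappers above (group objectId to role, and app role name to role) both reduce to the same rule: a claim value grants a role only if a mapping table names it, and anything else grants nothing. The added example below (not AWE or Keycloak code) performs that translation in Python so the behaviour can be checked against sample claims; the objectIds, role names and claim sets are constructed. It also covers one Entra ID edge case worth knowing: when a user belongs to more groups than fit in the token, the groups claim is omitted and replaced by _claim_names/_claim_sources indicators, so a mapper that only reads groups silently grants nothing.

```python
"""Translate Azure Entra ID token claims into application roles.

Added example, not AWE or Keycloak code.  It performs, in Python, the work of
the two Keycloak identity-provider mappers described in this guide: the group
mapper turns objectIds from the `groups` claim into roles and the app-role
mapper turns entries of the `roles` claim into roles.  The objectIds, role
names and sample claim sets are constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed mapping tables standing in for the two mapper definitions.
GROUP_ID_TO_ROLE = {
    "0f8c3a2e-0000-4000-8000-000000000001": "awe-admin",
    "0f8c3a2e-0000-4000-8000-000000000002": "awe-user",
}
APP_ROLE_TO_ROLE = {"Task.Approver": "awe-approver", "Task.Reader": "awe-user"}


@dataclass
class RoleMapping:
    roles: set = field(default_factory=set)    # roles granted through a mapping
    ignored: set = field(default_factory=set)  # claim values with no mapping
    groups_overage: bool = False               # Entra ID left the groups claim out


def _as_list(value) -> list:
    """Claims may arrive as a single string or as an array; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def map_claims_to_roles(claims: dict) -> RoleMapping:
    """Grant only roles named by a mapping table; unknown claim values grant nothing."""
    result = RoleMapping()
    # With too many group memberships for the token, Entra ID omits `groups` and
    # announces it under `_claim_names`/`_claim_sources` instead.  Surface that
    # so the caller can fetch memberships elsewhere instead of granting nothing.
    if "groups" not in claims and "groups" in claims.get("_claim_names", {}):
        result.groups_overage = True
    for group_id in _as_list(claims.get("groups")):
        role = GROUP_ID_TO_ROLE.get(group_id)
        (result.roles if role else result.ignored).add(role or group_id)
    for app_role in _as_list(claims.get("roles")):
        role = APP_ROLE_TO_ROLE.get(app_role)
        (result.roles if role else result.ignored).add(role or app_role)
    return result


# Constructed ID-token payloads (only the claims relevant here).
NORMAL_CLAIMS = {
    "sub": "user-1",
    "preferred_username": "alice@example.com",
    "groups": [
        "0f8c3a2e-0000-4000-8000-000000000001",  # mapped to awe-admin
        "0f8c3a2e-0000-4000-8000-0000000000ff",  # no mapping: ignored
    ],
    "roles": ["Task.Approver", "Undefined.Role"],
}
OVERAGE_CLAIMS = {
    "sub": "user-2",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.example.invalid/getMemberObjects"}},
}

if __name__ == "__main__":
    print(map_claims_to_roles(NORMAL_CLAIMS))
    print(map_claims_to_roles(OVERAGE_CLAIMS))
```

Keeping the mapping table explicit is the point: the token's raw group identifiers and role names are never used as application roles directly, so a new or renamed group in the tenant cannot grant an application role until someone adds it to the mapper.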