mirror of https://github.com/nocodb/nocodb
---
title: 'Azure AD (Entra)'
description: 'Learn how to configure Azure AD as an identity provider for NocoDB.'
tags: ['SSO', 'Azure AD', 'OIDC']
keywords: ['SSO', 'Azure AD', 'OIDC', 'Authentication', 'Identity Provider']
---

This article walks through the steps to configure Azure AD as an identity provider for NocoDB.
### NocoDB, Retrieve `Redirect URL`
1. Go to `Account Settings`
2. Select `Authentication (SSO)`
3. Click on `New Provider` button
4. In the popup modal, specify a `Display name` for the provider; this name is used to show the provider on the login page
5. Copy the `Redirect URL`; you will need it later when registering the application with the identity provider
![OIDC SSO Configuration](/img/v2/account-settings/SSO-1.png)
![OIDC SSO Configuration](/img/v2/account-settings/OIDC-2.png)
![OIDC SSO Configuration](/img/v2/account-settings/OIDC-3.png)
### Azure AD, Configure NocoDB as an Application
1. Sign in to your [Azure account](https://portal.azure.com/#allservices) and navigate to `Azure Active Directory` under `Azure Services`.
2. Access `Manage Tenants` from the navigation bar, select your directory, and click `Switch`.
3. On your directory's homepage, click `+ Add` > `App Registration` from the navigation bar.
4. On the `Register an application` page,
   - Provide your application's name.
   - Set `Accounts in this organizational directory only` as the `Supported account types`.
   - Choose `Web` as the application type.
   - Add the `Redirect URL` under `Redirect URIs`.
   - Click `Register`.
5. On your application's homepage,
   - Copy the `Application (client) ID`
   - Click `Add a certificate or secret` under the `Client credentials` section
   - On the `Certificates & secrets` page, go to the `Client secrets` section
   - Click `New client secret`
   - On the `Add a client secret` page,
     - Add a description for the secret
     - Set the expiration as required
     - Click `Add`
   - Copy the `Value` of the newly created secret
6. On your application's homepage,
   - Go to the `Endpoints` tab
   - Open the `OpenID Connect metadata document` URL and copy `authorization_endpoint`, `token_endpoint`, `userinfo_endpoint` and `jwks_uri` from the JSON response
7. Configure scopes
   - Go to the `API permissions` tab
   - Click `Add a permission`
   - On the `Request API permissions` page,
     - Select `Microsoft Graph` from `Microsoft APIs`
     - Select `Delegated permissions`
     - Select `openid`, `profile`, `email` and `offline_access` from the `Select permissions` dropdown
     - From the `Users` dropdown, select `User.Read`
     - Click `Add permissions`
   - Click `Grant admin consent for this directory` on the `API permissions` page

### NocoDB, Configure Azure AD as an Identity Provider
In NocoDB, open `Account Settings` > `Authentication` > `OIDC`. In the `Register OIDC Identity Provider` modal, enter the following information:

- Insert the `Application (client) ID` retrieved in step 5 above as `Client ID`
- Insert the `Value` of the newly created secret retrieved in step 5 above as `Client Secret`
- Insert `authorization_endpoint` retrieved in step 6 above as `Authorization URL`
- Insert `token_endpoint` retrieved in step 6 above as `Token URL`
- Insert `userinfo_endpoint` retrieved in step 6 above as `Userinfo URL`
- Insert `jwks_uri` retrieved in step 6 above as `JWK Set URL`
- Set `Scope` as `openid` `profile` `email` `offline_access`
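Before pasting the values into the form, it is worth checking that the metadata document from step 6 actually contains the four endpoints over HTTPS and advertises every scope the provider entry will request. The following Python snippet is an added example, not part of the NocoDB docs or code base; the discovery document it parses is a constructed sample with a placeholder tenant ID, and `nocodb_oidc_settings` is a hypothetical helper name.

```python
import json
from urllib.parse import urlparse

# Discovery keys copied in step 6, mapped to the NocoDB form fields they fill.
FIELD_MAP = {
    "authorization_endpoint": "Authorization URL",
    "token_endpoint": "Token URL",
    "userinfo_endpoint": "Userinfo URL",
    "jwks_uri": "JWK Set URL",
}
# Scopes the NocoDB provider entry requests (must match the API permissions granted).
REQUIRED_SCOPES = ("openid", "profile", "email", "offline_access")

# Constructed sample in the shape of the Azure AD v2.0 metadata document;
# TENANT-ID-PLACEHOLDER stands in for a real directory (tenant) ID.
SAMPLE_METADATA = json.loads("""{
  "issuer": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0",
  "authorization_endpoint": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/authorize",
  "token_endpoint": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/token",
  "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
  "jwks_uri": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/discovery/v2.0/keys",
  "scopes_supported": ["openid", "profile", "email", "offline_access"]
}""")

def nocodb_oidc_settings(metadata: dict) -> dict:
    """Derive the NocoDB OIDC form values from a parsed discovery document.

    Raises ValueError for a missing or non-HTTPS endpoint, or a required scope the
    provider does not advertise, so a mis-copied document is caught before saving.
    """
    settings = {}
    for key, field in FIELD_MAP.items():
        url = metadata.get(key)
        if not url:
            raise ValueError(f"discovery document lacks {key}")
        if urlparse(url).scheme != "https":
            raise ValueError(f"{key} must use https, got {url}")
        settings[field] = url
    advertised = set(metadata.get("scopes_supported", []))
    missing = [s for s in REQUIRED_SCOPES if s not in advertised]
    if missing:
        raise ValueError(f"provider does not advertise scopes: {missing}")
    settings["Scope"] = " ".join(REQUIRED_SCOPES)
    return settings

if __name__ == "__main__":
    for field, value in nocodb_oidc_settings(SAMPLE_METADATA).items():
        print(f"{field}: {value}")
```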
On the sign-in page, users should now see a `Sign in with <SSO>` option.
![SAML SSO Configuration](/img/v2/account-settings/SSO-SignIn.png)
:::note
After signing out, refresh the page (the first time) if you do not see the `Sign in with <SSO>` option
:::
For more information about Azure AD API scopes, see the [Microsoft documentation on permissions and consent](https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#offline_access).