diff --git a/packages/noco-docs/docs/140.account-settings/040.authentication/040.OIDC-SSO/040.azure-ad.md b/packages/noco-docs/docs/140.account-settings/040.authentication/040.OIDC-SSO/040.azure-ad.md index e69de29bb2..18a652a18b 100644 --- a/packages/noco-docs/docs/140.account-settings/040.authentication/040.OIDC-SSO/040.azure-ad.md +++ b/packages/noco-docs/docs/140.account-settings/040.authentication/040.OIDC-SSO/040.azure-ad.md 
@@ -0,0 +1,63 @@ +--- +title: 'Azure AD' +description: 'Learn how to configure Azure AD as an identity provider for NocoDB.' +tags: ['SSO', 'Azure AD', 'OIDC'] +keywords: ['SSO', 'Azure AD', 'OIDC', 'Authentication', 'Identity Provider'] +--- + +This article briefs about the steps to configure Azure AD as Identity service provider for NocoDB + +1. Enable `OIDC SSO` on NocoDB + - Go to `Account Settings` > `Authentication` + - Activate `OIDC` toggle button +2. Retrieve `Redirect URL` from NocoDB + - Go to `Account Settings` > `Authentication` > `OIDC` + - Note down `Redirect URL` ; these information will be required to be configured later with the Identity Provider +3. Sign in to your [Azure account](https://portal.azure.com/#allservices) and navigate to `Azure Active Directory` under `Azure Services`. +4. Access `Manage Tenants` from the navigation bar, select your directory, and click `Switch`. +5. On your directory's homepage, click `+ Add` > `App Registration` from the navigation bar. +6. On the `Register an application` page, + - Provide your application's name. + - Set `Accounts in this organizational directory only` as the `Supported account types`. + - Choose `Web` as the Application type + - Add the `Redirect URL` under `Redirect URIs`. + - `Register` +7. On your application's homepage, + - Copy the `Application (client) ID` + - Click `Add a certificate or secret` under `Client credentials` section + - On `Certificates & secrets` page, go to `Client secrets` section + - Click `New client secret` + - On `Add a client secret` page, + - Add a description for the secret + - Set expiration as required + - `Add` + - Copy the `Value` of the newly created secret +8. On your application's homepage, + - Go to `Endpoints` tab + - Open `OpenID Connect metadata document` URL & copy `authorization_endpoint`, `token_endpoint`, `userinfo_endpoint` & `jwks_uri` from the JSON response +9. 
Configuring scopes + - Go to `API permissions` tab + - Click `Add a permission` + - On `Request API permissions` page, + - Select `Microsoft Graph` from `Microsoft APIs` + - Select `Delegated permissions` + - Select `openid` `profile` `email` `offline_access` from `Select permissions` dropdown + - From `Users` dropdown, select `User.Read` + - `Add permissions` + - Click `Grant admin consent for this directory` from the `API permissions` page +10. On NocoDB, open `Account Settings` > `Authentication` > `OIDC` + - Insert `Application (client) ID` retrieved in step (7) above as `Client ID` + - Insert `Value` of the newly created secret retrieved in step (7) above as `Client Secret` + - Insert `authorization_endpoint` retrieved in step (8) above as `Authorization URL` + - Insert `token_endpoint` retrieved in step (8) above as `Token URL` + - Insert `userinfo_endpoint` retrieved in step (8) above as `Userinfo URL` + - Insert `jwks_uri` retrieved in step (8) above as `JWK Set URL` + - Set `Scope` as `openid` `profile` `email` `offline_access` + +- For Sign-in's, user should be able to now see `Sign in with ` option. + +:::note +Post sign-out, refresh page (for the first time) if you do not see `Sign in with ` option +::: + +For information about Azure AD API Scopes, refer [here](https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#offline_access) \ No newline at end of file
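Review bot: The sign-in button label is incomplete in two places near the end of the hunk: `Sign in with ` (the bullet after step 10) and the same string inside the `:::note` block both end in a trailing space with no provider name, so the rendered page will tell users to look for a button called "Sign in with" and nothing else. Fill in the label NocoDB actually renders for this provider, or reword to "the OIDC sign-in option". In the same pass, fix "these information will be required to be configured later" in step 2 to "this information will be needed later when configuring the Identity Provider", and consider adding one sentence to step 7 saying that the secret `Value` is only displayed once after creation and that NocoDB sign-in will stop working when the chosen expiration is reached, so the secret must be rotated in both Azure and NocoDB before that date; the hunk currently says "Set expiration as required" without mentioning either consequence.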