Steps to configure Azure AD SSO using SPA with Public Client
Step 1: Register an Application in the Azure AD Portal
- Log into the Azure Portal.
- Navigate to Azure Active Directory > App registrations > New registration.
- Enter the following details to create an application:
- Name:
<Application name>
- Account types: Select single/multi-tenant account types.
- Redirect URI: Select the platform as SPA from the dropdown.
- Click Register.
Step 2: Configure Application for PKCE with SPA
- After the application is registered, note the Application’s Client Id and Directory (Tenant Id).
- Click the Redirect URIs link to navigate to the platform configurations page.
- Click Add a platform and select Single-page-application under the Web applications.
- Enter the redirect URI of the application. Example:
https://developer.apisec.ai/azureSPA.html
- Click Configure and save the platform configurations.
Step 3: Enter the Homepage URL
- Click Branding and properties under the Manage section.
- Enter the Homepage URL:
https://{environment}.apisec.ai/?cid=client_id&tid=tenant_id
- Example:
https://developer.apisec.ai/?cid=ff81da46-e7af-4fd0-8777-000000000000&tid=00000000-708d-4303-8cdc-385dce520000
- Click Save.
Step 4: Generate a Client Secret (Optional for SPA)
- Under the Manage section, click Certificates & secrets.
- Click New client secret.
- Enter description and expiry.
- Click Add.
- Copy the Client Secret value.
- Note: Generating client secret code is optional for SPA
Step 5: Create and Assign App Roles
- Click App roles under the Manage section.
- Enter a display name such as “Admin”.
- Select Users/Groups under Allowed member types.
- Enter Value and Description.
- Check the box Do you want to enable this role?.
- Click Apply.
Step 6: Assign Users/Groups with the Enterprise Application
- Navigate to the Enterprise Application from the home page.
- Search and select the application registered in Step 1.
- Click Assign users and groups link on the Overview page.
- Click Add user/group.
- Select the users.
- Select Roles & click Assign.
Step 6.2: Create & Assign Groups with the Application
- Go to the Home Overview page.
- Under Manage, click Groups.
- Click New group & fill in the details:
- Select Group type as Security.
- Enter Group name.
- Enter Membership type as Assigned.
- In Members under the Users list, select the users & click Select.
- Click Create to successfully add members to that specific group.
Step 7: Assign Permissions for the Group's Resource
Note: AD Groups support require the following configurations.
Step 7.1: Assign Delegated Permissions
- Go to Application registrations page & select the registered app.
- Under Manage, click API Permissions.
- Click Add a permission.
- Under Microsoft APIs, click Microsoft Graph.
- Click Delegated permissions & search for Group under the Select permissions search field.
- Expand Group & check the boxes.
- Click Add permissions.
Step 7.2: Assign Application Permissions
- Follow the same steps as mentioned in Step 7.1.
- Note: Under Microsoft Graph, click Application permissions.
Step 7.3: Assign Groups with the Enterprise Application
- Navigate to the Enterprise Application from the home page.
- Search and select the application registered in Step 1.
- Click Assign users and groups link on the Overview page.
- Click Add user group.
- Select Group & click Assign.
Step 8: Publish Application
- Click Properties under the Manage section.
- Click the toggle to enable Visible to users?.
- Click Apply changes.
Step 9: Configure SSO in APIsec
- Login to the APIsec application.
- Click on Configuration from the APIsec dashboard.
- Click on SSO and select SSO type as Azure from the dropdown.
- Enter the secret code copied from Step 4.
- Enter the Client Id and Tenant Id copied from Step 2.
- Click the toggle to Activate.
- Click Save.
Step 10: Confirm Login with SSO using OAuth2.0 - PKCE with Confidential Client
- Launch the URL
https://myapps.microsoft.com/
and select the registered application which redirects the user to the APIsec application dashboard. - Alternatively, the users may use the redirect link for the SP-initiated flow.