Single Sign-On with Microsoft Entra ID
Last updated
Was this helpful?
Connectware 1.11.0
Last updated
Was this helpful?
You can configure Microsoft Entra ID (formerly Azure Active Directory) as the identity provider for single sign-on in Connectware.
In order to set up single sign-on with Entra ID, you must complete the following tasks:
Configure Entra ID in the Microsoft Entra admin center for Connectware authentication.
Update the Connectware configuration with the Entra ID information.
Kubernetes: Modify the values.yaml file.
Docker: Modify the .env file.
Configure Connectware to use Entra ID as the identity provider.
For more information on Microsoft Entra, see the .
License: Connectware Enterprise license required. For more information, see .
Microsoft Entra admin center: Access to the Microsoft Entra admin center ().
Configuration: Access to the Connectware configuration file.
Kubernetes: Modify the values.yaml file.
Docker: Modify the .env file.
When configuring Entra ID, you will obtain the following information that you must note down for configuring the Entra ID setup in Connectware at a later stage of the setup procedure.
Application (client) ID
The application (client) ID in Entra ID is a unique identifier that is assigned to Connectware when you register it in Entra ID. It is used to identify Connectware to Entra ID when users sign in.
Directory (tenant) ID
The directory (tenant) ID in Entra ID is a unique identifier that represents your organization's directory instance.
Client secret
The client secret in Entra ID is a confidential key that Connectware uses together with the Application (client) ID to authenticate itself with Entra ID when requesting tokens.
Redirect URI
A URI (Uniform Resource Identifier) that specifies the Connectware URL that users will be redirected to after authenticating with Entra ID. When configuring Connectware for Entra, you'll set this URI via the callBackDomain parameter (Kubernetes) or the CYBUS_MS_ENTRA_ID_CALLBACK_DOMAINparameter (Docker).
Configure the following environment variables to enable Entra ID authentication. Parameters differ between Kubernetes and Docker deployments.
global.authentication.entraId.enabled
If set to true, Entra ID is enabled. If set to false, Entra ID is disabled.
Default: false
Schema type: boolean
Required
global.authentication.entraId.clientId
Your Application (client) ID as provided by Entra ID Schema type: string
Required
global.authentication.entraId.tenantId
Your Directory (tenant) ID as provided by Entra ID Schema type: string
Required
global.authentication.entraId.clientSecret
Confidential key (in plain text) for authenticating with Entra ID. clientSecret is ignored if existingClientSecret is defined.
Schema type: string
Required*
global.authentication.entraId.existingClientSecret
Name of an existing Kubernetes secret containing the client secret Schema type: string
Required*
global.authentication.entraId.callbackDomain
Specifies the Connectware URL that users will be redirected to after authenticating with their Entra ID credentials Schema type: string
Required
global.authentication.entraId.issuerUrl
Identity provider's token issuing URL Schema type: string
Optional
global.authentication.entraId.usernameMappingField
User attribute to use as username. If not set, the default value is used.
Default: preferred_username
Allowed values:name , oid, preferred_username
Schema type: string
Optional
* You must provide either clientSecret or existingClientSecret. For enhanced security, use existingClientSecret instead of clientSecret.
When authenticating users, you must configure a redirect URI for Microsoft Entra authorization. This redirect URI serves as a critical security mechanism that ensures authentication codes and tokens reach only their intended destination.
A redirect URI (or response URL) specifies where Microsoft Entra will send users after authenticating with their Entra ID credentials.. For Connectware, the redirect URI must point to the endpoint where your Connectware instance is running.
This section guides you through the required configuration steps in the Microsoft Entra admin center.
You must define a redirect URI (Uniform Resource Identifier). This is the Connectware URL that users will be redirected to after authenticating with their Entra ID credentials. When configuring Connectware for Entra ID in a later step, you will need to enter the redirect URI as the value for the callBackDomain parameter (Kubernetes) or the CYBUS_MS_ENTRA_ID_CALLBACK_DOMAIN parameter (Docker).
Click Authentication.
In the Platform configurations section, click Add platform.
In the Configure platforms section, click Web.
In the Redirect URIs field, enter your redirect URI. This is the Connectware URL that users will be redirected to after authenticating with their Entra ID credentials.
Click Configure.
In the Implicit grant and hybrid flows section, activate ID tokens (used for implicit and hybrid flows).
Click Save.
Credentials enable confidential applications to identify themselves to the authentication service when receiving tokens at a web addressable location.
Click Certificates & secrets.
In the Client secrets section, click New client secret.
In the Add a client secret section, enter a description and the expiration time period.
Click Add.
Note down the client secret key displayed in the Value column.
After initial setup, you cannot see the client secret key. If you did not record the client secret key, you must generate a new one.
You must configure optional claims in Entra ID. Optional claims are used to configure additional information which is returned in one or more tokens.
Click Token configuration.
In the Optional claims section, click Add groups claim.
In the Select group types section, select your group type. We suggest to use Security groups.
In the Customize token properties by type section, click ID and select Group ID.
Click Add.
This section shows you how to update your Connectware configuration files to integrate with Entra ID.
To use Entra ID with a new Connectware installation or with your existing Connectware setup, you must update your Connectware configuration file. The update procedure depends on your current installation method.
If you're running Connectware on Docker, you must update your .env file.
If you're running Connectware on Kubernetes, you must update your values.yaml file.
Open the values.yaml file.
You must provide either clientSecret or existingClientSecret. For enhanced security, use existingClientSecret instead of clientSecret.
Optional: Customize the username mapping field via the following Helm value:
After configuring your values.yaml file, deploy or update Connectware using the following command:
This section explains how to configure user group permissions through the Connectware admin UI.
In order to use user groups with Entra ID, you must create user groups in the Microsoft Entra admin center that match their intended Connectware roles. These groups enable role synchronization between Entra ID and Connectware, ensuring users have appropriate permissions when accessing the system.
You can create flexible mappings between Entra ID groups and Connectware roles through a many-to-many relationship:
You can assign a single Entra ID group to multiple Connectware roles
You can link a single Connectware role to multiple Entra ID groups
Example: For Connectware, you want to give your IT department admin permissions and your engineering department restricted permissions. In Entra ID, you have defined the groups it and engineering. In Connectware, you then assign the it ID to the connectware-admin role and the engineering ID to the minimum-access role. Now, when someone from the IT department logs into Connectware, the Connectware admin permissions are granted. If someone from engineering logs into Connectware, minimum access permissions are granted.
You can create new groups in Entra ID for each Connectware role that you need. Changes in Entra ID group membership are reflected in Connectware upon next user login.
In the Microsoft Entra admin center, select Identity > Groups > Overview.
Click New group.
Enter a Group type, Group name, and Membership type.
Click Create.
Repeat these steps for each group that you need to create for your Connectware roles.
In Connectware, click User on the navigation panel.
Select the Roles tab.
Click the role that you want to synchronize with an Entra ID group.
In the Edit Role dialog, enter the ID of the Entra ID group in the ObjectID of Entra field and press Enter. To link multiple Entra ID groups to a role, enter the group IDs of the Entra ID groups as a comma-separated list without spaces. Example: id-1,id-2,id-3
Click Update.
To log in with your Entra ID login, click Sign in with Entra ID on the Connectware login screen.
is not available when using Entra ID as your authentication provider.
Go to the Microsoft Entra admin center () and log in.
In the Overview section, note down the following values. You will need these values for configuring your Connectware setup. For more information, see .
During the following update procedure, you need to enter the that you have noted down during the in the Microsoft Entra admin center.
Now you must configure the helm file to enable Entra ID. For this, you need the that were provided when .
Configure the following helm values to enable and configure Entra ID. For a list of all Kubernetes Entra ID parameters, see :
Now you must configure the .env file to enable Entra ID. For this you need the that were provided when .
Configure the following environment variables to enable and configure Entra ID. Make sure that you have encoded your client secret as base64. For a list of all Docker Entra ID parameters, see :
For a list of all environment variables for Docker Compose, see .
If you already have existing groups in Entra ID that you want to use with Connectware, you can skip this section and proceed to .
After is complete, you can access Connectware using your Entra ID credentials.
Besides configuring Entra ID via the Connectware UI, you can also configure Entra ID in Connectware via the Connectware API. For more information, see the for user management configurations.
