SSO OpenId Connect with Azure AD / Entra
Setting up single sign-on to AudioEye using Azure's Active Directory and Microsoft Entra.
Intended audience: IT Systems Administrators
This article walks you through setting up single sign-on to AudioEye using Azure's Active Directory and Microsoft Entra.
Configuring SSO with AudioEye requires you to provide three pieces of information from Azure:
- Application ID
- Client Secret
- OpenID Connect URL
This guide will show you how to set up the application in Azure's Active Directory and obtain the information you need to provide to AudioEye.
Please Note: This guide assumes that:
- The client will configure their SSO to use a single tenancy (Default Directory only - Single tenant).
- Users managed by the client will have their email set under their profiles. This is editable in the Entra ID portal. If this is not the case, AudioEye will not be able to resolve the user’s email and will automatically generate a fake email address.
Step 1: Register AudioEye as a Web App with Azure
- Log into Microsoft Azure.
- Navigate to Microsoft Entra ID.
- Navigate to App registrations under the Manage section of the side menu.
- Click/activate the New registration button to open the registration form.
- Enter a display Name for your application. Note: Users of the application may see the display name when they use the app, for example during sign-in.
- Specify who can use the application, selecting the Accounts in this organizational directory only option.
- Under Redirect URI:
  - Select Web as the option in the first dropdown field.
  - Enter https://auth.audioeye.com/oauth2/idpresponse for the redirect URI value.
- Click/activate the Register button to create the app.
Once Azure has created the app, you'll be redirected to the app Overview page. Do not navigate away - next steps will proceed from here.
Step 2: Configure the Application & Create a Client Secret
- In the side menu, under the Manage section, navigate to Authentication.
- Find the Front-channel logout URL text field.
- Enter https://portal.audioeye.com/logout.
- Click/activate Save.
- Next, navigate to Certificates & secrets, also under Manage in the side menu navigation.
- Click/activate the Client secrets tab.
- Click/activate the + New client secret button.
- Add a description for your client secret.
- Select an expiration for the secret or specify a custom lifetime.
- Click/activate Add. Do not navigate away from the next screen.
- Azure will now display the secrets listing page, and you should see the newly created secret displayed. Do not navigate away. You will need to copy the secret, and it will disappear forever once you leave this page.
- Click/activate the Copy to clipboard button next to the Value record.
- Save this value in a text editor. This value will need to be given to AudioEye after the process is complete.
Step 3: Grant the App API Permissions
- While still within the context of the view for the application you just created, click/activate the API permissions item in the Manage menu.
- Click/activate the + Add a permission button.
- Under Select an API click/activate the Microsoft Graph option.
- Click/activate Delegated Permissions.
- Under OpenId permissions check the email, openid, and profile items.
- Click/activate Add Permissions.
Step 4: Collect App information to send to AudioEye
At this stage the SSO configuration has been completely set up in Azure. Now AudioEye will need to complete the configuration on our end, which requires some information from your SSO setup.
Use the steps below to retrieve the Application ID, Application Secret, OIDC URL and Domains, and replace the values below with your own in a text file that can be sent to your AudioEye account manager.
Application ID: Your-Application-ID
Application Secret: Your-Application-Secret
OIDC URL: https://login.microsoftonline.com/redacted/v2.0/.well-known/openid-configuration
Domains: my-domain.com, my-domain.org
- To retrieve the Application ID, while still in the view of the application you created, click/activate the Overview menu item below the search bar.
- The Application ID will be displayed as one of the properties. Use the copy to clipboard icon to copy/paste the application ID into the same text-editor you used to store the client secret.
- To retrieve the OIDC URL, in the Overview screen (from the previous step) there is an Endpoints button to the right of the search bar. Click/activate that Endpoints button.
- Find the OpenID Connect metadata document URL and copy the link.
- Paste the link into the same text-editor you used to store the client secret and app id.
- Finally, copy the values you copied for the Application ID, Secret, and OpenID URL into a text file formatted as laid out above.
- Under Domains, enter the email domains used for company accounts that you plan to give access to AudioEye. If you have more than one, specify them as a comma-separated list.
- Once complete, save the file and send it to your AudioEye Account manager so that AudioEye can complete the SSO setup on our end.
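A pre-send check for the four-field text file described in Step 4, as an added example that is not AudioEye's or Microsoft's code. The GUID and domain patterns, the sample values and the Secret ID heuristic are assumptions of this example; it verifies that the OIDC URL names one specific tenant, matching the single-tenant assumption at the top of this guide.

```python
import re
from urllib.parse import urlparse

GUID = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
DOMAIN = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I)
# Tenant aliases that are not a single tenant; "redacted" is the article's placeholder.
NOT_SINGLE_TENANT = {"common", "organizations", "consumers", "redacted"}
OIDC_SUFFIX = "/v2.0/.well-known/openid-configuration"

def parse_handoff(text):
    """Split 'Label: value' lines on the first colon (URLs contain more)."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            label, value = line.split(":", 1)
            fields[label.strip()] = value.strip()
    return fields

def check_handoff(text):
    """Return a list of problems; an empty list means the file looks consistent."""
    f, problems = parse_handoff(text), []
    if not GUID.match(f.get("Application ID", "")):
        problems.append("Application ID is not a GUID")
    secret = f.get("Application Secret", "")
    if not secret or secret == "Your-Application-Secret":
        problems.append("Application Secret is missing or still the placeholder")
    elif GUID.match(secret):
        # Assumption: the portal lists a GUID "Secret ID" beside the secret "Value".
        problems.append("Application Secret looks like the Secret ID, not the Value")
    url = urlparse(f.get("OIDC URL", ""))
    tenant = url.path[: -len(OIDC_SUFFIX)].strip("/") if url.path.endswith(OIDC_SUFFIX) else None
    if url.scheme != "https" or url.hostname != "login.microsoftonline.com" or tenant is None:
        problems.append("OIDC URL is not the Microsoft v2.0 metadata document URL")
    elif not tenant or "/" in tenant or tenant.lower() in NOT_SINGLE_TENANT:
        problems.append("OIDC URL does not name one specific tenant")
    domains = [d.strip() for d in f.get("Domains", "").split(",")]
    bad = [d for d in domains if not DOMAIN.match(d)]
    if bad:
        problems.append("Invalid email domain(s): " + ", ".join(bad))
    return problems

# Constructed sample values, not real identifiers.
SAMPLE = """Application ID: 11111111-2222-3333-4444-555555555555
Application Secret: constructed-sample-secret-value
OIDC URL: https://login.microsoftonline.com/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/v2.0/.well-known/openid-configuration
Domains: my-domain.com, my-domain.org"""

if __name__ == "__main__":
    print(check_handoff(SAMPLE) or "handoff file looks consistent")
```

The check never prints the secret itself, only a description of what is wrong with a field.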