Set up single sign-on using Microsoft Entra ID for Spring Cloud Gateway and API Portal

Note

The Basic, Standard, and Enterprise plans will be deprecated starting from mid-March, 2025, with a 3 year retirement period. We recommend transitioning to Azure Container Apps. For more information, see the Azure Spring Apps retirement announcement.

The Standard consumption and dedicated plan will be deprecated starting September 30, 2024, with a complete shutdown after six months. We recommend transitioning to Azure Container Apps. For more information, see Migrate Azure Spring Apps Standard consumption and dedicated plan to Azure Container Apps.

This article applies to: ❌ Basic/Standard ✔️ Enterprise

This article shows you how to configure single sign-on (SSO) for Spring Cloud Gateway or API Portal using Microsoft Entra ID as an OpenID identity provider.

Prerequisites

To enable SSO for Spring Cloud Gateway or API Portal, you need the following four properties configured:

SSO Property    Microsoft Entra Configuration
clientId        See Register App
clientSecret    See Create Client Secret
scope           See Configure Scope
issuerUri       See Generate Issuer URI

You'll configure the properties in Microsoft Entra ID in the following steps.

Assign an endpoint for Spring Cloud Gateway or API Portal

First, you must get the assigned public endpoint for Spring Cloud Gateway and API portal by following these steps:

  1. Open your Enterprise plan service instance in the Azure portal.
  2. Select Spring Cloud Gateway or API portal under VMware Tanzu components in the left menu.
  3. Select Yes next to Assign endpoint.
  4. Copy the URL for use in the next section of this article.

Create a Microsoft Entra application registration

Register your application to establish a trust relationship between your app and the Microsoft identity platform using the following steps:

  1. From the Home screen, select Microsoft Entra ID from the left menu.
  2. Select App Registrations under Manage, then select New registration.
  3. Enter a display name for your application under Name, then select an account type to register under Supported account types.
  4. In Redirect URI (optional) select Web, then enter the URL from the above section in the text box. The redirect URI is the location where Microsoft Entra ID redirects your client and sends security tokens after authentication.
  5. Select Register to finish registering the application.

When registration finishes, you'll see the Application (client) ID on the Overview screen of the App registrations page.

Add a redirect URI after app registration

You can also add redirect URIs after app registration by following these steps:

  1. From your application overview, under Manage in the left menu, select Authentication.
  2. Select Web, then select Add URI under Redirect URIs.
  3. Add a new redirect URI, then select Save.

Screenshot of adding a redirect URI to the authentication screen.

For more information on Application Registration, see Quickstart: Register an application with the Microsoft identity platform.

Add a client secret

The application uses a client secret to authenticate itself in the SSO workflow. You can add a client secret using the following steps:

  1. From your application overview, under Manage in the left menu, select Certificates & secrets.
  2. Select Client secrets, then select New client secret.
  3. Enter a description for the client secret, then set an expiration date.
  4. Select Add.

Warning

Remember to save the client secret in a secure place. You can't retrieve it after you leave this page. The client secret should be provided with the client ID when you sign in as the application.

Configure scope

The scope property of SSO is a list of scopes to be included in JWT identity tokens. They're often referred to as permissions. The Microsoft identity platform supports several OpenID Connect scopes, such as openid, email, and profile. For more information, see the OpenID Connect scopes section of Scopes and permissions in the Microsoft identity platform.

Configure issuer URI

The issuer URI is the URI that the OpenID provider asserts as its Issuer Identifier. For example, if the issuer-uri provided is https://example.com, then an OpenID Provider Configuration Request will be made to https://example.com/.well-known/openid-configuration.

The issuer URI of Microsoft Entra ID is like <authentication-endpoint>/<Your-TenantID>/v2.0. Replace <authentication-endpoint> with the authentication endpoint for your cloud environment (for example, https://login.microsoftonline.com for global Azure), and replace <Your-TenantID> with the Directory (tenant) ID where the application was registered.

Configure SSO

After configuring your Microsoft Entra application, you can set up the SSO properties of Spring Cloud Gateway or API Portal following these steps:

  1. Select Spring Cloud Gateway or API portal under VMware Tanzu components in the left menu, then select Configuration.
  2. Enter the Scope, Client Id, Client Secret, and Issuer URI in the appropriate fields. Separate multiple scopes with a comma.
  3. Select Save to enable the SSO configuration.
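As an added example (not part of the Azure documentation), the following Python script assembles the issuer URI in the form given in the Configure issuer URI section, derives the discovery URL, splits the comma-separated scope field from the Configure SSO steps, and checks that the issuer advertised by a discovery document matches the configured issuerUri. The tenant ID, client ID, secret and discovery document are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed sample values (placeholders, not real identifiers).
AUTH_ENDPOINT = "https://login.microsoftonline.com"   # global Azure endpoint
TENANT_ID = "00000000-0000-0000-0000-000000000000"    # placeholder tenant ID


def build_issuer_uri(auth_endpoint: str, tenant_id: str) -> str:
    """Issuer URI in the <authentication-endpoint>/<tenant-id>/v2.0 form."""
    return f"{auth_endpoint.rstrip('/')}/{tenant_id}/v2.0"


def discovery_url(issuer_uri: str) -> str:
    """URL the OpenID Provider Configuration Request is sent to."""
    return issuer_uri.rstrip("/") + "/.well-known/openid-configuration"


def parse_scopes(raw: str) -> list:
    """Split the comma-separated portal field; 'openid' is required for an ID token."""
    scopes = [s.strip() for s in raw.split(",") if s.strip()]
    if "openid" not in scopes:
        raise ValueError("scope must include 'openid'")
    return scopes


def check_sso_config(cfg: dict, discovery_doc: dict) -> list:
    """Return a list of problems; an empty list means the config is consistent."""
    problems = []
    for key in ("clientId", "clientSecret", "scope", "issuerUri"):
        if not cfg.get(key):
            problems.append(f"missing {key}")
    issuer = cfg.get("issuerUri", "")
    if urlparse(issuer).scheme != "https":
        problems.append("issuerUri must use https")
    # OIDC Discovery requires the metadata 'issuer' to equal the issuer URI queried.
    if discovery_doc.get("issuer") != issuer:
        problems.append(f"discovery issuer {discovery_doc.get('issuer')!r} != issuerUri {issuer!r}")
    return problems


# Constructed sample config and discovery document for a local check.
SAMPLE_CONFIG = {
    "clientId": "11111111-2222-3333-4444-555555555555",  # placeholder
    "clientSecret": "<client-secret-placeholder>",
    "scope": parse_scopes("openid, profile,email"),
    "issuerUri": build_issuer_uri(AUTH_ENDPOINT, TENANT_ID),
}
SAMPLE_DISCOVERY = {"issuer": f"{AUTH_ENDPOINT}/{TENANT_ID}/v2.0"}

if __name__ == "__main__":
    print(discovery_url(SAMPLE_CONFIG["issuerUri"]))
    print(check_sso_config(SAMPLE_CONFIG, SAMPLE_DISCOVERY) or "SSO config consistent")
```

In practice, fetch the discovery document from the URL returned by discovery_url and feed the parsed JSON to check_sso_config; a mismatch usually means the wrong tenant ID or cloud endpoint was entered.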

Note

After configuring SSO properties, remember to enable SSO for the Spring Cloud Gateway routes by setting ssoEnabled=true. For more information, see route configuration.

Next steps