Edit

Set up single sign-on using Azure Active Directory for Spring Cloud Gateway and API Portal

  • Article
  • 3 minutes to read

This article applies to: ❌ Basic/Standard tier ✔️ Enterprise tier

This article shows you how to configure single sign-on (SSO) for Spring Cloud Gateway or API Portal using the Azure Active Directory (Azure AD) as an OpenID identify provider.

Prerequisites

To enable SSO for Spring Cloud Gateway or API Portal, you need the following four properties configured:

SSO Property Azure AD Configuration
clientId See Register App
clientSecret See Create Client Secret
scope See Configure Scope
issuerUri See Generate Issuer URI

You'll configure the properties in Azure AD in the following steps.

Assign an endpoint for Spring Cloud Gateway or API Portal

First, you must get the assigned public endpoint for Spring Cloud Gateway and API portal by following these steps:

  1. Open your Enterprise tier service instance in Azure portal.
  2. Select Spring Cloud Gateway or API portal under VMware Tanzu components in the left menu.
  3. Select Yes next to Assign endpoint.
  4. Copy the URL for use in the next section of this article.

Create an Azure AD application registration

Register your application to establish a trust relationship between your app and the Microsoft identity platform using the following steps:

  1. From the Home screen, select Azure Active Directory from the left menu.
  2. Select App Registrations under Manage, then select New registration.
  3. Enter a display name for your application under Name, then select an account type to register under Supported account types.
  4. In Redirect URI (optional) select Web, then enter the URL from the above section in the text box. The redirect URI is the location where Azure AD redirects your client and sends security tokens after authentication.
  5. Select Register to finish registering the application.

Screenshot of how to fill out the Add App Registration screen.

When registration finishes, you'll see the Application (client) ID on the Overview screen of the App registrations* page.

Add a redirect URI after app registration

You can also add redirect URIs after app registration by following these steps:

  1. From your application overview, under Manage in the left menu, select Authentication.
  2. Select Web, then select Add URI under Redirect URIs.
  3. Add a new redirect URI, then select Save.

Screenshot of adding a redirect U R I to the authentication screen.

For more information on Application Registration, see Quickstart: Register an app in the Microsoft identity platform .

Add a client secret

The application uses a client secret to authenticate itself in SSO workflow. You can add a client secret using the following steps:

  1. From your application overview, under Manage in the left menu, select Certificates & secrets.
  2. Select Client secrets, then select New client secret.
  3. Enter a description for the client secret, then set an expiration date.
  4. Select Add.

Warning

Remember to save the client secret in a secure place. You can't retrieve it after you leave this page. The client secret should be provided with the client ID when you sign in as the application.

Configure scope

The scope property of SSO is a list of scopes to be included in JWT identity tokens. They're often referred to permissions. Identity platform supports several OpenID Connect scopes, such as openid, email and profile.

Configure issuer URI

The issuer URI is the URI that is asserted as its Issuer Identifier. For example, if the issuer-uri provided is https://example.com, then an OpenID Provider Configuration Request will be made to https://example.com/.well-known/openid-configuration.

The issuer URI of Azure AD is like <authentication-endpoint>/<Your-TenantID>/v2.0. Replace <authentication-endpoint> with the authentication endpoint for your cloud environment (for example, https://login.microsoftonline.com for global Azure), and replace <Your-TenantID> with the Directory (tenant) ID where the application was registered.

Configure SSO

After configuring your Azure AD application, you can set up the SSO properties of Spring Cloud Gateway or API Portal following these steps:

  1. Select Spring Cloud Gateway or API portal under VMware Tanzu components in the left menu, then select Configuration.
  2. Enter the Scope, Client Id, Client Secret, and Issuer URI in the appropriate fields. Separate multiple scopes with a comma.
  3. Select Save to enable the SSO configuration.

Note

After configuring SSO properties, remember to enable SSO for the Spring Cloud Gateway routes by setting ssoEnabled=true. For more information, see route configuration.

Next steps