Set up single sign-on using Azure Active Directory for Spring Cloud Gateway and API Portal
This article applies to: ❌ Basic/Standard tier ✔️ Enterprise tier
This article shows you how to configure single sign-on (SSO) for Spring Cloud Gateway or API Portal using Azure Active Directory (Azure AD) as an OpenID identity provider.
Prerequisites
- An Enterprise tier instance with Spring Cloud Gateway or API portal enabled. For more information, see Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise tier.
- Sufficient permissions to manage Azure AD applications.
To enable SSO for Spring Cloud Gateway or API Portal, you need the following four properties configured:
| SSO property | Azure AD configuration |
|---|---|
| clientId | See Register App |
| clientSecret | See Create Client Secret |
| scope | See Configure Scope |
| issuerUri | See Generate Issuer URI |
You'll configure the properties in Azure AD in the following steps.
Assign an endpoint for Spring Cloud Gateway or API Portal
First, you must get the assigned public endpoint for Spring Cloud Gateway and API portal by following these steps:
- Open your Enterprise tier service instance in the Azure portal.
- Select Spring Cloud Gateway or API portal under VMware Tanzu components in the left menu.
- Select Yes next to Assign endpoint.
- Copy the URL for use in the next section of this article.
Create an Azure AD application registration
Register your application to establish a trust relationship between your app and the Microsoft identity platform using the following steps:
- From the Home screen, select Azure Active Directory from the left menu.
- Select App Registrations under Manage, then select New registration.
- Enter a display name for your application under Name, then select an account type to register under Supported account types.
- In Redirect URI (optional) select Web, then enter the URL from the above section in the text box. The redirect URI is the location where Azure AD redirects your client and sends security tokens after authentication.
- Select Register to finish registering the application.
When registration finishes, you'll see the Application (client) ID on the Overview screen of the App registrations page.
Add a redirect URI after app registration
You can also add redirect URIs after app registration by following these steps:
- From your application overview, under Manage in the left menu, select Authentication.
- Select Web, then select Add URI under Redirect URIs.
- Add a new redirect URI, then select Save.
For more information on application registration, see Quickstart: Register an app in the Microsoft identity platform.
Add a client secret
The application uses a client secret to authenticate itself in the SSO workflow. You can add a client secret using the following steps:
- From your application overview, under Manage in the left menu, select Certificates & secrets.
- Select Client secrets, then select New client secret.
- Enter a description for the client secret, then set an expiration date.
- Select Add.
Remember to save the client secret in a secure place. You can't retrieve it after you leave this page. The client secret should be provided with the client ID when you sign in as the application.
Configure scope
The scope property of SSO is a list of scopes to be included in JWT identity tokens. They're often referred to as permissions. The identity platform supports several OpenID Connect scopes.
Configure issuer URI
The issuer URI is the URI that the provider asserts as its Issuer Identifier. For example, if the issuer-uri provided is https://example.com, then an OpenID Provider Configuration Request is made against that URI.
The issuer URI of Azure AD contains two placeholders. Replace <authentication-endpoint> with the authentication endpoint for your cloud environment (for example, https://login.microsoftonline.com for global Azure), and replace <Your-TenantID> with the Directory (tenant) ID where the application was registered.
After configuring your Azure AD application, you can set up the SSO properties of Spring Cloud Gateway or API Portal following these steps:
- Select Spring Cloud Gateway or API portal under VMware Tanzu components in the left menu, then select Configuration.
- Enter the Client ID, Client Secret, Scope, and Issuer URI in the appropriate fields. Separate multiple scopes with a comma.
- Select Save to enable the SSO configuration.
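The following Python script is an added example, not code from the Azure documentation or from the Azure Spring Apps product. It pre-checks the four SSO properties (clientId, clientSecret, scope, issuerUri) described in the sections above before you paste them into the Configuration pane: it derives the provider configuration URL from the issuer URI, confirms that the issuer advertised in the provider metadata matches the configured issuerUri exactly (an OpenID Connect client rejects the configuration on a mismatch, and a stray trailing slash or an unreplaced placeholder is the usual cause), splits the comma-separated Scope field and checks each scope against scopes_supported, and requires the openid scope that OpenID Connect needs for an identity token. The metadata document and all identifiers are constructed placeholders so the check runs offline; the .well-known/openid-configuration path is the OpenID Connect Discovery convention and is assumed here, not taken from the article.

```python
"""Offline pre-flight check for Spring Cloud Gateway / API Portal SSO properties.

Added example; not part of the Azure Spring Apps documentation. Every value
below is a constructed placeholder, not a real tenant or application.
"""
from urllib.parse import urlparse

# Assumption: OpenID Connect Discovery places the provider metadata at
# <issuer>/.well-known/openid-configuration. The issuerUri you enter in the
# portal is the base of that request.
DISCOVERY_PATH = ".well-known/openid-configuration"


def discovery_url(issuer_uri: str) -> str:
    """Return the provider configuration URL derived from an issuer URI."""
    return issuer_uri.rstrip("/") + "/" + DISCOVERY_PATH


def parse_scopes(scope_field: str) -> list[str]:
    """Split the comma-separated Scope field from the portal into a list."""
    return [s.strip() for s in scope_field.split(",") if s.strip()]


def validate_sso_properties(props: dict, discovery_doc: dict) -> list[str]:
    """Return a list of problems found; an empty list means the properties look consistent."""
    problems: list[str] = []

    issuer_uri = props.get("issuerUri", "")
    parsed = urlparse(issuer_uri)
    if parsed.scheme != "https" or not parsed.netloc:
        problems.append("issuerUri must be an absolute https URL")
    if "<" in issuer_uri or ">" in issuer_uri:
        problems.append("issuerUri still contains an unreplaced placeholder")
    # The metadata's "issuer" must equal the configured value byte for byte;
    # a trailing slash or a wrong tenant ID shows up here.
    advertised = discovery_doc.get("issuer")
    if advertised != issuer_uri:
        problems.append(
            f"issuer mismatch: metadata says {advertised!r}, configured {issuer_uri!r}"
        )

    scopes = parse_scopes(props.get("scope", ""))
    if "openid" not in scopes:
        problems.append("scope must include 'openid' for an OpenID Connect login")
    supported = set(discovery_doc.get("scopes_supported", []))
    for scope in scopes:
        if supported and scope not in supported:
            problems.append(f"scope {scope!r} is not advertised in scopes_supported")

    if not props.get("clientId"):
        problems.append("clientId is empty")
    if not props.get("clientSecret"):
        problems.append("clientSecret is empty (copy it when you create it; it cannot be read back)")
    return problems


# Constructed sample provider metadata (shape follows OIDC Discovery; the host,
# tenant and endpoints are placeholders, not Azure AD values).
SAMPLE_DISCOVERY = {
    "issuer": "https://login.example.test/TENANT-ID-PLACEHOLDER",
    "authorization_endpoint": "https://login.example.test/TENANT-ID-PLACEHOLDER/oauth2/authorize",
    "token_endpoint": "https://login.example.test/TENANT-ID-PLACEHOLDER/oauth2/token",
    "jwks_uri": "https://login.example.test/TENANT-ID-PLACEHOLDER/discovery/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
}

# Constructed property sets: one consistent, one with three typical mistakes
# (trailing slash on issuerUri, an unsupported scope, and an empty secret).
GOOD_PROPS = {
    "clientId": "CLIENT-ID-PLACEHOLDER",
    "clientSecret": "CLIENT-SECRET-PLACEHOLDER",
    "scope": "openid, profile, email",
    "issuerUri": "https://login.example.test/TENANT-ID-PLACEHOLDER",
}
BAD_PROPS = {
    "clientId": "CLIENT-ID-PLACEHOLDER",
    "clientSecret": "",
    "scope": "openid,profile,mail",
    "issuerUri": "https://login.example.test/TENANT-ID-PLACEHOLDER/",
}

if __name__ == "__main__":
    print("discovery URL:", discovery_url(GOOD_PROPS["issuerUri"]))
    for name, props in (("good", GOOD_PROPS), ("bad", BAD_PROPS)):
        found = validate_sso_properties(props, SAMPLE_DISCOVERY)
        print(name, "->", found or "OK")
```

In a real check you would fetch discovery_url(issuerUri) over HTTPS and pass the parsed JSON as discovery_doc; the offline document above only stands in for that response.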
After configuring SSO properties, remember to enable SSO for the Spring Cloud Gateway routes by setting ssoEnabled=true. For more information, see route configuration.