Configure SSO with Entra ID in Topicus KeyHub

During the KeyHub installation you can configure single sign-on (SSO) with Entra ID (formerly Azure Active Directory). The KeyHub side needs three values from Azure: the client identifier, the client secret and, for the domain restriction, the tenant's domain name. The steps below walk through obtaining each of them.

Configure SSO


Select 'OIDC' as the directory type, give your directory a name, and select 'Microsoft Azure Active Directory' as the provider.

Next, the ‘client identifier’ and ‘client secret’ are required. Both come from an app registration in Azure; how to create it and read the values off is described below.

To ensure that only users from your own Azure tenant can register an account in KeyHub, set the domain restriction to your domain. This is the domain name after the @ in your users' email addresses. You can also find this domain in the Azure AD overview under the menu item Custom domain names; use a domain that is listed there as verified.

For example, for user@topicus-keyhub.com, you would use topicus-keyhub.com as the domain restriction.

If you leave this field blank, you will not be able to use the single-tenant option in Azure. Supporting multiple domains requires a paid subscription with Microsoft and is beyond the scope of this guide.


Retrieving the Client ID
Go to the Azure Portal and search for "App registrations". This will display the overview of your App registrations.

Application and Object ID


For single sign-on with Topicus KeyHub, a new app registration is required. Click "+ New registration" to create a new application. The following screen will be displayed:

Create new application


Select the single-tenant option under "Supported account types", so that only accounts in your own tenant can sign in. Under ‘Redirect URI’, choose the "Web" platform and enter your public KeyHub URL on Azure combined with the path ‘/login/oidc’. Azure compares this value character for character with the URI KeyHub sends during login, so scheme, host and path must match exactly (https, no trailing slash after the path). In the configuration in this document, the Redirect URI is: ‘https://keyhub-azure.westeurope.cloudapp.azure.com/login/oidc’.

After providing this information, the ‘App registration’ can be created. Once created, the Application (client) ID is shown on the overview page, which looks something like this:

Retrieving the Application ID


Applying the Client ID
The Application (client) ID of the Azure app registration is required in the corresponding configuration step in Topicus KeyHub and must be entered in the 'Client identifier' field. Do not confuse it with the Object ID shown next to it; KeyHub needs the Application (client) ID.

Retrieving the Client Secret
For the final step of the SSO configuration, the client secret is required. This secret is generated by Azure AD in the app registration. Go to the “App registration” created in the previous step and navigate to Settings, then “Certificates & secrets”. The screen should look something like this.

App registration keys


Here, a client secret can be generated. To do this, click on "New client secret".

App registration keys


Give your secret a name and select an expiration period. Choose the shortest period that is practical and record the expiry date: once the secret expires, Azure rejects KeyHub's token requests and SSO logins fail until a new secret has been generated and entered in KeyHub. Click "Add" and copy the generated value for use in KeyHub.

App registration keys

Important: the value is no longer available after you leave this screen!

This value must be entered as the “Client secret” in the Directory configuration screen in Topicus KeyHub. Treat it like a password: store it only in KeyHub (or a secret store), never in tickets, chat or documentation.
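The same procedure scripted with the Azure CLI, as an added example that is not part of the original guide and not KeyHub's own code: it builds the redirect URI from the public KeyHub URL, checks that the chosen domain restriction is a verified domain of the tenant, creates the single-tenant app registration and generates a client secret, printing the client identifier and secret once. It assumes Azure CLI 2.37 or later, already logged in with rights to create app registrations; the display name "Topicus KeyHub", the one-year secret lifetime and the KEYHUB_* environment variables are illustrative choices, not KeyHub requirements. The domain_allowed function illustrates the strict comparison a domain restriction needs (exact, case-insensitive match on the part after the @); it is not KeyHub's implementation.

```shell
#!/bin/sh
# Added example (not from the KeyHub guide). Requires: az >= 2.37, logged in.
set -eu

# Redirect URI = public KeyHub URL + /login/oidc, without a doubled slash.
# Azure matches this value exactly, so the scheme must be https and the
# path must end in /login/oidc with no trailing slash.
keyhub_redirect_uri() {
  base=${1%/}
  case "$base" in
    https://*) ;;
    *) echo "public KeyHub URL must start with https://" >&2; return 1 ;;
  esac
  printf '%s/login/oidc\n' "$base"
}

# Strict domain restriction check: the part after the last '@' must equal
# the configured domain exactly (case-insensitive). A suffix match would
# accept look-alikes such as eviltopicus-keyhub.com or
# topicus-keyhub.com.attacker.net; an exact match rejects both.
domain_allowed() {
  email=$1
  allowed=$2
  case "$email" in
    *@*) ;;
    *) return 1 ;;
  esac
  have=$(printf '%s' "${email##*@}" | tr '[:upper:]' '[:lower:]')
  want=$(printf '%s' "$allowed" | tr '[:upper:]' '[:lower:]')
  [ -n "$have" ] && [ "$have" = "$want" ]
}

# True when the domain is listed as verified in this tenant (Custom domain
# names in the Azure portal), queried through Microsoft Graph.
keyhub_check_domain_verified() {
  az rest --method get --url 'https://graph.microsoft.com/v1.0/domains' \
    --query 'value[?isVerified].id' -o tsv | grep -qix "$1"
}

# Create the single-tenant app registration and a client secret.
keyhub_create_app_registration() {
  display_name=$1
  public_url=$2
  redirect_uri=$(keyhub_redirect_uri "$public_url") || return 1

  # AzureADMyOrg = "Accounts in this organizational directory only"
  # (the single-tenant option). The returned appId is KeyHub's
  # 'Client identifier'; the object id is deliberately not used.
  app_id=$(az ad app create \
    --display-name "$display_name" \
    --sign-in-audience AzureADMyOrg \
    --web-redirect-uris "$redirect_uri" \
    --query appId -o tsv) || return 1

  # The secret value is returned only once; capture it, do not log it.
  # --append keeps any existing secrets; --years 1 is an assumed lifetime.
  secret=$(az ad app credential reset \
    --id "$app_id" --append \
    --display-name "KeyHub SSO" --years 1 \
    --query password -o tsv) || return 1

  printf 'Redirect URI:      %s\n' "$redirect_uri"
  printf 'Client identifier: %s\n' "$app_id"
  printf 'Client secret:     %s\n' "$secret"
}

# Only touch Azure when explicitly asked, e.g.
#   KEYHUB_APPLY=1 KEYHUB_DOMAIN=topicus-keyhub.com \
#   KEYHUB_PUBLIC_URL=https://keyhub-azure.westeurope.cloudapp.azure.com sh keyhub-sso.sh
if [ -n "${KEYHUB_APPLY:-}" ]; then
  keyhub_check_domain_verified "$KEYHUB_DOMAIN" \
    || { echo "$KEYHUB_DOMAIN is not a verified domain in this tenant" >&2; exit 1; }
  keyhub_create_app_registration "Topicus KeyHub" "$KEYHUB_PUBLIC_URL"
fi
```

Run it once with KEYHUB_APPLY set; the printed client identifier and client secret go into the 'Client identifier' and 'Client secret' fields of the KeyHub directory configuration, and the domain checked by keyhub_check_domain_verified is the value for the domain restriction.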

Applying the client identifier

This completes the installation and configuration of Topicus KeyHub on Azure.