Configuring Microsoft Entra ID (Azure) for OAuth2 Authentication

Since version 10.14 of yuuvis® RAD, the gateway microservice supports authentication against an OAuth2/OpenID Connect identity provider such as Microsoft Entra ID (formerly Azure AD). This guide shows how to create the app registration on the Entra ID side that the gateway needs:

  • Log in to the Microsoft Entra admin center (https://entra.microsoft.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade/quickStartType~/null/sourceType/Microsoft_AAD_IAM) with an administrative account that is permitted to create app registrations.

  • If you are not already there, choose “Identity” → “Applications” → “App registrations” from the left menu.

  • Click on “New registration”.

  • On the new page, enter a name of your choice for the app registration, for example “yuuvis RAD OAuth2”.

  • Choose the supported account type. The default (first) option, accounts in this organizational directory only, is correct if only users of this Entra ID tenant should be able to log in. The other options also admit users from other tenants or personal Microsoft accounts, so choose them deliberately.

  • Under “Redirect URI”, choose “Web” and enter the URL of the yuuvis RAD gateway (instance) that you want to use with OAuth2, suffixed with “/login/oauth2/code/azure”, for example https://yuuvis.mycompany.com/login/oauth2/code/azure. Entra ID compares the redirect URI sent by the gateway with the registered value exactly, so scheme, host, port and path must match the address under which users actually reach the gateway.

  • Click on “Register”.

  • The overview page of the new app registration is shown. Save the “Application (client) ID” and the “Directory (tenant) ID” for later use.

  • Also save the issuer URI https://login.microsoftonline.com/<Directory (tenant) id>/v2.0 for later use, replacing <Directory (tenant) id> with the ID saved in the previous step. This is the v2.0 issuer; its OpenID Connect discovery document is published at https://login.microsoftonline.com/<Directory (tenant) id>/v2.0/.well-known/openid-configuration, and the “issuer” field in that document must be identical to the URI you saved.

  • Click on the left menu entry “Certificates & secrets” and then on “New client secret”.

  • In the dialog, enter a description of your choice, for example “yuuvis RAD OAuth2 Client Secret”, choose an expiry interval and click “Add”. Note the expiry date: once the secret expires, logins through the gateway stop working until a new secret has been created and configured.

  • Save the value of the newly created secret for later use. Copy the “Value” column, not the “Secret ID”.
    (Attention: the value is shown only once, directly after creation. Afterwards it is masked and cannot be retrieved; you can only create a new secret.)

  • Click on the left menu entry “Authentication”.

  • If the yuuvis RAD gateway is reachable under several addresses, you can (optionally) add these URIs to the list of redirect URIs now; each of them must again end with “/login/oauth2/code/azure”.

  • Under “Front-channel logout URL”, enter the URL of the gateway's logout endpoint. By default this is “/logout”, so the URL would be, for example, https://yuuvisrad.optimal-systems.de/logout .

  • Tick the “ID tokens (used for implicit and hybrid flows)” checkbox.

  • Click on “Save”.

  • The Entra ID side is now finished. Proceed with the gateway configuration; you will need the issuer URI, the client ID (the “Application (client) ID”) and the client secret (the value of the created secret).
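The values collected above are easy to get subtly wrong: a tenant ID pasted with a typo yields an issuer nobody answers for, and a redirect URI that differs from the registration by a port, a trailing slash or an http scheme is rejected by Entra ID at login time. The following Python script is an added illustration, not code from yuuvis RAD or from Microsoft. It builds the issuer URI from a tenant ID, checks a redirect URI against the rules given in the steps above, compares a discovery document with what the gateway configuration needs (the document here is a constructed sample standing in for what Entra ID serves at <issuer>/.well-known/openid-configuration; the real one has more fields), and shows the authorization request that an authorization code flow sends with these values. The tenant ID, client ID and host names are made-up placeholders, and the scope "openid profile email" is an assumption about what the gateway asks for. Note that the “ID tokens” checkbox from the Authentication blade is a per-app setting that is not visible in the discovery document, so no script can verify it; check it in the portal.

```python
"""Sanity checks for the values gathered during the Entra ID app registration.

Added illustration, not code from yuuvis RAD or from Microsoft. The tenant ID,
client ID, host names and the discovery document are constructed placeholders;
the scope "openid profile email" is an assumption about what the gateway requests.
"""
import re
import secrets
from urllib.parse import urlencode, urlsplit

# Suffix the gateway expects on every registered redirect URI (from the guide).
REDIRECT_PATH = "/login/oauth2/code/azure"

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)

# Constructed placeholders standing in for the values saved from the portal.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
REDIRECT_URI = "https://yuuvis.mycompany.com" + REDIRECT_PATH


def issuer_uri(tenant_id: str) -> str:
    """Build the v2.0 issuer URI exactly as the guide describes it."""
    if not GUID_RE.match(tenant_id):
        raise ValueError(f"not a Directory (tenant) ID: {tenant_id!r}")
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"


def check_redirect_uri(uri: str) -> list[str]:
    """Return the problems with a redirect URI (an empty list means it is usable).

    Entra ID matches the redirect_uri of the authorization request against the
    registered value exactly, so scheme, host, port and path all have to agree."""
    problems = []
    parts = urlsplit(uri)
    if parts.scheme != "https":
        problems.append("scheme must be https for a production gateway")
    if not parts.netloc:
        problems.append("host is missing")
    if parts.path != REDIRECT_PATH:
        problems.append(f"path must be exactly {REDIRECT_PATH}, got {parts.path!r}")
    if parts.query or parts.fragment:
        problems.append("query string and fragment are not allowed")
    return problems


# Constructed sample of the OpenID Connect discovery document that Entra ID
# publishes at <issuer>/.well-known/openid-configuration (the real one has more fields).
SAMPLE_DISCOVERY = {
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "end_session_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/logout",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token", "id_token token"],
    "token_endpoint_auth_methods_supported": ["client_secret_post", "private_key_jwt", "client_secret_basic"],
}


def check_discovery(doc: dict, tenant_id: str) -> list[str]:
    """Compare a discovery document with what the gateway configuration needs."""
    problems = []
    expected = issuer_uri(tenant_id)
    if doc.get("issuer") != expected:
        problems.append(f"issuer {doc.get('issuer')!r} does not match {expected!r} "
                        "(wrong tenant ID or v1.0 endpoint?)")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri", "end_session_endpoint"):
        if key not in doc:
            problems.append(f"{key} missing")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not offered")
    auth_methods = doc.get("token_endpoint_auth_methods_supported", [])
    if not {"client_secret_basic", "client_secret_post"} & set(auth_methods):
        problems.append("client secret authentication at the token endpoint not offered")
    return problems


def authorization_request(doc: dict, client_id: str, redirect_uri: str) -> tuple[str, str, str]:
    """Build the URL a login redirects the browser to (authorization code flow).

    Returns (url, state, nonce); the client keeps state and nonce in the session
    to validate the callback and the ID token it later receives."""
    problems = check_redirect_uri(redirect_uri)
    if problems:
        raise ValueError("; ".join(problems))
    state = secrets.token_urlsafe(16)   # binds the callback to this browser session (CSRF protection)
    nonce = secrets.token_urlsafe(16)   # echoed inside the ID token, defeats token replay
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,      # must equal a registered redirect URI byte for byte
        "scope": "openid profile email",   # assumption about the gateway's scopes
        "state": state,
        "nonce": nonce,
    }
    return f"{doc['authorization_endpoint']}?{urlencode(params)}", state, nonce


if __name__ == "__main__":
    print(issuer_uri(TENANT_ID))
    print(check_redirect_uri(REDIRECT_URI) or "redirect URI ok")
    print(check_discovery(SAMPLE_DISCOVERY, TENANT_ID) or "discovery document ok")
    print(authorization_request(SAMPLE_DISCOVERY, CLIENT_ID, REDIRECT_URI)[0])
```

To use this against a real tenant, fetch the discovery document from the issuer URI you saved, load it with json, and pass it to check_discovery together with the tenant ID; an issuer mismatch there almost always means a mistyped tenant ID or the v1.0 endpoint being used by mistake. The authorization request printed at the end is the request Entra ID checks the registered redirect URIs against, which is why every address the gateway is reachable under must be registered with the exact “/login/oauth2/code/azure” suffix.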