Skip to main content

Version: 3.2.16.5

Configure SSO with Microsoft Entra ID (Azure AD)

Microsoft Entra ID (formerly Azure AD) is Microsoft's cloud-based identity and access management service. It allows organizations to securely manage and authenticate users and devices, ensuring that the right individuals have the appropriate access to company resources. Microsoft Entra ID offers features such as single sign-on (SSO), multi-factor authentication (MFA), and integration with various third-party applications.

The guide will show you how to integrate API7 Enterprise with Microsoft Entra ID to implement SSO and configure the needed access controls.

Below is an interactive demo that provides a hands-on introduction to integrating Microsoft Entra ID with API7 Enterprise.

Prerequisite(s)

  1. Install API7 Enterprise.
  2. Have at least one gateway instance in your gateway group.
  3. Have an Azure account with an active subscription.

Configure Azure

Register an App

Log in to the Azure portal, go to Microsoft Entra ID, and select App registrations under the Manage dropdown to register a new app:

azure-ad-register-an-app

Fill out details for the app and click Register:

fill-out-new-app-info

Create an App Client Secret

Once the app is registered, select Certificates & secrets under the Manage dropdown to create a client secret:

create-app-client-secret

Fill out the client secret details and click Add:

fill-out-client-secret-details

The client secret should now be generated. Save the secret to a secure location so that you can refer to it later for API7 Enterprise configuration. Note that you can only view the secret once.

save-client-secret

Create an App Role

Select App roles under the Manage dropdown to create a new SuperAdmin app role. Fill out the role details and click Apply:

create-app-role

You should see the role created and enabled.

Assign the App Role to User

Select Enterprise applications under the Manage dropdown:

select-enterprise-applications

You should now be redirected to a page showing all apps. Select the app created earlier:

select-the-enterprise-app

You should now be redirected to the app overview page. Select Users and groups under the Manage dropdown and click Add user/group:

add-user-group

Select the appropriate IAM user to be allowed to sign into API7 Dashboard as the super admin and assign the SuperAdmin role created earlier. Click Assign:

assign-role-to-user

You should see the role assigned:

assigned-role

Configure API7

Log into the API7 Dashboard using an account with admin rights.

Add Login Option

Under Organization dropdown, click Settings, and select Add Login Option:

add-login-option

Fill out the Name, select OIDC as the provider, and populate Issuer and Client ID based on the app information:

fill-out-login-details

note

The issuer URL should not include /.well-known/openid-configuration.

The issuer can be found in Azure by clicking open Endpoints and copying the OpenID Connect metadata document:

dashboard-oidc-issuer-and-endpoint-in-azure

Continue to fill out the Client Secret previously saved:

dashboard-oidc-client-secret

as well as the rest of information:

dashboard-oidc-scopes-root-url-attributes-mapping

Once finished, click Add. You should see the login provider successfully provisioned.

Enable Role Mapping

Enable Role Mapping for the newly created login provider:

enable-role-mapping

Fill out the details and click Enable:

fill-out-role-mapping-details

The roles should now have been updated.

Update Callback URL

The callback URL is the address that the application redirects users to upon a successful authentication with Microsoft Entra ID.

Find the callback URL in the provider configuration:

dashboard-find-callback-url

In Azure portal, navigate to the app overview and click Add a Redirect URI:

azure-add-redirect-url

Click on the Authentication tab and click on Add a platform. Choose Web application type and enter the redirect URI:

add-a-platform-web

Verify SSO

Sign out from the API7 Dashboard and visit the login page again, you should now see an option to log in with Microsoft Entra ID:

login box with SSO option

You should now be able to sign in with your Microsoft account.

Additional Resources


API7.ai Logo

API Management for Modern Architectures with Edge, API Gateway, Kubernetes, and Service Mesh.

Product

API7 Cloud

SOC2 Type IIISO 27001HIPAAGDPRRed Herring

Copyright © APISEVEN Ltd. 2019 – 2024. Apache, Apache APISIX, APISIX, and associated open source project names are trademarks of the

Apache Software Foundation