Configure Azure Entra as an OpenID Provider

Register your app

  1. Sign in to the Microsoft Entra admin center.

  2. Browse to Applications > App registrations using the sidebar.

  3. Enter the name of your application, like spiffworkflow-backend.

  4. Under supported account types, you will likely want “Accounts in this organizational directory only”

  5. Skip the redirect URL. We will do that later.

  6. Click Register.

  7. In the new view, copy and note the following:

    • Application (client) ID. It is your Client ID.

    • Directory (tenant) ID. This is part of your server URL.

Configure your app

  1. Select Authentication from the sidebar.

  2. Under Platform configurations, select “+ Add a platform”

  3. In the pane that opens, select Web.

  4. Under Redirect URIs, add http://localhost:8000/v1.0/login_return

  5. Leave Front-chanel logout URL blank.

  6. Leave the checkboxes unchecked under Implicit grant and hybrid flows.

  7. Click Configure.

Add additional Redirect URLs

You will need to add more redirect URLs.

Follow these instructions for the following URL patterns:

  • https://<domainname>/v1.0/login_return

  1. Under Web > Redirect URIs, click Add URI.

  2. Type in the URL pattern.

Create a Client Secret

  1. Select Certificates & Secrets from the sidebar.

  2. Click + New client secret

  3. In the pane that opens, enter a description and expiration, then click Add.

  4. Copy the Value using the icon after the string and note this value. This is your Client Secret Key.

Add groups claim to the token

The basic steps are:

  1. Select Token configuration from the sidebar.

  2. Select Add groups claim.

  3. Select the group types to return (Security groups, or Directory roles, All groups, and/or Groups assigned to the application)

  4. Select Save.

For more information about these settings read the Microsoft documentation

Configure Spiff Workflow

Set the following environment variables on your SpiffWorkflow backend server to connect with your Azure Entra instance:

# OpenID Server URL
SPIFFWORKFLOW_BACKEND_OPEN_ID_SERVER_URL=https://login.microsoftonline.com/<YOUR_DIRECTORY_(TENANT)_ID>

# Client ID and Secret Key from Okta
SPIFFWORKFLOW_BACKEND_OPEN_ID_CLIENT_ID=<YOUR_CLIENT_ID>
SPIFFWORKFLOW_BACKEND_OPEN_ID_CLIENT_SECRET_KEY=<YOUR_CLIENT_SECRET_KEY>

# Additional valid issuers (don't forget the trailing slash)
SPIFFWORKFLOW_BACKEND_OPEN_ID_ADDITIONAL_VALID_ISSUERS: "https://sts.windows.net/<YOUR_DIRECTORY_(TENANT)_ID>/"

# OpenID Scopes (includes groups)
SPIFFWORKFLOW_BACKEND_OPENID_SCOPE="openid profile email groups"

# Allow OpenID Provider to manage user groups
SPIFFWORKFLOW_BACKEND_OPEN_ID_IS_AUTHORITY_FOR_USER_GROUPS: true