Recipe
Published August 02, 2024

Integrate Azure AD with Liferay DXP Using OpenID Connect

While we make every effort to ensure this Recipe is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Introduction

This recipe guides you through the basic steps needed to integrate Azure AD (now known as Microsoft Entra ID), your Identity Provider (IdP), with your Liferay environment using OpenID Connect.

Prerequisites

  • Liferay DXP environment

  • A user with administrative access to Liferay's Control Panel

  • A Microsoft Azure account with permissions to administer Azure AD

  • At least one user created in your Azure AD account

Steps

  1. Log in to Azure portal.

  2. On the left sidebar menu, go to Microsoft Entra ID.

  3. Under Manage, go to App registrations.

  4. Click New registration at the top of the page to create a new application registration.

  5. Name your application as desired and select Accounts in this organizational directory only (yourAzureActiveDirectoryName only - Single tenant) for the Supported Account Type.

  6. Click Register.

  7. On your new application, click Authentication.

  8. Click Add a platform.

  9. On the Configure Platforms panel, select Web under Web Applications.

  10. Under Redirect URIs, add https://[your_web_server]/c/portal/login/openidconnect.

    This configures the identity platform to redirect the user to the given URL after authentication.

  11. Click Configure.

  12. On the left sidebar menu, go to Certificates & secrets and click the Client secrets tab.

  13. Click New client secret to create a new secret string.

  14. Add a description and an expiration time to your client secret.

  15. Take note of the client secret value for a future step. It won't be shown again after navigating away from the tab.

  16. On the left sidebar menu, go to API permissions and click Microsoft Graph.

  17. Select the email, openid, and profile permissions, then click Update permissions.

  18. On the page breadcrumbs, click Azure Active Directory to navigate back to the AD main screen.

  19. On the left sidebar menu, click Users under Manage and ensure your user is listed with their first name, last name, and email address.

    This information is required to establish the Azure and Liferay connection.

  20. On your Liferay DXP instance, open the Global Menu and go to Control Panel → Instance Settings → Security → SSO.

  21. Go to the OpenID Connect Provider Connection tab.

  22. Click Add to create a new connection entry, enter these values, and click Save:

    Field                         Data
    Provider Name                 Azure OIDC
    Discovery Endpoint            The OpenID Connect metadata document URL. You can find this by going to Endpoints in your application's Overview tab in Azure.
    OpenID Connect Client ID      On the Overview tab of your application in Azure.
    OpenID Connect Client Secret  The client secret value you copied in a previous step.

  23. Open the Global Menu and go to Control Panel → Configuration → Instance Settings.

  24. Under Security, click SSO.

  25. Go to OpenID Connect, click the Enabled checkbox, and click Save.

    You can now use OpenID Connect to authenticate in your Liferay instance.

  26. Log out of your current user.

  27. Click Sign In and select OpenID Connect.

  28. From the Client dropdown list, select Azure OIDC.

  29. Click Sign In.

    This redirects you to Azure's login page.

  30. Log in with your user's email address and password.

    Once you've successfully logged in, your Azure user is registered in Liferay.

  31. Sign back in as your Liferay admin user.

  32. Open the Global Menu and go to Control Panel → Users and Organizations. Verify that your Azure user displays on the list.

Conclusion

Congratulations! Users may now authenticate to your environment using Azure AD via OpenID Connect.

Tips

Redirect URIs

To ensure a successful Single Sign-On (SSO) connection between Liferay and Azure Active Directory (Azure AD), it's crucial to correctly configure the Redirect URI. Incorrect Redirect URIs prevent users from signing in to Liferay.
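The script below is an added example, not part of this recipe and not Liferay's or Microsoft's code. It checks the values you enter in step 22 (the Discovery Endpoint and the metadata it returns, plus the client secret expiry you set in step 14) and the Redirect URI discussed here, so that mismatches surface before you try the sign-in. Everything in it is constructed: the tenant id is zeroed, the host portal.example.test is hypothetical, and in real use you would paste your own metadata JSON, registered redirect URIs and secret expiry date into the call.

```python
"""Pre-flight checks for the Liferay <-> Microsoft Entra ID OpenID Connect connection.

Added example; not Liferay's or Microsoft's code. Every value below is a constructed
placeholder (zeroed tenant id, example host names), not a real registration.
"""
import json
from datetime import date
from urllib.parse import urlparse

# Scopes granted to the app registration in step 17; Liferay needs them for the user mapping.
REQUIRED_SCOPES = {"openid", "email", "profile"}
# Path Liferay serves for the OpenID Connect callback (step 10).
LIFERAY_OIDC_PATH = "/c/portal/login/openidconnect"
WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample of the OpenID Connect metadata document behind step 22's
# Discovery Endpoint. The tenant id is a placeholder; the key names are the standard ones.
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_DISCOVERY_URL = f"https://login.microsoftonline.com/{TENANT}/v2.0{WELL_KNOWN}"
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
})


def check_discovery(discovery_url, raw_json):
    """Validate the Discovery Endpoint value and the metadata it points at.

    Returns a list of problems; an empty list means the entry looks usable.
    """
    problems = []
    parsed = urlparse(discovery_url)
    if parsed.scheme != "https":
        problems.append("discovery endpoint must use https")
    if not parsed.path.endswith(WELL_KNOWN):
        problems.append(f"discovery endpoint should end with {WELL_KNOWN}")
    try:
        doc = json.loads(raw_json)
    except json.JSONDecodeError:
        return problems + ["metadata document is not valid JSON"]
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append(f"metadata is missing '{key}'")
    # OIDC Discovery defines the metadata URL as issuer + /.well-known/openid-configuration;
    # a mismatch means the entry points somewhere other than the issuer that signs the tokens.
    issuer = doc.get("issuer", "")
    if issuer and discovery_url != issuer.rstrip("/") + WELL_KNOWN:
        problems.append(f"discovery endpoint does not belong to issuer {issuer}")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append(f"provider does not advertise required scopes: {sorted(missing)}")
    return problems


def expected_redirect_uri(web_server):
    """The Redirect URI Liferay needs registered in Azure (step 10)."""
    return f"https://{web_server}{LIFERAY_OIDC_PATH}"


def check_redirect_uris(web_server, registered):
    """The registered list must contain Liferay's callback as an exact string;
    OpenID Connect does not allow prefix or partial matching. Near misses are explained."""
    expected = expected_redirect_uri(web_server)
    if expected in registered:
        return []
    problems = [f"no registered redirect URI equals {expected}"]
    for uri in registered:
        p = urlparse(uri)
        if p.scheme == "http":
            problems.append(f"{uri}: http instead of https")
        elif p.netloc != web_server:
            problems.append(f"{uri}: host {p.netloc!r} differs from {web_server!r}")
        elif p.path != LIFERAY_OIDC_PATH:
            problems.append(f"{uri}: path {p.path!r} differs from {LIFERAY_OIDC_PATH!r}")
    return problems


def check_client_secret(expires_on, today, warn_within_days=30):
    """Step 14 gives the secret an expiry (ISO dates here); sign-ins fail once it lapses."""
    days_left = (date.fromisoformat(expires_on) - date.fromisoformat(today)).days
    if days_left <= 0:
        return ["client secret has expired"]
    if days_left <= warn_within_days:
        return [f"client secret expires in {days_left} days; rotate it in Azure and update Liferay"]
    return []


def preflight(web_server, registered_uris, discovery_url, raw_json, expires_on, today):
    """Run all checks and return the combined list of problems."""
    return (check_redirect_uris(web_server, registered_uris)
            + check_discovery(discovery_url, raw_json)
            + check_client_secret(expires_on, today))


if __name__ == "__main__":
    # Constructed inputs: a registration whose only redirect URI was entered with http.
    for line in preflight("portal.example.test",
                          ["http://portal.example.test/c/portal/login/openidconnect"],
                          SAMPLE_DISCOVERY_URL, SAMPLE_DISCOVERY_DOC,
                          "2025-08-02", "2024-08-02"):
        print("PROBLEM:", line)
```

The redirect check deliberately reports the exact difference (scheme, host or path) rather than just "mismatch", because an http scheme, a trailing slash or a staging hostname left in the Azure registration are the usual reasons the sign-in in step 29 bounces back with an error.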

Recipe
20 Minutes
