Single Sign-On (SSO)

Enterprise Edition

This guide will show you how to set up Single Sign-On (SSO) for your organization using Microsoft Entra ID (formerly known as Azure Active Directory). Other SSO providers work similarly, but the setup might differ.

Note: Single Sign-On (SSO) is only available in the Enterprise Edition of Data Mesh Manager / Data Contract Manager.

Prerequisites

Know the hostname / domain of your application, e.g., datacontract-manager.example.com.

Create an app registration in Azure

Learn more in the official reference: https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app

  1. Sign in to the Azure portal as at least a Cloud Application Administrator and go to Microsoft Entra ID.
  2. Under Manage, select App registrations.
  3. Select New registration.
  4. Name: Data Mesh Manager / Data Contract Manager (whichever product you licensed; users will see this name on the sign-in screen)
  5. Supported account types: Accounts in this organizational directory only (Single tenant)
  6. Redirect URI:
    • Select a Platform: Web
    • URL: https://YOUR_HOSTNAME/login/oauth2/code/azuresso (replace YOUR_HOSTNAME with the host name of your instance)
  7. Select Register.
  8. Copy the Application (client) ID.
  9. To the right of Client credentials, select Add a certificate or secret.
  10. Select + New client secret.
  11. Enter an optional description, select an expiration, and then select Add. Note the expiration date: the secret stops working when it lapses, so plan to rotate it before then.
  12. Under Secret value, select the Copy to clipboard icon. Do this now; the value is not displayed again after you leave the page.
  13. Back on Overview, Select Endpoints at the top of the page.
  14. Find the OpenID Connect metadata document URL and copy the value before /.well-known/openid-configuration.
  15. In the left side panel, under Manage, select Token configuration.
  16. Select Add optional claim
  17. Select Token type: ID
  18. Select Claim: verified_primary_email
  19. Select Add.
  20. In the left side panel, under Manage, select Branding & properties.
  21. Upload a logo and review all properties.
  22. Check the Publisher domain.

You should now have the following three values; they are needed to configure the application:

Property                          Example
OpenID Connect metadata document  https://login.microsoftonline.com/cc62cfd7-babf-43fa-89c8-000000000000/v2.0
Application (client) ID           cfe06d6f-787f-48df-b5f9-000000000000
Secret Value                      Gye8Qxxxxxxxxxxxxxxxxxxxxxxx

Configure the application

Add the following environment variables to your application with the values from above. Treat the client secret like a password: inject it from your secret store or deployment platform rather than committing it to a file or image.

SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_AZURE_ISSUER_URI=https://login.microsoftonline.com/cc62cfd7-babf-43fa-89c8-000000000000/v2.0 # The OpenID Connect metadata document (without the /.well-known/openid-configuration ending)
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AZURESSO_CLIENT_ID=cfe06d6f-787f-48df-b5f9-000000000000 # The Application (client) ID
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AZURESSO_CLIENT_SECRET=Gye8Qxxxxxxxxxxxxxxxxxxxxxxx # The Secret Value
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AZURESSO_PROVIDER=azure
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AZURESSO_AUTHORIZATION_GRANT_TYPE=authorization_code
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AZURESSO_REDIRECT_URI={baseUrl}/{action}/oauth2/code/{registrationId} # Resolves to https://YOUR_HOSTNAME/login/oauth2/code/azuresso, which must match the Redirect URI registered in Azure exactly
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AZURESSO_CLIENT_AUTHENTICATION_METHOD=client_secret_basic
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AZURESSO_SCOPE=openid,profile,email
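
Before restarting, it is worth checking that the values fit together, because the two most common failures are pasting the full metadata document URL (with the /.well-known suffix) as the issuer and registering a redirect URI that does not match what Spring Security generates from the template. The following pre-flight check is an added example, not code from Data Mesh Manager / Data Contract Manager or from Microsoft; it parses an environment block like the one above, derives the issuer URI from the metadata document URL as in step 14, expands the redirect URI template, and reports inconsistencies. The hostname, the redirect URI and the sample tenant, client ID and secret are the placeholder values from this guide.

```python
# Pre-flight consistency check for the Entra ID SSO values collected above.
# Added example; not part of Data Mesh Manager / Data Contract Manager.
import re
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
PREFIX = "SPRING_SECURITY_OAUTH2_CLIENT_"

# Constructed sample: the environment block from this guide (placeholder values).
SAMPLE_ENV = """
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_AZURE_ISSUER_URI=https://login.microsoftonline.com/cc62cfd7-babf-43fa-89c8-000000000000/v2.0
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AZURESSO_CLIENT_ID=cfe06d6f-787f-48df-b5f9-000000000000
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AZURESSO_CLIENT_SECRET=Gye8Qxxxxxxxxxxxxxxxxxxxxxxx
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AZURESSO_PROVIDER=azure
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AZURESSO_AUTHORIZATION_GRANT_TYPE=authorization_code
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AZURESSO_REDIRECT_URI={baseUrl}/{action}/oauth2/code/{registrationId}
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AZURESSO_CLIENT_AUTHENTICATION_METHOD=client_secret_basic
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AZURESSO_SCOPE=openid,profile,email
"""


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines; trailing ' # comment' text and blank lines are ignored."""
    env = {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip()
    return env


def issuer_from_metadata_url(metadata_url: str) -> str:
    """Step 14: the issuer URI is the metadata document URL without the /.well-known suffix."""
    if metadata_url.endswith(WELL_KNOWN):
        return metadata_url[: -len(WELL_KNOWN)]
    return metadata_url


def resolve_redirect_uri(template: str, base_url: str, registration_id: str, action: str = "login") -> str:
    """Expand Spring Security's {baseUrl}/{action}/oauth2/code/{registrationId} template."""
    return (template.replace("{baseUrl}", base_url.rstrip("/"))
                    .replace("{action}", action)
                    .replace("{registrationId}", registration_id))


def check_sso_config(env: dict, hostname: str, registered_redirect_uri: str) -> list:
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    # Registration ids are taken from the *_REGISTRATION_<ID>_CLIENT_ID variable names.
    reg_names = [m.group(1) for k in env
                 if (m := re.match(PREFIX + r"REGISTRATION_([A-Z0-9]+)_CLIENT_ID$", k))]
    if not reg_names:
        return ["no client registration found (no *_REGISTRATION_<ID>_CLIENT_ID variable)"]
    for reg in reg_names:
        reg_id = reg.lower()
        val = lambda name, reg=reg: env.get(f"{PREFIX}REGISTRATION_{reg}_{name}", "")
        if not GUID_RE.match(val("CLIENT_ID")):
            problems.append(f"{reg_id}: client ID is not an Application (client) ID GUID")
        if not val("CLIENT_SECRET"):
            problems.append(f"{reg_id}: client secret is empty")
        if val("AUTHORIZATION_GRANT_TYPE") != "authorization_code":
            problems.append(f"{reg_id}: grant type must be authorization_code")
        if "openid" not in val("SCOPE").split(","):
            problems.append(f"{reg_id}: scope must include openid for an OIDC login")
        provider = val("PROVIDER")
        issuer = env.get(f"{PREFIX}PROVIDER_{provider.upper()}_ISSUER_URI", "")
        if not issuer:
            problems.append(f"{reg_id}: provider '{provider}' has no ISSUER_URI variable")
        else:
            u = urlparse(issuer)
            if u.scheme != "https":
                problems.append(f"{provider}: issuer URI must use https")
            if issuer.endswith(WELL_KNOWN):
                problems.append(f"{provider}: issuer URI must not end with {WELL_KNOWN}")
            if u.netloc == "login.microsoftonline.com":
                # Single-tenant Entra issuer: https://login.microsoftonline.com/<tenant-id>/v2.0
                parts = u.path.strip("/").split("/")
                if len(parts) != 2 or not GUID_RE.match(parts[0]) or parts[1] != "v2.0":
                    problems.append(f"{provider}: Entra issuer should be "
                                    "https://login.microsoftonline.com/<tenant-id>/v2.0")
        resolved = resolve_redirect_uri(val("REDIRECT_URI"), f"https://{hostname}", reg_id)
        if resolved != registered_redirect_uri:
            problems.append(f"{reg_id}: redirect URI {resolved} does not match "
                            f"the registered {registered_redirect_uri}")
    return problems


if __name__ == "__main__":
    hostname = "datacontract-manager.example.com"              # assumption: hostname from the prerequisites
    registered = f"https://{hostname}/login/oauth2/code/azuresso"  # the Redirect URI from step 6
    for line in check_sso_config(parse_env(SAMPLE_ENV), hostname, registered) or ["OK: values are consistent"]:
        print(line)
```

Run it with the real values substituted into SAMPLE_ENV (or read from your deployment's environment file); any reported problem should be fixed in Azure or in the variables before restarting, since a redirect URI mismatch or a wrong issuer is rejected by Entra ID or by Spring Security at login time rather than at startup.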

Restart the application and check the logs for errors while the OAuth2 client configuration is loaded.

When you open the application, you should now be redirected to the Microsoft Entra ID login page.