Integration of SOFiE and MS Entra (Azure)

Since the introduction of OpenID Connect support in SOFiE version 2.3, it is now possible to integrate user authentication via Microsoft Entra. To achieve this, follow the steps below.

Steps in Microsoft Entra

  • Log in to the Microsoft Entra Admin Portal. Go to: https://entra.microsoft.com/.

  • Register a New Application. Navigate to: Applications → App registrations → New registration.

  • Fill in the Registration Form:

    • Name, e.g., SOFiE (this name may be visible to users during login).

    • Supported account types.

    • Redirect URI (optional).

      • Select “Web” as the application type.

      • Do not enter a URL yet.

  • After submitting the form, the application overview page will be displayed. Take note of the following:

    • Application (client) ID, e.g., “aaddddb3-9cef-4582-a721-3fe48fee1b40”.

    • At the top of the application overview, select Endpoints and find the following item:

      • OpenID Connect metadata document, e.g.: “https://login.microsoftonline.com/36e241eb-b5b3-4805-a502-4c199d365104/v2.0/.well-known/openid-configuration”.

        • Open this link, find the “issuer” field in the JSON response, and note its value, e.g.: “https://login.microsoftonline.com/36e241eb-b5b3-4805-a502-4c199d365104/v2.0”. Alternatively, this value can be derived by trimming everything after /v2.0 in the metadata URL.

    • Next, in the “Certificates & Secrets” submenu, click “+ New client secret”. Assign a name, set an expiration period, and confirm. Note the generated client secret Value (not the ID), e.g.: “4858Q~4gqxX2N25OGUUX-KclTScvCLukIGEvwb3Z”. The Value is displayed only immediately after creation and cannot be retrieved later, so store it securely until it has been entered in SOFiE.

At this stage, you now have all the required details to configure OpenID Connect in SOFiE.

Steps in SOFiE

As an admin, go to Settings → OpenID Connect and add a new provider. Fill out the following form using the details obtained from Microsoft Entra (see above).

[Screenshot: image-20250221-163106.png]

After saving, the new provider appears as a row in the table. Click Edit and, in the displayed form, find the “Redirect URI” field. Note down the generated Redirect URI, e.g.: “https://test.sofie.cloud/api/user/oidc-token/cd7f1010-1256-4f27-9cfd-f58810c3cdff”, see:

[Screenshot: image-20250221-163338.png]

To finalize the integration, this URI now needs to be entered back in the Microsoft Entra settings.

Finalizing in Microsoft Entra

In Microsoft Entra, navigate to the Authentication submenu of the registered application. Click “+ Add a platform”:

[Screenshot: image-20250221-164507.png]

In the dialog shown, under Web applications, select Web. Enter the Redirect URI obtained from SOFiE (see above), e.g.: “https://test.sofie.cloud/api/user/oidc-token/cd7f1010-1256-4f27-9cfd-f58810c3cdff”. The URI must match exactly; Entra rejects login requests whose redirect URI differs from a registered one.

Ensure that “ID Tokens” is checked in the Implicit grant and hybrid flows section.

With this setup completed, logging into SOFiE using Microsoft Entra should now function correctly.

To pass additional user details (such as First Name, Last Name, and Group Memberships) during authentication, which is strongly recommended, configure the application's Token configuration section accordingly. See the illustration below for guidance:

[Screenshot: image-20250221-164933.png]
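The following added example (not part of SOFiE or of Microsoft's documentation) shows in Python what the values collected above are used for on the relying-party side: the issuer derived by trimming the metadata URL is cross-checked against the discovery document, and the claims of an ID token returned to the Redirect URI are validated against that issuer and the Application (client) ID before the name and group claims requested under Token configuration are consumed. The discovery document and token payload are constructed sample data; the tenant ID and client ID are the example values used on this page; signature verification against the document's jwks_uri is assumed to have happened before these checks.

```python
"""Offline checks for the OpenID Connect values gathered when connecting
SOFiE to Microsoft Entra. Added example; the discovery document and the
token payload below are constructed sample data."""
import json
import time
from typing import Optional
from urllib.parse import urlparse

# Example values from this page.
METADATA_URL = ("https://login.microsoftonline.com/"
                "36e241eb-b5b3-4805-a502-4c199d365104/v2.0/.well-known/openid-configuration")
CLIENT_ID = "aaddddb3-9cef-4582-a721-3fe48fee1b40"
TENANT = "36e241eb-b5b3-4805-a502-4c199d365104"

# Constructed subset of the metadata document (only the fields used here).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
})

# Constructed ID-token payload as it would look after signature verification.
SAMPLE_PAYLOAD = {
    "iss": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "aud": CLIENT_ID,
    "tid": TENANT,
    "sub": "constructed-subject-id",
    "nonce": "constructed-nonce-123",
    "iat": 1740000000, "nbf": 1740000000, "exp": 1740003600,
    "preferred_username": "jane.doe@example.com",
    "given_name": "Jane", "family_name": "Doe",
    "groups": ["constructed-group-object-id"],
}


def derive_issuer(metadata_url: str) -> str:
    """The page's shortcut: the issuer is the metadata URL cut off after '/v2.0'."""
    marker = "/v2.0"
    idx = metadata_url.find(marker)
    if idx < 0:
        raise ValueError("metadata URL does not contain /v2.0")
    return metadata_url[: idx + len(marker)]


def check_discovery(metadata_url: str, discovery_json: str) -> str:
    """Confirm the discovery document's issuer equals the derived value and
    that the endpoints the relying party will call are https; return the issuer."""
    doc = json.loads(discovery_json)
    issuer = doc["issuer"]
    if issuer != derive_issuer(metadata_url):
        raise ValueError(f"issuer mismatch: {issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlparse(doc[key]).scheme != "https":
            raise ValueError(f"{key} is not an https URL: {doc[key]}")
    return issuer


def validate_id_token_claims(payload: dict, issuer: str, client_id: str,
                             expected_nonce: str, now: Optional[float] = None) -> dict:
    """Claim checks performed after the token signature has been verified
    against jwks_uri. Returns the identity attributes the application consumes."""
    now = time.time() if now is None else now
    if payload.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:          # token was minted for another app
        raise ValueError("token not issued for this client")
    if payload.get("nonce") != expected_nonce:   # binds token to this login attempt
        raise ValueError("nonce mismatch (possible replay)")
    if now >= payload.get("exp", 0):
        raise ValueError("token expired")
    if now < payload.get("nbf", 0) - 300:   # allow 5 minutes of clock skew
        raise ValueError("token not yet valid")
    # For a tenant-specific issuer the tid claim must name the same tenant.
    tenant = urlparse(issuer).path.strip("/").split("/")[0]
    if payload.get("tid") != tenant:
        raise ValueError("tenant mismatch")
    return {"subject": payload.get("sub"),
            "email": payload.get("preferred_username"),
            "given_name": payload.get("given_name"),
            "family_name": payload.get("family_name"),
            "groups": list(payload.get("groups", []))}


if __name__ == "__main__":
    iss = check_discovery(METADATA_URL, SAMPLE_DISCOVERY)
    print("issuer:", iss)
    print(validate_id_token_claims(SAMPLE_PAYLOAD, iss, CLIENT_ID,
                                   "constructed-nonce-123", now=1740001000))
```

The nonce and audience checks are the ones that matter most in practice: without them a token issued to a different application, or one captured from an earlier login, would be accepted at the Redirect URI.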