To connect Microsoft Azure AD to DRACOON as an OpenID provider, follow these steps:
Settings in the Azure portal
- Log into the Azure Portal and select the Azure AD tenant you want to connect. To do so, click your profile in the upper right corner, then Change Directory, and select the desired directory (tenant).
- Go to the Azure Active Directory section (1) via the navigation bar on the left.
- Select App Registrations (2), and then click New Application Registration (3).
- Now enter the name (4) of the application and the URL of your DRACOON environment (5) and click Create (6).
- Click Settings (7) and then Keys (8).
- Enter a description for your key (9), select an expiry date (10) and click Save (11).
- You then get the value of the key (12); this is your client secret.
Important: Copy the client secret now and store it securely (for example in a password manager or a text file that only administrators can read). Once you leave the page, Azure will not display the client secret again; you would have to create a new key.
- Under Reply URLs, make sure the following URLs are set: your DRACOON URL and your DRACOON URL with the path /oauth/openid-callback
(e.g. https://dracoon.team/oauth/openid-callback). These must match the redirect URIs you later enter in DRACOON exactly, including scheme and host; Azure AD rejects the login if they differ.
Settings in DRACOON
You need the Configuration Manager role to make the following settings.
- In the DRACOON Web App, click System Settings and then Authentication (1).
- Select the Allow login with OpenID Connect check box.
- Determine the values for the OpenID configuration of your Azure Active Directory.
You will receive these via the following link:
https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
The {tenant} variable in the above URL must be replaced with your Directory ID (tenant ID). This ID can be found in the Azure portal under Azure Active Directory > Properties.
Tip: To get a better overview of the values, open the URL in your browser and use the browser's developer tools to display the OpenID configuration (the JSON response) under the Network tab.
Make sure that you use the v2.0 endpoint shown above. The v1.0 endpoint does not deliver the email claim, so you would run into problems when importing users.
- Now enter the settings for the OpenID provider Azure AD in DRACOON.
The following is a list of what the values required in DRACOON are called in the Azure configuration file:
Value in DRACOON / name in the OpenID configuration file:
- Name: may be chosen freely *
- Issuer URL: issuer
- Authorization Endpoint URL: authorization_endpoint
- Token Endpoint URL: token_endpoint
- UserInfo Endpoint URL: userinfo_endpoint
- JWKS Endpoint URL: jwks_uri
- Client ID: the "Application ID" of your application *
- Client Secret: the key you saved before *
Due to Microsoft-specific requirements, the key must be URL-encoded (percent-encoded) before you enter it. This means that if your key contains a +, / or =, you must escape these special characters:
+ corresponds to %2B
/ corresponds to %2F
= corresponds to %3D
Example: the secret 123+456/789= corresponds to 123%2B456%2F789%3D
- Scopes: openid, email, profile *
- Redirect URIs: the Reply URLs set in the Azure portal above *
- Proof Key for Code Exchange (PKCE): activation recommended
- PKCE Challenge Method: S256 (this is the code challenge method; it is not the id_token_signing_alg_values_supported value from the configuration file, which lists the algorithms used to sign ID tokens)
- Mapping Claim: upn (recommended for the v1.0 endpoint) or email (recommended for the v2.0 endpoint) *
- Fallback User Mapping Claim: sub (recommended) *
* These values are not taken from the OpenID configuration file.
The last two settings, which are not listed here (automatic creation of local users, and the user group they are added to; available as of DRACOON 4.10), are optional and can be activated if required.
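The following script is an added example, not code from DRACOON or Microsoft. It shows how the endpoint fields above are derived from the v2.0 discovery document, how the client secret is percent-encoded, and what the S256 PKCE challenge method actually computes. The tenant ID is a placeholder, and the discovery document is a constructed sample that uses the field names Azure AD publishes; in practice you fetch the document from the well-known URL shown above.

```python
"""Added example (not DRACOON's or Microsoft's own code): derive the DRACOON
OpenID settings from an Azure AD v2.0 discovery document, percent-encode the
client secret and compute an S256 PKCE challenge. Assumptions: TENANT is a
placeholder Directory ID, and SAMPLE_DISCOVERY is a constructed document."""
import base64
import hashlib
import json
import secrets
from urllib.parse import quote, urlsplit

# Placeholder Directory ID (tenant ID); replace with your own.
TENANT = "00000000-0000-0000-0000-000000000000"

# Constructed sample of the v2.0 discovery document. Only the fields used
# here are included; the real document carries many more.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
})

# DRACOON field -> key in the OpenID configuration document
FIELD_MAP = {
    "Issuer URL": "issuer",
    "Authorization Endpoint URL": "authorization_endpoint",
    "Token Endpoint URL": "token_endpoint",
    "UserInfo Endpoint URL": "userinfo_endpoint",
    "JWKS Endpoint URL": "jwks_uri",
}


def discovery_url(tenant: str) -> str:
    """Well-known URL of the v2.0 discovery document for a tenant."""
    return f"https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration"


def dracoon_settings(discovery_json: str, tenant: str) -> dict:
    """Map the discovery document onto DRACOON's endpoint fields.

    Refuses documents whose issuer is not the v2.0 issuer for this tenant:
    the v1.0 endpoint does not deliver the email claim used for user import.
    """
    doc = json.loads(discovery_json)
    expected_issuer = f"https://login.microsoftonline.com/{tenant}/v2.0"
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"unexpected issuer {doc.get('issuer')!r}; use the v2.0 endpoint")
    settings = {}
    for field, key in FIELD_MAP.items():
        if key not in doc:
            raise ValueError(f"discovery document lacks {key}")
        if urlsplit(doc[key]).scheme != "https":
            raise ValueError(f"{key} is not an https URL")
        settings[field] = doc[key]
    return settings


def encode_client_secret(secret: str) -> str:
    """Percent-encode the Azure client secret for the DRACOON Client Secret
    field: + -> %2B, / -> %2F, = -> %3D. safe="" makes quote() encode '/' too."""
    return quote(secret, safe="")


def pkce_challenge(verifier: str) -> str:
    """S256 challenge for a PKCE code verifier (RFC 7636):
    base64url(SHA-256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair() -> tuple:
    """Generate a fresh, high-entropy code verifier (43-128 unreserved
    characters) and its S256 challenge."""
    verifier = secrets.token_urlsafe(64)  # 86 base64url characters
    return verifier, pkce_challenge(verifier)


if __name__ == "__main__":
    print("Discovery URL:", discovery_url(TENANT))
    for field, value in dracoon_settings(SAMPLE_DISCOVERY, TENANT).items():
        print(f"{field}: {value}")
    print("Client Secret:", encode_client_secret("123+456/789="))
    verifier, challenge = new_pkce_pair()
    print("PKCE verifier:", verifier)
    print("PKCE challenge:", challenge)
```

With a real tenant, fetch the document from the printed discovery URL and pass the JSON text to dracoon_settings; the issuer check fails loudly if you accidentally pasted the v1.0 document. The PKCE functions only illustrate what DRACOON and Azure AD do on your behalf when PKCE with S256 is activated; you do not enter a verifier or challenge anywhere in the configuration.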
OpenID can now be used as an authentication method in DRACOON.
Allow OpenID for users
In order for a DRACOON user to be able to log on using OpenID, you must first allow this authentication method.
- In the DRACOON web app, click Users & Groups, select the user who should be allowed to authenticate via OpenID, and click Edit.
- Click the Authentication tab and select the Allow login with OpenID Connect check box.
- Enter the OpenID user name (the value of the mapping claim configured above, for example the user's e-mail address when the claim is email) and select the OpenID provider.
- Click Save User.