To connect Microsoft Entra ID (formerly known as Azure Active Directory) to DRACOON as an OpenID provider, follow these steps:
Settings in the Azure portal
1. Sign in to the Azure portal and select the desired tenant. (If you only have one tenant or have already selected the desired tenant, skip this step. To choose a tenant, click your profile picture in the upper right corner, click Change Directory, and select the desired tenant.)
2. Under Azure services, click Microsoft Entra ID.
3. In the left pane, click App registrations, and then click New registration.
4. Under Name, enter the name of your application (example: DRACOON). Under Redirect URI, enter the redirect URL of your DRACOON environment, which consists of the server URL of your DRACOON environment followed by /oauth/openid-callback. When finished, click the Register button.
5. In the left pane, click Certificates & secrets, click the Client secrets tab, and then click New client secret.
6. Under Add a client secret (on the right), enter a name for your key in the Description field, specify an expiration, and then click Add.
7. You will then see the value of the key, which is your client secret.
   Important: Make sure to copy the client secret and save it to a text file. If you leave the page without saving the client secret, you will not be able to view it again.
8. In the left pane, click Authentication. This is where the redirect URI and logout URL are specified.
   Under Redirect URIs, enter your DRACOON server URL, followed by the path /oauth/openid-callback (the redirect URI entered in step 4).
   Under Front-channel logout URL, enter your DRACOON server URL, followed by the path
   To finish, click the Save button.
9. In the Overview of your created application, you will find all the information you need for storing the configuration in DRACOON. Useful URLs are displayed after clicking Endpoints.
Settings in DRACOON
The settings in the Azure portal are now complete.
Next, the Azure values must be stored in DRACOON.
You must own the Configuration Manager role to change the following settings.
1. In the DRACOON web app, in the left side pane, click Settings, and then click Authentication.
2. Click the OpenID Connect tab.
3. Activate the Enable login with OpenID Connect switch.
4. To the right of OpenID Provider, click the Add button.
5. Obtain the values for the OpenID configuration of your Entra ID.
   You can find these values in a file whose URL is shown in the Azure portal under Endpoints > OpenID Connect metadata document (see step 9 above). Copy the specified URL and paste it into the address bar of a new browser tab to open it.
   Tip: For a better overview of the values, it is recommended to use the browser's developer tools and display the OpenID configuration under the Network tab.
   Please make sure that the v2 endpoints are used and not the v1 endpoints; otherwise, there might be problems when importing users, because the email claim, which is absolutely necessary, cannot be retrieved.
6. Now, enter the settings for the OpenID provider in DRACOON.
The following list shows, for each value required in DRACOON, the corresponding name in the OpenID Connect metadata document (value in DRACOON: value from the OpenID Connect configuration):
- Name: may be chosen freely *
- Issuer URL: issuer
- Authorization Endpoint URL: authorization_endpoint (OAuth 2.0 authorization endpoint (v2))
- Token Endpoint URL: token_endpoint (OAuth 2.0 token endpoint (v2))
- UserInfo Endpoint URL: userinfo_endpoint
- JWKS Endpoint URL: jwks_uri
- Client ID: displayed in the Azure portal under Overview as "Application (client) ID" for your application *
- Client Secret: the key that you saved in a text file as described above
- Scopes: openid, email, profile *
- Redirect URIs: the previously entered redirect URL that ends with /openid-callback (step 8 above) *
- Proof Key for Code Exchange (PKCE): activation recommended
- PKCE Challenge Method: id_token_signing_alg_values_supported (S256)
- Mapping Claim: email *
- Fallback User Mapping Claim: sub (recommendation; *)
The last two DRACOON settings, Automatically import users and User group, are not listed here; they are optional and can be activated if required.
Click Save to save your settings.
OpenID can now be used as an authentication method in DRACOON.
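To make the mapping above concrete, here is an added example (not DRACOON's or Microsoft's code) that reads an OpenID Connect metadata document, pulls out the five endpoint values DRACOON asks for, and runs the checks the article calls for before you type anything into the form: the issuer, authorization and token endpoints must be Entra v2 endpoints (their path contains /v2.0), every endpoint must be HTTPS, the email claim must be advertised, and S256 must be available for PKCE. Both metadata documents are constructed samples with a placeholder tenant ID; whether Entra publishes code_challenge_methods_supported in its discovery document is an assumption here, so a missing field is reported as a finding rather than treated as fatal.

```python
"""Added example: extract DRACOON OpenID provider settings from an OIDC
metadata document and sanity-check it (v2 endpoints, email claim, S256)."""
import json
from urllib.parse import urlparse

# Constructed sample of an Entra ID v2 discovery document. TENANT-ID-PLACEHOLDER
# stands for the real tenant ID; fetch the real document from the URL shown in
# the Azure portal under Endpoints > OpenID Connect metadata document.
SAMPLE_V2_METADATA = json.dumps({
    "issuer": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/token",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "jwks_uri": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/discovery/v2.0/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
    # Assumed field (see lead-in); absence is reported, not fatal.
    "code_challenge_methods_supported": ["S256"],
    "claims_supported": ["sub", "iss", "aud", "exp", "iat", "name",
                         "preferred_username", "email"],
})

# Constructed sample of a v1-style document: no /v2.0 in the paths and no
# email claim advertised. This is what the article warns against using.
SAMPLE_V1_METADATA = json.dumps({
    "issuer": "https://sts.windows.net/TENANT-ID-PLACEHOLDER/",
    "authorization_endpoint": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/authorize",
    "token_endpoint": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/token",
    "userinfo_endpoint": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/openid/userinfo",
    "jwks_uri": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/discovery/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
})

# DRACOON field name -> key in the metadata document (the list in the article).
FIELD_MAP = {
    "Issuer URL": "issuer",
    "Authorization Endpoint URL": "authorization_endpoint",
    "Token Endpoint URL": "token_endpoint",
    "UserInfo Endpoint URL": "userinfo_endpoint",
    "JWKS Endpoint URL": "jwks_uri",
}


def extract_dracoon_settings(metadata_json: str) -> dict:
    """Return the DRACOON provider fields that come straight from the metadata.

    Raises KeyError if a required endpoint is missing, so a truncated document
    fails loudly instead of producing a half-filled provider configuration.
    """
    md = json.loads(metadata_json)
    return {field: md[key] for field, key in FIELD_MAP.items()}


def check_metadata(metadata_json: str) -> list:
    """Return a list of findings; an empty list means the document looks usable."""
    md = json.loads(metadata_json)
    findings = []
    # Entra v2 endpoints carry /v2.0 in their path; v1 endpoints do not.
    for key in ("issuer", "authorization_endpoint", "token_endpoint"):
        if "/v2.0" not in urlparse(md.get(key, "")).path:
            findings.append(f"{key} is not a v2 endpoint: {md.get(key)}")
    # Every endpoint DRACOON will call must be present and use HTTPS.
    for key in FIELD_MAP.values():
        if not str(md.get(key, "")).startswith("https://"):
            findings.append(f"{key} is missing or not https")
    # DRACOON maps users on the email claim, so it must be available.
    if "email" not in md.get("claims_supported", []):
        findings.append("email claim is not advertised in claims_supported")
    # PKCE with S256 is recommended in DRACOON.
    if "S256" not in md.get("code_challenge_methods_supported", []):
        findings.append("S256 not advertised in code_challenge_methods_supported "
                        "(field may be absent)")
    return findings


if __name__ == "__main__":
    for name, doc in (("v2", SAMPLE_V2_METADATA), ("v1", SAMPLE_V1_METADATA)):
        print(f"--- {name} document ---")
        for field, value in extract_dracoon_settings(doc).items():
            print(f"{field}: {value}")
        for finding in check_metadata(doc) or ["no findings"]:
            print("check:", finding)
```

Run it as-is to see the v2 sample pass cleanly and the v1 sample fail the endpoint and email checks; to use it on your own tenant, replace the constructed sample with the metadata document downloaded from the URL shown under Endpoints.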
Allow OpenID for users
For a DRACOON user to be able to log in with OpenID, you must first allow this authentication method for the user.
1. In the DRACOON web app, click Settings and double-click the user who should be allowed to authenticate via OpenID.
2. In the Authentication method field, select OpenID Connect.
3. Select the desired OpenID provider, enter the OpenID user name of the user, and click Save.