Authenticate worker single sign-on (SSO) from Microsoft Azure AD using OpenID Connect

Introduction

This guide demonstrates how to enable one-click single sign-on (SSO) for Cerb workers by authenticating against existing Microsoft Azure AD (Active Directory) accounts using the OpenID Connect (OIDC) standard. Microsoft has since renamed Azure AD to Microsoft Entra ID, so some portal labels may differ from those shown here; the steps and endpoints are unchanged.

Cerb matches a signed-in Azure account to a worker by email address, so the email on each Azure AD account must exactly match the email on a worker record in Cerb; an account with no matching worker cannot log in. Once SSO works, you can disable password-based logins for those workers so that Azure AD becomes the only way to authenticate them.

Configure Azure AD

Log in to the Azure Portal.

Create OAuth app for Cerb

  1. Navigate to All services » Azure Active Directory.

  2. Select App registrations from the left menu.

  3. Click the New registration button at the top.

    Name: Cerb SSO
    Supported account types: Accounts in this organizational directory only (single tenant), the default
    Redirect URI (Web): https://{CERB-URL}/sso/azure-ad

    The redirect URI must match what Cerb sends byte for byte (scheme, host, path, no trailing slash), otherwise Azure refuses the sign-in with a redirect URI mismatch error. Use HTTPS; Azure only permits plain HTTP for localhost.
  4. Click the blue Register button at the bottom.

Create client secret

  1. In the new app registration, navigate to Certificates & secrets.

  2. Click the New client secret button in the Client secrets section near the middle of the page.

    Description: Cerb SSO
    Expires: choose a lifetime (Azure no longer offers Never and caps client secrets at 24 months); record the expiry date, and rotate the secret in both Azure and Cerb before it lapses or SSO logins will start failing
  3. Click the blue Add button.

  4. Copy the Value (not the Secret ID). The value is displayed only once, immediately after creation; if you navigate away without copying it, delete the secret and create a new one.

Configure optional claims

  1. In the new app registration, navigate to Token configuration.

  2. Click the Add optional claim button.

  3. Select ID for Token type.

  4. Check the box to the left of the email claim. Azure only includes this claim in the ID token when the account has an email address, so an account without one cannot be matched to a Cerb worker.

  5. Click the blue Add button at the bottom of the claim list.

Configure Cerb

Log in to Cerb as an administrator.

Create a connected service for Azure

  1. Navigate to Search » Connected Services and click the (+) icon above the worklist.

    Name: Azure AD
    URI: azure-ad
    Type: OpenID Connect Identity Provider
    Client ID: the Application (client) ID from the Azure app registration above
    Client Secret: the client secret Value copied above
    Authorize Scope: openid email
    Issuer: https://login.microsoftonline.com/{DIRECTORY-ID}/v2.0

    You can find the {DIRECTORY-ID} in the Azure portal for your app registration as Directory (tenant) ID. Use your tenant ID here rather than common: the tenant-specific issuer pins Cerb to your directory, so ID tokens issued to accounts in any other Azure tenant are rejected at issuer validation even if their email addresses match a worker.

  2. Click the Run Discovery button. Cerb fetches the OIDC discovery document from {Issuer}/.well-known/openid-configuration and fills in the authorization, token, and key (JWKS) endpoints; if discovery fails, check the Issuer value and that the tenant ID is correct.

  3. Click the Save Changes button.

Configure SSO

  1. Navigate to Setup » Security » Authentication.

  2. Check Azure AD.

  3. Click the Save Changes button.

Log in

  1. Visit the login form in Cerb.

  2. Click the Azure AD button.

  3. Log in with a Microsoft account that belongs to the Azure AD directory configured above.

  4. Accept the consent prompt (shown on first sign-in, asking for permission to share your sign-in and email address with Cerb SSO).

  5. You should be logged into Cerb as the worker whose email address matches your Microsoft account's email. If the login fails, confirm that the email on the worker record matches the email claim exactly and that the optional email claim was added to the ID token.
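The following is an added example, not Cerb's own code, showing the OIDC mechanics behind the steps above: what Run Discovery checks, what the Azure AD login button sends the browser to, and the claim checks that decide whether an ID token maps to a worker. The tenant ID, client ID, Cerb URL, worker table, discovery document, and ID token are all constructed placeholders so it runs offline; signature verification against the tenant's jwks_uri is required in a real deployment and is deliberately left out here.

```python
import base64
import json
import secrets
import time
from urllib.parse import urlencode

# Placeholders (assumptions, not values from the guide):
TENANT_ID = "00000000-0000-0000-0000-000000000000"  # Directory (tenant) ID
CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # Application (client) ID
CERB_URL = "https://cerb.example.com"               # your {CERB-URL}
REDIRECT_URI = f"{CERB_URL}/sso/azure-ad"
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"

# Constructed sample of what Run Discovery fetches from
# {ISSUER}/.well-known/openid-configuration (shape of Azure AD's v2.0 document).
SAMPLE_DISCOVERY = {
    "issuer": ISSUER,
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
}

# Constructed sample worker table (email -> worker id); Cerb matches on email.
WORKERS = {"alice@example.com": 1, "bob@example.com": 2}


def check_discovery(doc, expected_issuer=ISSUER):
    """Accept a discovery document only if its issuer is our tenant's.
    A 'common' or foreign-tenant issuer fails here, which is why the
    Issuer field uses {DIRECTORY-ID}."""
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            raise ValueError(f"{key} missing or not https")
    return doc


def build_authorize_url(doc, state, nonce):
    """The URL the Azure AD login button redirects the browser to."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,  # must equal the registered Redirect URI exactly
        "scope": "openid email",       # the Authorize Scope configured in Cerb
        "state": state,                # binds the callback to this browser session
        "nonce": nonce,                # echoed back in the ID token
    }
    return doc["authorization_endpoint"] + "?" + urlencode(params)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def validate_id_token_claims(id_token, nonce, now=None):
    """Claim checks on the ID token returned by the code exchange.
    Production code must also verify the signature against jwks_uri."""
    now = time.time() if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != ISSUER:
        raise ValueError("token not issued by our tenant")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token not issued for this app registration")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (replayed or injected token)")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if not claims.get("email"):
        raise ValueError("email claim missing: add the optional email ID token claim")
    return claims


def worker_for_claims(claims):
    """Map the email claim to a worker; unknown emails must not log in."""
    email = claims["email"].strip().lower()
    if email not in WORKERS:
        raise LookupError(f"no worker for {email}")
    return WORKERS[email]


def make_sample_id_token(claims):
    """Constructed unsigned token (alg 'none') so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


def login_flow(now=1_700_000_000, email="alice@example.com", issuer=ISSUER):
    """End to end: discovery -> ID token claims -> worker id."""
    check_discovery(SAMPLE_DISCOVERY)
    nonce = secrets.token_urlsafe(16)
    # Constructed sample token, shaped like what Azure returns after the code exchange.
    token = make_sample_id_token({
        "iss": issuer, "aud": CLIENT_ID, "sub": "user-object-id", "nonce": nonce,
        "iat": now, "exp": now + 3600, "email": email,
    })
    return worker_for_claims(validate_id_token_claims(token, nonce, now=now))


if __name__ == "__main__":
    print("logged in as worker", login_flow())
```

The foreign-tenant case is the one worth trying: a token carrying a matching email but an issuer of another tenant (or the common endpoint) is rejected before the email is ever consulted, which is the protection the tenant-specific Issuer buys you.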