Skip to main content

Microsoft Entra ID(Azure AD)

To configure Appsmith to use Microsoft Entra ID (Azure AD) as an OIDC provider, follow the steps below:

Prerequisites

  1. A self-hosted Appsmith instance. See the installation guides for installing Appsmith.
  2. Before setting up Single Sign-On (SSO), ensure that you have already configured a custom domain for your instance.
  3. In Appsmith, go to Admin Settings > Authentication and click Enable on OIDC.
  4. Copy the Redirect URL from the OIDC configuration page to add it when creating the application in Entra ID.
OIDC configurations
OIDC configurations in Appsmith

Create application on Entra ID

  1. Log in to your Azure account and under Azure Services, click Microsoft Entra ID.
Azure Home
Azure Home
  1. Go to Manage Tenants from the navigation bar, select your directory and click Switch.
Manage Tenants
Manage Tenants
  1. On your directory's homepage, click + Add > App Registration from the navigation bar.

  2. On the Register an application page:

a. Add a name for your app.

b. Select Accounts in this organizational directory only (user-education only - Single tenant) from the options in Supported account types.

c. In Redirect URI, select the platform as Web, and add the Redirect URL copied from Appsmith's OIDC configurations in the adjacent input field.

d. Click Register.

  1. On the application homepage, copy the Application (client) ID to add it later in the OIDC configurations in Appsmith.

  2. To get the Client secret:

Client secret
Client secret

a. On the application homepage, click Add a certificate or secret from the Client credentials label.

b. On the Certificates & secrets page, go to the client secrets tab and click New client secret.

c. On Add a client secret panel, add the description and define the expiration of the key. Click Add.

d. Copy the Value of the Client secret to add it later in the OIDC configurations in Appsmith.

  1. Go back to the application homepage, and click the Endpoints tab from the navigation bar.

  2. In the Endpoints panel, copy and open the OpenID Connect metadata document URL in a new browser tab, and copy the following URLs from that page:

  • authorization_endpoint

  • token_endpoint

  • userinfo_endpoint

  • jwks_uri

Configure scopes on Entra ID

  1. To configure scopes on Entra ID, go to API permissions from the sidebar and click Add Permission.

  2. On the Request API permissions panel, select Microsoft Graph > Delegated permissions.

  3. In the Select permissions section, select the following permissions from the Openid permissions dropdown:

  • email
  • openid
  • offline_access
  • profile
  1. Scroll down to the Users dropdown and select Users.Read. Click Add permissions.

  2. Go back to the API permissions page and click Grant admin consent for this directory.

Register Entra ID in Appsmith

To complete the OIDC configuration, you have to register the identity provider on Appsmith. Go to Admin Settings > Authentication > OIDC, and follow the steps below:

  1. Add the Application (client) ID copied from the Entra ID application in the Client ID field.

  2. Add the Value of the Client secret copied from the Entra ID application in the Client Secret field.

  3. Add the URLs copied from the OpenID Connect metadata document page into OIDC configurations in Appsmith as per the table below:

OIDC configuration fieldMicrosoft Entra ID URL
Authorization URLauthorization_endpoint
Token URLtoken_endpoint
User Info URLuserinfo_endpoint
JWK Set URLjwks_uri
  1. In the Scopes section, add the attributes that allow you to authorize access to user details after a user is successfully authenticated. By default, there are three scopes - openid, email, profile.

Appsmith needs openid and email as mandatory scopes. It’s also highly recommended you use the offline_access scope to avoid errors related to expired access tokens and excessive re-login requests.

Enabling the offline_access scope allows your app to receive refresh tokens that extend the duration that your users have access to their resources. For more information, see Entra ID documentation.

  1. In the Username Attribute box, specify the name of the claim as sub that uniquely identifies the user.

  2. Once you have added the details, click the SAVE & RESTART button to save the configuration and restart the instance.

info

If you're running Appsmith on a Kubernetes cluster with an HA configuration, after completing the setup, run the following command to ensure the new authentication settings are properly applied:

kubectl rollout restart deployment/appsmith -n

After the Appsmith instance restarts, try logging in again to your account. You'll see a login screen with the SIGN IN WITH OIDC SSO button.

SAML-login
Login with SAML SSO