Single Sign-On (SSO) makes logging into multiple applications easier and safer. SSO allows users to authenticate once and access everything without needing to sign in again.

This guide explains how to configure to enable SSO via with Microsoft Azure Active Directory (Entra ID).

Our goal is to help you set up authentication to work smoothly with Entra ID, ensuring users can log in seamlessly and securely. We’ll keep things clear and straightforward.

What You’ll Need

Before starting, make sure you have:

• An Entra ID tenant with administrative access
• Basic knowledge Entra ID admin panels
• Access to a browser for testing

Why Use Entra ID?

Entra ID (previously Microsoft Azure AD) is widely used for enterprise user management. Combining this with our authentication allows your application to use Entra ID’s secure user database while leveraging our authentication component (Keycloak) for SSO and role management.

This setup is especially useful for businesses that want unified login experience across multiple platforms.

Step 1: Understand the SSO Flow

Here’s how the SSO process works in simple terms:

1. A user tries to access CLOWD9 Vista Portal.
2. The app redirects them to Keycloak.
3. Keycloak checks if the user is logged in. If not, it sends them to Entra ID’s login page.
4. The user enters their Entra ID credentials (like email and password).
5. Entra ID verifies the user and sends authentication details back to Keycloak.
6. Keycloak issues a token to the application, allowing the user to access it without logging in again.
7. User roles from Entra ID groups can be used to control what the user can do in the app.
8. This flow ensures secure and smooth access while keeping user data managed in Entra ID.

Step 2: Azure App Configuration

1. Create new Azure app. Create a new App registration from portal.azure.com selecting support for Multiple organizations when asked. You can find App registration in search.

2. Click New registration.

   

3. Fill in App details

   1. Use any name you like to reference it later, e.g. "CLOWD9 SSO Application"
   2. Enter a redirect URL TBC https://keycloak.sandbox.apps-clowd9.io/realms/clowd9-vista/broker/azure-ad/endpoint
   3. Click "Register" when done
   
   

   Once the app is created, Azure will show you the Application (client) ID. Copy this value—you’ll need it later.

   

4. Next, go to Certificates and Secrets and create a new client secret. Save the generated value securely; it will also be used in Keycloak. Use a meaningful name for you and suitable expiry time.

   

5. Go back to the app details page and click Endpoints. Copy the OpenID Connect metadata document URL. This will be important for Keycloak’s configuration later.

   

Step 3: Adding Identity Provider (IdP)

1. Add IdP in KeyCloak by TBC
2. CLOWD9 will need this data from you:
   1. OpenID Connect metadata document URL (this allows discovering all the other URLs), e.g. https://login.microsoftonline.com/xxUUIDxx/v2.0/.well-known/openid-configuration
   2. Application (client) ID - this is used as the Client ID
   3. Secret Value from above.

Step 4: Test Your Keycloak and Entra ID SSO Setup

To make sure authentication works correctly via Entra ID Single Sign-On (SSO) integration, follow these steps to test the login process. This will confirm that users can log in smoothly using their Entra ID credentials.

1. Open your browser and go to your CLOWD9 Vista Portal (logout if you are already logged in). You should see a login page like the one below. Select the SSO option

   

2. Enter your email address

   

3. Follow the login steps for your company services

   

4. That should complete your login and setup

Seeing this page means the SSO integration is working correctly.

Troubleshooting

If you don’t see the Entra ID login page, double-check your Identity Provider settings.

Ensure your Entra ID credentials are correct and that the user has access to the app. If the profile page doesn’t appear, verify the redirect URI in Keycloak matches your app’s settings.