OpenID Authentication with Microsoft Entra ID
This document presents a configuration guide for the XWiki OpenIDC authenticator with Microsoft Entra ID (formerly known as Microsoft Azure Active Directory or Azure AD).
Microsoft Entra ID
1. Register an application in Microsoft Entra ID (the "Register Application" link in the portal gives quick access).
The redirect_uri must be https://<YOUR XWIKI URL WITH PORT IF NECESSARY>/xwiki/oidc/authenticator/callback
2. Create a secret. Go to "Certificates & secrets", select "Client secrets" and click "New client secret"
3. Copy secret value
4. Go to "Token configuration" and add optional claims. The token type should be "ID". Select "preferred_username" and "upn" from the list
5. Add the "groups" claim. Select "Security groups" as the type and "Group ID" as the ID
6. Go to "API permissions" and make sure email, openid, profile, User.Read are set and granted as delegated
XWiki Configuration
First the OpenIDC Authenticator must be enabled in xwiki.cfg:
It is then configured in xwiki.properties. These are the properties to set:
#-# Endpoints
oidc.endpoint.authorization=https://login.microsoftonline.com/<REPLACE WITH YOUR DIRECTORY (TENANT) ID>/oauth2/v2.0/authorize
oidc.endpoint.token=https://login.microsoftonline.com/<REPLACE WITH YOUR DIRECTORY (TENANT) ID>/oauth2/v2.0/token
oidc.endpoint.userinfo=https://graph.microsoft.com/oidc/userinfo
oidc.endpoint.logout=https://login.microsoftonline.com/<REPLACE WITH YOUR DIRECTORY (TENANT) ID>/oauth2/v2.0/logout
#-# User info
oidc.endpoint.userinfo.method=GET
oidc.scope=openid,profile,email,address
#-# The username is generated from the user's UPN: it is converted to lowercase and all dots and other symbols are removed
oidc.user.nameFormater=${oidc.idtoken.upn._clean._lowerCase}
oidc.user.subjectFormater=${oidc.idtoken.upn}
oidc.user.preferredUsername=${oidc.idtoken.upn}
oidc.user.mail=${oidc.idtoken.upn}
#-# App Authentication
oidc.endpoint.token.auth_method=client_secret_basic
oidc.clientid=<APPLICATION (CLIENT) ID>
oidc.secret=<SECRET VALUE>
#-# Group sync (Example)
#-# The XWiki group name used here must match the group name in XWiki. Spaces in the group name are allowed
oidc.groups.claim=groups
oidc.groups.mapping=XWikiAdminGroup=<REPLACE WITH GROUP OBJECT ID>
oidc.groups.mapping=Support Team - Read Only=<REPLACE WITH GROUP OBJECT ID>
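To sanity-check a group mapping before rolling it out, the following added example (not part of this guide or of the XWiki OIDC authenticator) parses the repeated oidc.groups.mapping entries the way the properties above use them, derives the XWiki username from a UPN with an approximation of the _clean/_lowerCase formatter, and resolves the XWiki groups an ID token's "groups" claim would grant; the group object IDs and the sample claims are constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed xwiki.properties fragment mirroring the page's example.
# The group object IDs are invented placeholders, not real Entra IDs.
PROPERTIES = """
oidc.user.nameFormater=${oidc.idtoken.upn._clean._lowerCase}
oidc.groups.claim=groups
oidc.groups.mapping=XWikiAdminGroup=11111111-aaaa-4bbb-8ccc-000000000001
oidc.groups.mapping=Support Team - Read Only=11111111-aaaa-4bbb-8ccc-000000000002
"""

def parse_properties(text):
    """Parse key=value lines; a repeated key accumulates a list, which is how
    XWiki reads several oidc.groups.mapping lines."""
    props = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()].append(value.strip())
    return props

def xwiki_username(upn):
    """Approximation (assumed here) of ${oidc.idtoken.upn._clean._lowerCase}:
    strip everything that is not a letter or digit, then lowercase."""
    return re.sub(r"[^A-Za-z0-9]", "", upn).lower()

def map_groups(props, id_token_claims):
    """Return (sorted XWiki groups, warnings) for the groups claim in the token.
    Mapping entries have the form XWikiGroup=<group object ID>."""
    claim = props.get("oidc.groups.claim", ["groups"])[0]
    mapping = {}
    for entry in props.get("oidc.groups.mapping", []):
        xwiki_group, _, provider_group = entry.partition("=")
        mapping.setdefault(provider_group.strip(), []).append(xwiki_group.strip())
    warnings = []
    token_groups = id_token_claims.get(claim)
    if token_groups is None:
        # Entra omits the claim in its group-overage case: grant nothing and
        # flag it rather than silently mapping an empty set.
        warnings.append(f"claim '{claim}' missing from ID token; no groups mapped")
        token_groups = []
    groups = sorted({g for gid in token_groups for g in mapping.get(gid, [])})
    return groups, warnings

if __name__ == "__main__":
    cfg = parse_properties(PROPERTIES)
    claims = {"upn": "Jane.Doe@contoso.example",
              "groups": ["11111111-aaaa-4bbb-8ccc-000000000002"]}
    print(xwiki_username(claims["upn"]), map_groups(cfg, claims))
```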