
OpenID (Azure AD) Authentication in Sparx EA

July 17, 2020

In this blog post, we will see how to enable Single Sign-On to Sparx Enterprise Architect models through OpenID (Azure AD) based authentication.

Configure OpenID in Azure AD

Register App

Log in to Azure. Click on Azure Active Directory.

Click on App registrations on the side bar. Click on New registration.

This form will open. Give a name to the application and choose a suitable option under Supported account types. Fill the Redirect URI as per the steps below and click on Register.

Follow these steps to get the Redirect URI:

  1. Open EA as an admin
  2. Click on Configure > Users
  3. Click on Configure OpenID
  4. Callback URL is the Redirect URI

Get Application or Client ID

Open the newly registered app and note the Application ID. This is the Client ID we need to use in EA.

Get OpenID URL

Click on Endpoints and copy the OpenID Connect metadata document URL. This is the OpenID URL we need to use in EA.

If you do not need them, you can jump to the next section, Configure OpenID SSO in Enterprise Architect, as the remaining configurations on the Azure AD side are optional.

Create Client Secrets

To secure the transaction between EA and OpenID, you can create and use a client secret. Click on Certificates & secrets and then on New client secret.

Manage Claims

You can create and manage claims in the Token configuration page. Learn more here.

Here is the mapping:

OpenID            EA
Optional claim    Claim to Match to Local User
Groups claim      Claim to Match to Local Groups

Manage API permissions or Scope

Here is a sample of API permissions or Scope defined in Azure AD. Learn more about permissions and consent here.

Configure OpenID SSO in Enterprise Architect

Connect EA to OpenID

Login as an Admin. Click on Configure > Users.

Enable Accept OpenID Authentication and click on Configure OpenID. Learn about the settings in this screen here.

Fill in the form as per the following details. For an elaborate description of each field, click here.

Field                            Description
OpenID URL                       Paste the URL copied in the Get OpenID URL section, with the trailing .well-known/openid-configuration part removed
Client ID                        Paste the Application ID noted in the Get Application or Client ID section
Client Secret                    Paste the secret value created in the Create Client Secrets section
Scope                            "openid" is mandatory. Other scopes can be added as per your requirements after configuring them in Azure AD
Claim to Match to Local User     "sub" is the common claim. You can add more claims as per your requirements after configuring them in Azure AD
Claim to Match to Local Groups   "groups" is the common claim. You can add more claims as per your requirements after configuring them in Azure AD
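As an added example (not part of the original post and not Sparx or Microsoft code), a small Python check that derives the EA OpenID URL from the metadata document URL and compares the EA form values against what the provider advertises in its discovery document. The discovery document and tenant id below are constructed placeholders; the check is generic to any OpenID Connect provider, not only Azure AD.

```python
import json
from urllib.parse import urlsplit

METADATA_SUFFIX = "/.well-known/openid-configuration"

# Constructed sample discovery document, shaped like the one Azure AD
# publishes. The tenant id is a placeholder, not a real tenant.
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/token",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "claims_supported": ["sub", "iss", "aud", "exp", "iat", "name", "preferred_username", "email"],
})


def ea_openid_url(metadata_url: str) -> str:
    """Turn the 'OpenID Connect metadata document' URL copied from Azure AD
    into the value EA expects: the same URL without the .well-known suffix."""
    if not metadata_url.endswith(METADATA_SUFFIX):
        raise ValueError("not an OpenID Connect metadata document URL")
    return metadata_url[: -len(METADATA_SUFFIX)]


def check_ea_settings(discovery_json: str, scope: str, user_claim: str, group_claim: str) -> list:
    """Return a list of problems with the EA form values; empty means every
    value is consistent with what the provider's discovery document advertises."""
    doc = json.loads(discovery_json)
    problems = []
    scopes = scope.split()
    if "openid" not in scopes:
        problems.append("Scope must include 'openid'")
    for s in scopes:
        if s not in doc.get("scopes_supported", []):
            problems.append(f"scope '{s}' is not advertised by the provider")
    claims = doc.get("claims_supported", [])
    if user_claim not in claims:
        problems.append(f"user claim '{user_claim}' is not advertised; local users may never match")
    if group_claim not in claims:
        problems.append(f"group claim '{group_claim}' is not advertised; group mapping will not work")
    # EA sends the client secret to the token endpoint, so every endpoint must be HTTPS.
    for key in ("issuer", "authorization_endpoint", "token_endpoint"):
        if urlsplit(doc.get(key, "")).scheme != "https":
            problems.append(f"{key} is not HTTPS")
    return problems
```

Run it against the real discovery document of your tenant before restarting Pro Cloud Server; a missing "groups" claim shows up here as a reported problem rather than as silently unmapped users.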

Click on Test. Then click on Login with OpenID.

The test is successful if both of the following happen:

  1. A success message shows up in browser.
  2. A success message shows in EA.

Map EA and OpenID Groups

You can create a new group or link an existing EA group to an OpenID group to make it easier to onboard users to EA. Learn more here.

This is a prerequisite to enable the setting marked in the following image. Learn more here.

Restart Pro Cloud Server

Pro Cloud Server needs to be restarted for the configuration to take effect. You can restart it from the application server on which it is installed.

Log in using OpenID Authentication

When you connect to a model, the following window will show up. Click on Login with OpenID.

If you are already logged in to Azure AD, you will be logged in to the model.

If not, you will have to log in via the browser window that opens. On successful login, you will be logged in to the model.

Important Note

It has recently been noted that OpenID SSO from Azure AD is not fully compatible with EA, so you will not be able to use the Groups functionality.

To make SSO work for now, you have to create a user manually in EA for every OpenID user. The user name in EA must exactly match the name in OpenID.

Once this is done, OpenID users will be able to authenticate and log in to EA.