In this blog post, we will see how to enable Single Sign-On to Sparx Enterprise Architect models through OpenID (Azure AD) based authentication.
Log in to Azure. Click on Azure Active Directory.
Click on App registrations on the side bar. Click on New registration.
This form will open. Give a name to the application and choose a suitable option under Supported account types. Fill in the Redirect URI as per the steps below and click on Register.
Follow these steps to get the Redirect URI:
Open the newly registered app and note the Application ID. This is the Client ID we need to use in EA.
Click on Endpoints and copy the OpenID Connect metadata document URL. This is the OpenID URL we need to use in EA.
The remaining configurations on the Azure AD side are optional, so you can jump to the next section, Configure OpenID SSO in Enterprise Architect, if needed.
To secure the transaction between EA and OpenID, you can create and use a client secret. Click on Certificates & secrets and then on New client secret.
You can create and manage claims in the Token configuration page. Learn more here.
Here is the mapping:
|Azure AD claim|EA setting|
|---|---|
|Optional claim|Claim to Match to Local User|
|Groups claim|Claim to Match to Local Groups|
Here is a sample of API permissions or Scope defined in Azure AD. Learn more about permissions and consent here.
Log in as an Admin. Click on Configure > Users.
Enable Accept OpenID Authentication and click on Configure OpenID. Learn about the settings in this screen here.
Fill in the form as per the following details. For a detailed description of each field, click here.
|Field|Value|
|---|---|
|OpenID URL|Paste the URL we copied in the Get OpenID URL section, without the trailing part `.well-known/openid-configuration`|
|Client ID|Paste the ID we copied in the Get Application or Client ID section|
|Client Secret|Paste the ID we copied in the Create Client Secrets section|
|Scope|“openid” must be included. Other scopes can be added as per your requirements after configuring them in Azure AD|
|Claim to Match to Local User|“sub” is the common claim. You can add more claims as per your requirements after configuring them in Azure AD|
|Claim to Match to Local Groups|“groups” is the common claim. You can add more claims as per your requirements after configuring them in Azure AD|
Click on Test. Then click on Login with OpenID.
The test is successful if both of the following happen.
Pro Cloud Server needs to be restarted for the configuration to take effect. You can restart it from the application server it is installed in.
When you connect to a model, the following window will show up. Click on Login with OpenID.
If you are already logged in to Azure AD, you will be logged in to the model.
If not, you will have to log in through the browser that opens. On successful login, you will be logged in to the model.
It has recently been noted that OpenID SSO from Azure AD is not completely compatible with EA, so you will not be able to use the Groups functionality.
To make SSO work for now, you have to create a user manually in EA for every OpenID user. The name in EA should exactly match the name in OpenID.
Once this is done, OpenID users will be able to authenticate and log in to EA.
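A pre-flight check for the values entered in the Configure OpenID form and for the exact name match described above. This is an added example, not part of the original post or of any Sparx tooling; the tenant ID, token contents and user names are constructed, and the space- or comma-separated Scope format is an assumption.

```python
import base64
import json
import re

SUFFIX = ".well-known/openid-configuration"
# Constructed sample: an all-zero tenant ID, not a real directory.
SAMPLE_METADATA_URL = ("https://login.microsoftonline.com/"
                       "00000000-0000-0000-0000-000000000000/v2.0/" + SUFFIX)

def ea_openid_url(metadata_url):
    """Value for EA's OpenID URL field: the metadata URL minus the discovery suffix."""
    url = metadata_url.strip()
    if not url.startswith("https://"):
        raise ValueError("metadata URL must use https")
    if not url.endswith(SUFFIX):
        raise ValueError("not an OpenID Connect metadata document URL")
    return url[:-len(SUFFIX)]

def make_sample_token(claims):
    """Build an unsigned, constructed JWT-shaped string for offline testing."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=")
    return "e30." + body.decode() + ".constructed"

def decode_claims(id_token):
    """Decode a token payload for inspection only; the signature is NOT verified."""
    payload = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def preflight(scope, user_claim, group_claim, claims, ea_users):
    """Return a list of problems with the planned EA OpenID settings."""
    problems = []
    # Assumption: the Scope field is space- or comma-separated.
    if "openid" not in re.split(r"[\s,]+", scope.strip()):
        problems.append("scope must include 'openid'")
    value = claims.get(user_claim)
    if value is None:
        problems.append(f"claim '{user_claim}' missing from token")
    elif value not in ea_users:
        near = [u for u in ea_users if u.strip().lower() == str(value).strip().lower()]
        hint = f" (near match: {near[0]!r})" if near else ""
        problems.append(f"no EA user named exactly {value!r}{hint}")
    if group_claim and group_claim not in claims:
        problems.append(f"claim '{group_claim}' missing from token")
    return problems

if __name__ == "__main__":
    token = make_sample_token({"sub": "Jane Doe"})  # constructed claims
    print(ea_openid_url(SAMPLE_METADATA_URL))
    print(preflight("openid profile", "sub", "groups", decode_claims(token), ["jane doe"]))
```

`decode_claims` is for inspecting a token you obtained during the Test step; it does not validate the token and must not be used to make an authentication decision.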