OpenID (Azure AD) Authentication in Sparx EA
July 17, 2020
In this blog post, we will see how to enable Single Sign-On to Sparx Enterprise Architect models through OpenID (Azure AD) based authentication.
Configure OpenID in Azure AD
Register App
Log in to Azure. Click on Azure Active Directory.
Click on App registrations on the side bar. Click on New registration.
This form will open. Give a name to the application and choose a suitable option under Supported account types. Fill the Redirect URI as per the steps below and click on Register.
Follow these steps to get the Redirect URI:
- Open EA as an admin
- Click on Configure > Users
- Click on Configure OpenID
- Callback URL is the Redirect URI
![Call back URL]()
Get Application or Client ID
Open the newly registered app and note the Application ID. This is the Client ID we need to use in EA.
Get OpenID URL
Click on Endpoints and copy the OpenID Connect metadata document URL. This is the OpenID URL we need to use in EA.
You can jump to the next section - Configure OpenID SSO in Enterprise Architect if needed as the following configurations are optional on Azure AD side.
Create Client Secrets
To secure the transaction between EA and OpenID, you can create and use a client secret. Click on Certificates & secrets and then on New client secret.
Manage Claims
You can create and manage claims in the Token configuration page. Learn more here.
Here is the mapping:
| OpenID | EA |
|---|---|
| Optional claim | Claim to Match to Local User |
| Groups claim | Claim to Match to Local Groups |
Manage API permissions or Scope
Here is a sample of API permissions or Scope defined in Azure AD. Learn more about permissions and consent here.
Configure OpenID SSO in Enterprise Architect
Connect EA to OpenID
Login as an Admin. Click on Configure > Users.
Enable Accept OpenID Authentication and click on Configure OpenID. Learn about the settings in this screen here.
Fill the form as per the following details. For elaborate description of each field, click here.
| Field | Description |
|---|---|
| OpenID URL | Paste the URL we copied in Get OpenID URL section without this part - .well-known/openid-configuration |
| Client ID | Paste the ID we copied in Get Application or Client ID section |
| Client Secret | Paste the ID we copied in Create Client Secrets section |
| Scope | “Openid” should be mandatorily mentioned. Other scopes can be added as per your requirements after configuring them in Azure AD |
| Claim to Match to Local User | “sub” is the common claim. You can add more claims as per your requirements after configuring them in Azure AD |
| Claim to Match to Local Groups | “groups” is the common claim. You can add more claims as per your requirements after configuring them in Azure AD |
Click on Test. Then Click on Login with OpenID .
The test is successful if both of the following happens.
- A success message shows up in browser.
![Access Granted]()
- A success message shows in EA.
![Success Message]()
Restart Pro Cloud Server
Pro Cloud Server needs to be restarted for the configuration to take effect. You can restart it from the application server it is installed in.
Log in using OpenID Authentication
When you connect to a model, the following window will show up. Click on Login with OpenID.
If you are already logged in to Azure AD, you will be logged in to the model.
If not, you will have to login in the browser that opens. On successful login, you will be logged in to the model.
Important Note
It has been recently noted that OpenID SSO from Azure AD is not completely compatible with EA and so, you will not be able to use the Groups functionality.
To make SSO work for now, you have to create a user manually in EA for every OpenID user. The name in EA should exactly match with the name in OpenID.
Once this is done, OpenID users will be able to authenticate and log in to EA.