Microsoft Entra ID — previously known as Azure Active Directory (Azure AD / AAD) — is an Identity and Access Management (IAM) solution running in the cloud. It can be connected to the WoodWing Identity Service (WIS) using the OIDC protocol.
How to set up Microsoft Entra ID for this is explained in this article.
The process is as follows:
- Registering the WoodWing Identity Service in Entra ID
- Setting up permissions
- Setting up a client secret
- Configuring the token
- Updating the manifest
- Creating and assigning groups
- Testing the integration
1. Registering the WoodWing Identity Service in Entra ID
In this step, the WoodWing Identity Service is registered as an app in Entra ID. It involves steps in the WoodWing Identity Service and in Entra ID.
Steps in the WoodWing Identity Service
Step 1. Log in to the WoodWing Identity Service as a user that is part of a group with the role of 'owner'.
Step 2. Access the Settings page.
A page appears with information about the organization, including any identity provider that is set up.
Step 3. Under Identity provider, click Set up or edit.
A panel appears in which the identity provider can be configured.
Step 4. Select the OIDC tab.
Step 5. At the top of the tab, copy the redirect URI by clicking the Copy button.
This is used in the next step for setting up Entra ID.
Steps in Entra ID
Step 1. Access the Entra admin center, navigate to Applications > App registrations and click New registration.
The Register an application page appears.
Step 2. Give the application a name.
Step 3. Under Supported account types, select Accounts in this organization directory only (Single tenant).
Step 4. Under Redirect URI, select Web as the application type, and paste the previously copied redirect URI.
Step 5. Click Register.
Step 6. In the Application overview, click the Copy icon to copy the Application (client) ID and store it somewhere.
Step 7. In the same Application overview, click Endpoints, and copy and store the well-known URI.
Steps in the WoodWing Identity Service
Return to the OIDC settings page in the WoodWing Identity Service.
Step 1. In the Client ID field, paste the Application ID that was copied in Entra ID in step 6.
Step 2. In the Well-known URL field, paste the Well-known URI that was copied in Entra ID in step 7.
2. Setting up permissions
In this step, the permissions for the app are set up in Entra ID.
Step 1. In the registered application in Entra ID, click on Integration assistant in the menu on the left and do the following on the page that appears:
- Under What application types are you building?, select Web app.
- Enable the option Is this application calling APIs?.
- Click Evaluate my app registration.
The details for your app appear.
Step 2. On the Summary tab, open the menu for Configure API permissions by clicking the three dots, and choose Go to page.
The API permissions page appears.
Step 3. Click Add a permission, then Microsoft Graph, and then Delegated permissions.
The Request API permissions panel appears.
Step 4. Expand the Group section and select Group.Read.All.
Step 5. Click Add permissions.
Step 6. Click Grant admin consent for (name) and confirm the action.
3. Setting up a client secret
In this step, the client secret for the app in Entra ID is set up.
Step 1. Return to the Integration assistant page by clicking it in the menu on the left.
Step 2. Again from the menu on the left, click Certificates & secrets to open that page.
Step 3. Click New client secret and in the Add a client secret panel that appears, enter a description and choose a longer expiry date.
Step 4. Click Add.
The client secret ID and the client secret value are shown.
Step 5. Copy the client secret value.
Step 6. Return to the OIDC settings page in the WoodWing Identity Service and paste the client secret value in the Client secret field.
4. Configuring the token
In this step, the token for the app in Entra ID is configured.
Step 1. From the menu on the left, click on Token configuration to open that page.
Step 2. Click Add groups claim, and from the Edit groups claim panel that appears, do the following:
- Under Select group types to include in Access, ID, and SAML tokens, select the option Groups assigned to the application.
- Under Customize token properties by type, expand each section and for each type, select the sAMAccountName option.
- Click Add.
5. Updating the manifest
In this step, the manifest for the app in Entra ID is configured.
Step 1. From the menu on the left, click on Manifest to open that page.
Step 2. In the JSON code, add the cloud_displayname property to the groups claim under idToken:

    "idToken": [
        {
            "additionalProperties": [
                "sam_account_name",
                "cloud_displayname"
            ],
            "essential": false,
            "name": "groups",
            "source": null
        }
    ],
Step 3. Click Save to save the changes.
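The manifest edit above is easy to get slightly wrong by hand (a missing comma, a property added to accessToken instead of idToken, or a duplicate entry). The following Python script is an added example, not part of this article or of the WoodWing product: it works on a constructed sample of the optionalClaims part of an Entra app manifest, checks which of the two properties the groups claim is still missing, and returns a corrected copy. The sample manifest content and the helper names are assumptions for illustration; the two property names and the idToken structure are the ones shown above.

```python
import copy
import json

# Constructed sample of the relevant part of an Entra app manifest, as it looks
# after the groups claim was added under Token configuration (step 4) but
# before cloud_displayname has been added by hand (step 5).
SAMPLE_MANIFEST = {
    "optionalClaims": {
        "idToken": [
            {
                "additionalProperties": ["sam_account_name"],
                "essential": False,
                "name": "groups",
                "source": None,
            }
        ],
        "accessToken": [],
        "saml2Token": [],
    }
}

# The two additional properties the groups claim must carry for the
# WoodWing Identity Service integration described in this article.
REQUIRED_GROUP_PROPERTIES = ("sam_account_name", "cloud_displayname")


def missing_group_properties(manifest, token_type="idToken"):
    """List the required properties that are absent from the 'groups' claim of
    the given token type, so the manifest can be checked before saving."""
    claims = manifest.get("optionalClaims", {}).get(token_type, [])
    present = set()
    for claim in claims:
        if claim.get("name") == "groups":
            present.update(claim.get("additionalProperties", []))
    return [p for p in REQUIRED_GROUP_PROPERTIES if p not in present]


def ensure_groups_claim_properties(manifest, token_type="idToken"):
    """Return a deep copy of the manifest in which every 'groups' claim of the
    given token type carries both required properties (idempotent: existing
    entries are kept and never duplicated). Raises ValueError when no groups
    claim exists, because the Token configuration step has to be done first."""
    updated = copy.deepcopy(manifest)
    claims = updated.setdefault("optionalClaims", {}).setdefault(token_type, [])
    groups_claims = [c for c in claims if c.get("name") == "groups"]
    if not groups_claims:
        raise ValueError(f"no 'groups' claim in optionalClaims.{token_type}")
    for claim in groups_claims:
        props = claim.setdefault("additionalProperties", [])
        for prop in REQUIRED_GROUP_PROPERTIES:
            if prop not in props:
                props.append(prop)
    return updated


if __name__ == "__main__":
    print("missing before:", missing_group_properties(SAMPLE_MANIFEST))
    fixed = ensure_groups_claim_properties(SAMPLE_MANIFEST)
    print("missing after: ", missing_group_properties(fixed))
    print(json.dumps(fixed["optionalClaims"]["idToken"], indent=2))
```

To use it on a real registration, download the manifest JSON from the Manifest page, load it with json.load, run ensure_groups_claim_properties on it, and paste the resulting idToken array back into the editor; the function only touches the groups claim of the token type you name, so the accessToken and saml2Token sections stay as they were.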
6. Creating and assigning groups
In this step, the users who should have access to the app are set up in Entra ID.
Note: Make sure that the group names match the group names that are defined in the WoodWing application, so that access rights and permissions work correctly.
Step 1. Navigate to Groups > Overview and click New group.
The New group page appears.
Step 2. In the Group name field, enter a descriptive name.
Step 3. At the bottom of the page, click No members selected in the Members section.
The Add owners panel appears.
Step 4. Select the users you want to add and click Select.
Step 5. Navigate to the Enterprise applications page by selecting it in the menu on the left.
Step 6. Select your created application.
Step 7. Select the Users and groups tab and click Add user/group.
Step 8. In the dialog that appears, search for your created group, select it, and submit the form by clicking Select.
Step 9. Click Assign to add the group to the application's assignments.
7. Testing the integration
Test the integration by letting users who are configured in Entra ID, and who have been given access to the app, log in to the WoodWing tenant that they should have access to.
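When a test login does not give the user the expected rights, the quickest diagnosis is to look at what the ID token actually contains. The following Python snippet is an added example, not part of this article or of the WoodWing Identity Service: it builds a constructed, unsigned ID token so that it runs offline, then decodes the payload and reports the configuration problems the steps above are meant to prevent (wrong issuer or audience, no groups claim, groups emitted as object IDs instead of names, or the user not being in the groups defined in WoodWing). The tenant ID, client ID, user name and group names are placeholders; the issuer format assumed is the v2.0 form https://login.microsoftonline.com/{tenant}/v2.0. A real Entra ID token is RS256-signed and the signature is verified by the Identity Service against the keys published under the well-known URL; this script does not verify signatures and is a diagnostic aid only.

```python
import base64
import json

# Placeholders: take the real values from your own app registration.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # Application (client) ID
# Constructed: the group names that are defined in the WoodWing application.
EXPECTED_GROUPS = {"ww-editors", "ww-admins"}


def _b64url_decode(part):
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    part += "=" * (-len(part) % 4)
    return base64.urlsafe_b64decode(part)


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_sample_id_token(groups):
    """Construct an unsigned (alg 'none') ID token for demonstration only;
    real Entra ID tokens are RS256-signed and must never be accepted unsigned."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {
        "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
        "aud": CLIENT_ID,
        "preferred_username": "user@example.com",   # constructed
        "groups": groups,
    }
    segments = [_b64url_encode(json.dumps(p).encode()) for p in (header, payload)]
    return ".".join(segments) + "."   # empty signature segment


def inspect_id_token(token, tenant_id=TENANT_ID, client_id=CLIENT_ID,
                     expected_groups=EXPECTED_GROUPS):
    """Decode the payload without signature verification and return a list of
    human-readable problems; an empty list means the claims look as expected."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part JWT"]
    payload = json.loads(_b64url_decode(parts[1]))
    problems = []
    if payload.get("iss") != f"https://login.microsoftonline.com/{tenant_id}/v2.0":
        problems.append(f"unexpected issuer: {payload.get('iss')!r}")
    if payload.get("aud") != client_id:
        problems.append("audience does not match the Application (client) ID")
    groups = payload.get("groups")
    if groups is None:
        problems.append("no 'groups' claim: check Token configuration and the manifest")
    else:
        # Group object IDs are GUIDs; names mean the sAMAccountName /
        # cloud_displayname settings took effect.
        guid_like = [g for g in groups if len(g) == 36 and g.count("-") == 4]
        if guid_like:
            problems.append(f"groups emitted as object IDs, not names: {guid_like}")
        missing = expected_groups - set(groups)
        if missing:
            problems.append(f"user is not in expected WoodWing groups: {sorted(missing)}")
    return problems


if __name__ == "__main__":
    for sample in (["ww-editors", "ww-admins"], ["aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"]):
        print(sample, "->", inspect_id_token(build_sample_id_token(sample)) or "OK")
```

For a real test, paste the ID token obtained from a sign-in (for example from the browser's developer tools) into inspect_id_token with your own tenant ID, client ID and group names; a reported GUID in the groups claim points at step 4 (sAMAccountName not selected), an absent claim at steps 4 and 5, and a missing group at step 6.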