Azure AD OIDC

Connect Azure AD with GoRules BRMS

1. Create an Enterprise Application in Azure AD

  1. Log in to the Azure portal and navigate to Entra ID.
  2. Select Enterprise applications and then click New application.
  3. Click Create your own application.
  4. Choose Register an application to integrate with Microsoft Entra ID (App you're developing) and provide a name for the application (e.g., GoRules BRMS DEV).
  5. Next, under Supported account types, select Accounts in this organizational directory only (Default Directory Only - Single tenant).
  6. In the Redirect URI section, choose Web from the platform dropdown and enter app_url/oauth/azure, where app_url is the address at which your self-hosted BRMS is hosted. For example, if BRMS is hosted at https://gorules-dev.your-company.com, the complete URI is https://gorules-dev.your-company.com/oauth/azure.
  7. After creation, open the application's overview page, go to the Single sign-on menu and click Go to application to open the App registrations experience.
  8. On the new page, copy and save the Application (client) ID for later use.

2. (Optional) Add Azure AD Group Claims

  1. In the App registrations experience for the application, open the Token configuration section.
  2. Click Add group claim to include group membership information in the token.
  3. Configure the claims according to your organization's requirements (e.g., include groups assigned to the application and, for Access and ID, select sAMAccountName) and press Save.

3. Create Credentials for the Enterprise Application

  1. In the App registrations experience for the application, open Certificates & secrets.
  2. Under Client secrets, click New client secret.
  3. Add a description for the secret, set an expiry period, and click Add.
  4. Once created, copy and save the client secret value for later use (Note: it will not be visible again after you leave this page).

4. Copy endpoints

  1. In the App registrations experience for the application, open the Overview section and click Endpoints.
  2. Copy the following:
    1. OAuth 2.0 authorization endpoint (v2)
    2. OAuth 2.0 token endpoint (v2)

5. Configure GoRules BRMS Environment Variables

To configure Azure AD SSO you need to add environment variables for the BRMS. The table below shows the mapping from each environment variable to the Azure value collected in the previous steps.

| BRMS Environment Variable | Azure SSO Mapping |
| --- | --- |
| SSO_OAUTH2_PROVIDER | azure |
| SSO_OAUTH2_CLIENT_ID | CLIENT_ID from Step 1.8 |
| SSO_OAUTH2_CLIENT_SECRET | CLIENT_SECRET from Step 3.4 |
| SSO_OAUTH2_SCOPES | openid email profile |
| SSO_OAUTH2_AUTH_URL | AUTH_ENDPOINT from Step 4.2.1 |
| SSO_OAUTH2_TOKEN_URL | TOKEN_ENDPOINT from Step 4.2.2 |
| APP_URL | app_url, for example https://gorules-dev.your-company.com |
| EMAIL_ENABLED | false |

Info: After setting the configuration, restart BRMS for the changes to take effect.

6. Optional Environment Variables

To configure group mapping, set the SSO_OAUTH2_GROUPS_MAPPING variable and add groups to the scopes.

| BRMS Environment Variable | Azure SSO Mapping |
| --- | --- |
| SSO_OAUTH2_GROUPS_MAPPING | 77777777-7777-7777-7777-7777777777777->admin,88888888-8888-8888-8888-888888888888->admin,55555555-5555-5555-5555-5555555555555->author |
| SSO_OAUTH2_SCOPES | openid email profile groups |

Each mapping is written as {{azure_group_uuid}}->{{brms_role}}; consecutive mappings are separated by a comma (,).

There are 4 levels of global permissions: owner, admin, author, and member.

Info: Multiple groups can map to the same role.

Info: The group UUID is the unique group id from Entra ID. If the variable is not set, permissions are managed from inside BRMS. If the variable is set and an existing user is not found in the mapping string, the user is added to the member group.
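The following helper, added here as an example and not part of GoRules BRMS, applies the rules from Steps 5 and 6 offline: it checks that the environment variables the page lists are present and consistent (provider, required values, https endpoints, and the `groups` scope when a group mapping is set), parses the `{{azure_group_uuid}}->{{brms_role}}` mapping string, and resolves a user's Entra ID group claim to a BRMS role (unmatched users become `member`, an unset variable means BRMS manages permissions itself). The sample configuration values are placeholders, the group mapping string is the page's own example, and the tie-break for a user in several mapped groups (most privileged role wins) is an assumption of this example, not documented behaviour.

```python
"""Offline consistency checks for a GoRules BRMS Azure AD SSO configuration.

Added example, not GoRules code: it applies the environment variable rules
described in Steps 5 and 6 to a plain dict of variable names and values.
"""
from urllib.parse import urlparse

# Global permission levels, most privileged first (Step 6).
ROLES = ("owner", "admin", "author", "member")
DEFAULT_ROLE = "member"  # role for a user found in no mapped group


def parse_groups_mapping(raw):
    """Parse 'group_uuid->role,group_uuid->role' into {group_uuid: role}.

    An unset or empty variable yields {} (permissions managed inside BRMS).
    Group ids are compared case-insensitively (assumption of this example).
    """
    mapping = {}
    if not raw or not raw.strip():
        return mapping
    for entry in raw.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if "->" not in entry:
            raise ValueError(f"mapping entry {entry!r} lacks '->'")
        group_id, role = (part.strip() for part in entry.split("->", 1))
        if not group_id:
            raise ValueError(f"empty group id in {entry!r}")
        if role not in ROLES:
            raise ValueError(f"unknown BRMS role {role!r} in {entry!r}")
        mapping[group_id.lower()] = role
    return mapping


def resolve_role(user_groups, mapping):
    """Return the BRMS role for a user's Entra ID group claim.

    None means the mapping variable is unset, so BRMS manages permissions.
    A user in no mapped group becomes DEFAULT_ROLE. A user in several mapped
    groups gets the most privileged role: an assumption, not documented behaviour.
    """
    if not mapping:
        return None
    matched = {mapping[g.lower()] for g in user_groups if g.lower() in mapping}
    if not matched:
        return DEFAULT_ROLE
    return min(matched, key=ROLES.index)


def redirect_uri(app_url):
    """Redirect URI registered in Step 1.6: APP_URL followed by /oauth/azure."""
    return app_url.rstrip("/") + "/oauth/azure"


def check_sso_env(env):
    """Return a list of configuration problems; an empty list means it passes."""
    problems = []
    if env.get("SSO_OAUTH2_PROVIDER") != "azure":
        problems.append("SSO_OAUTH2_PROVIDER must be 'azure'")
    for key in ("SSO_OAUTH2_CLIENT_ID", "SSO_OAUTH2_CLIENT_SECRET",
                "SSO_OAUTH2_AUTH_URL", "SSO_OAUTH2_TOKEN_URL", "APP_URL"):
        if not env.get(key):
            problems.append(f"{key} is not set")
    scopes = env.get("SSO_OAUTH2_SCOPES", "").split()
    for scope in ("openid", "email", "profile"):
        if scope not in scopes:
            problems.append(f"SSO_OAUTH2_SCOPES is missing {scope!r}")
    if env.get("SSO_OAUTH2_GROUPS_MAPPING") and "groups" not in scopes:
        problems.append("SSO_OAUTH2_GROUPS_MAPPING is set but the 'groups' scope is missing")
    for key in ("SSO_OAUTH2_AUTH_URL", "SSO_OAUTH2_TOKEN_URL", "APP_URL"):
        url = env.get(key)
        if url and urlparse(url).scheme != "https":
            problems.append(f"{key} should use https, got {url!r}")
    try:
        parse_groups_mapping(env.get("SSO_OAUTH2_GROUPS_MAPPING"))
    except ValueError as exc:
        problems.append(f"SSO_OAUTH2_GROUPS_MAPPING: {exc}")
    return problems


# Constructed sample configuration: every value is a placeholder except the
# group mapping string, which is the page's own example.
SAMPLE_ENV = {
    "SSO_OAUTH2_PROVIDER": "azure",
    "SSO_OAUTH2_CLIENT_ID": "<application-client-id-from-step-1.8>",
    "SSO_OAUTH2_CLIENT_SECRET": "<client-secret-from-step-3.4>",
    "SSO_OAUTH2_SCOPES": "openid email profile groups",
    "SSO_OAUTH2_AUTH_URL": "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize",
    "SSO_OAUTH2_TOKEN_URL": "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token",
    "APP_URL": "https://gorules-dev.your-company.com",
    "EMAIL_ENABLED": "false",
    "SSO_OAUTH2_GROUPS_MAPPING": (
        "77777777-7777-7777-7777-7777777777777->admin,"
        "88888888-8888-8888-8888-888888888888->admin,"
        "55555555-5555-5555-5555-5555555555555->author"
    ),
}

if __name__ == "__main__":
    print("problems:", check_sso_env(SAMPLE_ENV))
    groups = parse_groups_mapping(SAMPLE_ENV["SSO_OAUTH2_GROUPS_MAPPING"])
    print("role:", resolve_role(["55555555-5555-5555-5555-5555555555555"], groups))
```

Running the check before restarting BRMS catches the two mistakes this page is most likely to produce: a group mapping configured without the `groups` scope, and a redirect URI registered in Azure that does not match `APP_URL`.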