⚒️Configuring SSO with Azure AD
Last updated
Create a new Azure tenant for your organization and sign in to the Azure Active Directory portal.
This application registration will be a stand-in for the cubu application and handle both the client-side SPA login flow and API access management.
Go to Manage > App registrations blade in the Azure AD portal and click the New Registration button.
In the Register an application page, give the application an easy-to-recognize name (this guide will use cubu as the name in further references), select Accounts in this organizational directory only (Single tenant) in the Supported account types section, and leave the Redirect URI section empty since we’ll handle this part later.
Write down the Application (client) ID and Directory (tenant) ID for the newly created app. Those will be used later to configure SSO in your cubu organization.
Switch to the Manage > Authentication blade and click the Add a platform button.
In the newly opened panel select Single-page application and fill in the following values:
Redirect URIs: https://YOUR_ORG_SUBDOMAIN.app.cubu.com
Front-channel logout URL: https://YOUR_ORG_SUBDOMAIN.app.cubu.com/logout
Switch to the Manage > Expose an API blade to configure the authorization settings.
Click the Set button next to Application ID URI and keep the default ID provided by Azure. Write down this URI; it is used later to configure SSO in cubu.
Click on the Add a scope button to create a default scope for the cubu application.
In the Add a scope panel, name the scope cubu_user.
The consent fields are required but you’re free to fill them in with anything you like.
Cubu reads the email claim from the access token when it creates a new user. To add the email claim to the access token, switch to the Manage > Token configuration blade and click the Add optional claim button.
In the Add optional claim panel, select the Access token type and check the email claim.
Switch to the Manage > API permissions blade to add openid and api permissions to the application.
Click the Add a permission button.
In the opened panel, select the Microsoft APIs tab, click on Microsoft Graph, select Delegated permissions, and check the email, openid, and profile scopes under the OpenId permissions category.
Click on the Add a Permission button again.
Select the APIs My Organization Uses tab in the opened panel and pick the cubu API from the list.
Select the Delegated permissions type. Ensure the cubu_user scope is checked and click the Add permission button to save.
After all of the permissions have been added, click the Grant admin consent for YOUR_TENANT button so that users are not shown the consent prompt when they sign in.
Finally, switch to the Manage > Manifest blade and make sure that accessTokenAcceptedVersion is set to 2.
Log in to your organization in cubu with the user that created the organization in cubu (organization owner) and navigate to the SSO page of the Settings tool in the Admin tools toolbelt.
Click the Enable SSO button and fill in the Enable SSO dialog with your identity provider's information as follows:
Identity service provider (ISP): Azure Active Directory
Authority: https://login.microsoftonline.com/YOUR_DIRECTORY_ID/v2.0
Replace YOUR_DIRECTORY_ID with the Directory (tenant) ID from the cubu app registration.
Audience: The cubu app registration’s Application (Client) Id
Or the Application ID URI from the Expose an API blade if you used a custom domain instead of the default api://GUID URI.
Client id: The cubu app registration’s Application (Client) Id
Organization owner email: The email of the user in your auth0 tenant that will be associated with the cubu account of the current organization owner.
After clicking Enable SSO in the dialog, the page should refresh, prompting you to log in.
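The dialog values, the cubu_user scope, the email optional claim and the accessTokenAcceptedVersion manifest setting all leave a visible trace in the access token Azure issues. The following checker, added here as an example and not part of cubu or the Azure portal, decodes a token's claims and reports which of those settings is missing. TENANT_ID, CLIENT_ID, the constructed sample claims and the placeholder signature are assumptions for offline use; substitute the values you wrote down during registration, and verify the token's signature against the tenant's JWKS (published via the OpenID discovery document under the Authority URL) before trusting any claim in production.

```python
import base64
import json

# Placeholders for the values written down during app registration (assumed, substitute your own)
TENANT_ID = "YOUR_DIRECTORY_ID"
CLIENT_ID = "YOUR_CLIENT_ID"
APP_ID_URI = f"api://{CLIENT_ID}"  # default Application ID URI from the Expose an API blade
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
REQUIRED_SCOPE = "cubu_user"


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    The signature is NOT verified here; do that against the tenant's JWKS
    (AUTHORITY + '/.well-known/openid-configuration' points to it) before
    trusting the claims. This helper only inspects what the portal
    configuration put into the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_cubu_claims(claims: dict) -> list:
    """Return the list of configuration problems visible in the claims (empty means OK)."""
    problems = []
    # accessTokenAcceptedVersion = 2 makes Azure issue v2.0 tokens (ver "2.0", issuer .../v2.0)
    if claims.get("ver") != "2.0":
        problems.append("token is not a v2.0 token: set accessTokenAcceptedVersion to 2 in the manifest")
    if claims.get("iss") != AUTHORITY:
        problems.append(f"issuer {claims.get('iss')!r} does not match Authority {AUTHORITY!r}")
    # Audience is the Application (client) ID, or the Application ID URI when a custom one is used
    if claims.get("aud") not in (CLIENT_ID, APP_ID_URI):
        problems.append(f"audience {claims.get('aud')!r} is neither the client ID nor the Application ID URI")
    # scp is a space-separated list of delegated scopes granted to the token
    if REQUIRED_SCOPE not in set(claims.get("scp", "").split()):
        problems.append(f"scope {REQUIRED_SCOPE!r} missing: expose it and grant it under API permissions")
    if not claims.get("email"):
        problems.append("email claim missing: add it as an optional claim on the access token")
    return problems


def make_unsigned_test_token(claims: dict) -> str:
    """Constructed sample token for offline demonstration only (placeholder signature)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.signature-placeholder"


# Constructed claims of a token that matches the configuration described above
GOOD_CLAIMS = {
    "ver": "2.0",
    "iss": AUTHORITY,
    "aud": CLIENT_ID,
    "scp": "cubu_user",
    "email": "owner@example.com",
}


if __name__ == "__main__":
    print("good token:", check_cubu_claims(decode_jwt_claims(make_unsigned_test_token(GOOD_CLAIMS))))
    # Constructed v1.0-style token with the email claim not configured
    bad = dict(GOOD_CLAIMS, ver="1.0", iss=f"https://sts.windows.net/{TENANT_ID}/")
    del bad["email"]
    for problem in check_cubu_claims(decode_jwt_claims(make_unsigned_test_token(bad))):
        print("-", problem)
```

Run it against a real access token by pasting the token into decode_jwt_claims after setting TENANT_ID and CLIENT_ID; each reported problem names the blade in this guide where the corresponding setting lives.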