This sample demonstrates how to configure Single Sign-On (SSO) for the Axon Ivy Engine with Microsoft Entra ID (formerly Azure AD) and Nginx.
Notes:
- The OpenResty image is used in this example instead of a standard Nginx one, because it ships Nginx with the Lua module (lua-nginx-module, which provides ngx_http_lua_module) that lets Nginx run Lua scripts, and this is what makes it possible to implement OpenID Connect (OIDC) authentication inside Nginx.
- The OpenID Connect implementation is the library lua-resty-openidc, together with its dependencies lua-resty-http, lua-resty-session and lua-resty-jwt. See more.
Prerequisites:
- Docker and Docker Compose installed on your system.
- Access to Microsoft Entra ID to register the application and obtain the client ID (application ID), tenant ID and client secret.
- A TLS certificate (server.crt and server.key) for securing Nginx; OIDC redirects and the session cookie must go over HTTPS.
Follow this instruction to create a Microsoft Entra ID app.
We will need to:
- Register an application
- Grant application permissions
- Create a client secret
Finally, edit the nginx.conf and fill in your client_secret, client_id (the application ID) and tenant ID.
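The following is an added example of the lua-resty-openidc part of such an nginx.conf; it is not the sample's own configuration file. It shows where the tenant ID, client ID and client secret go, and how the email claim of the ID token is forwarded to the engine. The placeholders in angle brackets, the session secret value, the redirect URI, the certificate paths and the upstream name ivy-engine are assumptions that must be adapted to your setup.

```nginx
http {
    # lua-resty-http needs a resolver and a CA bundle to reach
    # login.microsoftonline.com over TLS (assumed paths/addresses)
    resolver 8.8.8.8 ipv6=off;
    lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    lua_ssl_verify_depth 5;

    # caches for the OIDC discovery document and the JWKS used to
    # verify the ID token signature
    lua_shared_dict discovery 1m;
    lua_shared_dict jwks 1m;

    server {
        listen 443 ssl;
        server_name localhost;
        ssl_certificate     /etc/nginx/certs/server.crt;
        ssl_certificate_key /etc/nginx/certs/server.key;

        location / {
            access_by_lua_block {
                local opts = {
                    -- must match a redirect URI registered on the Entra app
                    redirect_uri = "https://localhost/redirect_uri",
                    -- Entra ID v2.0 discovery endpoint for your tenant
                    discovery = "https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration",
                    client_id = "<application-id>",
                    client_secret = "<client-secret>",
                    -- request the email scope so the ID token carries an email claim
                    scope = "openid email profile",
                    -- verify the TLS certificate of the identity provider
                    ssl_verify = "yes",
                    -- Entra ID accepts the client secret in the token request body
                    token_endpoint_auth_method = "client_secret_post",
                    -- keep only the ID token in the session cookie
                    session_contents = { id_token = true },
                }
                -- secret for the lua-resty-session cookie (assumed value;
                -- use a long random string and keep it out of the image)
                local session_opts = { secret = "<random-32-byte-secret>" }

                local res, err = require("resty.openidc").authenticate(opts, nil, nil, session_opts)
                if err then
                    ngx.status = ngx.HTTP_FORBIDDEN
                    ngx.say(err)
                    ngx.exit(ngx.HTTP_FORBIDDEN)
                end

                -- refuse the request if the token has no email claim
                -- instead of forwarding an empty user
                local email = res.id_token and res.id_token.email
                if not email then
                    ngx.status = ngx.HTTP_FORBIDDEN
                    ngx.say("ID token contains no email claim")
                    ngx.exit(ngx.HTTP_FORBIDDEN)
                end

                -- set_header overwrites any X-Forwarded-User a client sent,
                -- so the engine only ever sees the value taken from the ID token
                ngx.req.set_header("X-Forwarded-User", email)
            }
            proxy_pass http://ivy-engine:8080;   # assumed compose service name
        }
    }
}
```

The claim name used on the last line (id_token.email) is what the user name in the engine's security system has to match; if you forward a different claim, such as preferred_username, the users in the Engine Cockpit must be named accordingly.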
Place your own certificate in nginx\certs or create a self-signed one.
Run docker compose up to build the Nginx image and start all services.
Go to the Engine Cockpit and add a new user in your test security system. Note that the user name must match the ID token claim configured in the nginx.conf and forwarded in the header; in this sample it is id_token.email, so use the user's email address from Entra ID.
Now open your test application; you will be redirected to Entra ID for authentication.
After a successful login you are redirected back to the Axon Ivy Engine with the user's email passed in the X-Forwarded-User header.
Because the engine trusts this header as the authenticated user, make sure the engine is reachable only through Nginx and that its port is not exposed directly; otherwise a client could set X-Forwarded-User itself.