
Connect with AzureAD

AzureAD Tenant as Identity Provider for ZITADEL

This guide shows you how to connect an AzureAD tenant to ZITADEL as an external Identity Provider.

info

In ZITADEL you can connect an Identity Provider (IdP) such as an AzureAD tenant to your instance and provide it as the default for all organizations, or you can register the IdP for a specific organization only. Your customers can also do this themselves in a self-service fashion.

Prerequisite

You need access to an AzureAD tenant. If you do not have one yet, follow this guide from Microsoft to create one for free.

AzureAD Configuration

Create a new Application

Browse to the create dialog of the App registrations menu to create a new app.

Create an Application

info

Make sure to select Web as the application type in the Redirect URI (optional) section. You can leave the second field (the URI itself) empty, since we will set it in the next step.

Create an Application

Configure Redirect URIs

For this to work, you need to add the redirect URIs of your ZITADEL instance to the allowed redirect URIs of the app registration. In this example our test instance has the domain test-qcon0h.zitadel.cloud, so we need to add these two entries:

  • https://test-qcon0h.zitadel.cloud/ui/login/register/externalidp/callback
  • https://test-qcon0h.zitadel.cloud/ui/login/login/externalidp/callback
info

To adapt this for your setup, replace the domain with the domain of your ZITADEL instance. AzureAD matches redirect URIs exactly, so keep the https scheme and the paths as they are shown here (no trailing slash).

Configure Redirect URIs

Create Client Secret

To allow ZITADEL to authenticate to your AzureAD application, you need to create a client secret.

Create Client Secret

info

Save the secret value for the later configuration of ZITADEL. The value is shown only once after creation; if you lose it, you have to create a new secret. Treat it as a credential: store it in a secret store and do not commit it to source control.

Configure ID Token Claims

Configure ID Token Claims

ZITADEL Configuration

Create IdP

Use the values displayed on the AzureAD application page in your ZITADEL IdP settings.

  • The Issuer of your AzureAD tenant is listed in the Endpoints submenu; use the tenant-specific issuer from the OpenID Connect metadata document, since ZITADEL validates the issuer of the ID tokens it receives
  • The Client ID in ZITADEL corresponds to the Application (client) ID
  • The Client Secret is the value generated during the Create Client Secret step
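As an added pre-flight check for the two configuration steps above (the redirect URIs on the AzureAD app and the issuer/client settings in ZITADEL), the following script is example code written for this guide and not part of ZITADEL or Microsoft's documentation. It builds the two callback URIs from an instance domain, reports callbacks that are not registered verbatim on the app (AzureAD matches redirect URIs exactly), and validates an OpenID Connect discovery document before its issuer is pasted into ZITADEL. The tenant ID, discovery document and registered URI list are constructed samples, not data fetched from a real tenant.

```python
"""Pre-flight checks for an AzureAD -> ZITADEL IdP configuration.

Added example; not ZITADEL or Microsoft code. All sample data below is
constructed for illustration.
"""
import re
from urllib.parse import urlparse

# The two ZITADEL callback paths the guide says must be allowed on the app.
CALLBACK_PATHS = (
    "/ui/login/register/externalidp/callback",
    "/ui/login/login/externalidp/callback",
)

# Azure tenant IDs are GUIDs.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)


def zitadel_redirect_uris(domain: str) -> list[str]:
    """Build the two callback URIs ZITADEL uses for an external IdP."""
    return [f"https://{domain}{path}" for path in CALLBACK_PATHS]


def missing_redirect_uris(domain: str, registered: list[str]) -> list[str]:
    """Return the ZITADEL callbacks not registered verbatim on the app.

    AzureAD matches redirect URIs exactly (scheme, host, path, trailing
    slash), so near misses such as http:// or a trailing slash do not count.
    """
    registered_set = set(registered)
    return [u for u in zitadel_redirect_uris(domain) if u not in registered_set]


def check_issuer(discovery: dict, tenant_id: str) -> list[str]:
    """Validate the discovery document whose issuer goes into ZITADEL.

    ZITADEL checks the `iss` claim of the ID token against the configured
    issuer, so the value must be the tenant-specific v2.0 issuer. The
    `common` endpoint's metadata carries a `{tenantid}` placeholder as
    issuer and would never match a real token.
    """
    problems = []
    issuer = discovery.get("issuer", "")
    if urlparse(issuer).scheme != "https":
        problems.append("issuer must use https")
    if "{tenantid}" in issuer:
        problems.append("issuer contains the {tenantid} placeholder: "
                        "use the tenant-specific endpoint, not 'common'")
    if not GUID_RE.match(tenant_id.lower()):
        problems.append("tenant id is not a GUID")
    elif tenant_id.lower() not in issuer.lower():
        problems.append("issuer does not belong to the expected tenant")
    if not issuer.rstrip("/").endswith("/v2.0"):
        problems.append("issuer is not a v2.0 issuer")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlparse(discovery.get(key, "")).scheme != "https":
            problems.append(f"{key} missing or not https")
    return problems


# Constructed sample tenant and discovery document (shape follows the
# AzureAD v2.0 metadata document; the GUID is made up for this example).
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_DISCOVERY = {
    "issuer": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/discovery/v2.0/keys",
}
# Same document as served by the `common` endpoint: placeholder issuer.
COMMON_DISCOVERY = {
    **SAMPLE_DISCOVERY,
    "issuer": "https://login.microsoftonline.com/{tenantid}/v2.0",
}
# Constructed redirect URI list as it might look on the app registration:
# one exact match, one with a stray trailing slash (does not match).
SAMPLE_REGISTERED = [
    "https://test-qcon0h.zitadel.cloud/ui/login/login/externalidp/callback",
    "https://test-qcon0h.zitadel.cloud/ui/login/register/externalidp/callback/",
]

if __name__ == "__main__":
    print("missing callbacks:",
          missing_redirect_uris("test-qcon0h.zitadel.cloud", SAMPLE_REGISTERED))
    print("tenant issuer problems:", check_issuer(SAMPLE_DISCOVERY, SAMPLE_TENANT))
    print("common issuer problems:", check_issuer(COMMON_DISCOVERY, SAMPLE_TENANT))
```

Run it against your own instance domain and the metadata document linked from the Endpoints submenu; an empty list from both checks means the redirect URIs and the issuer are consistent with what ZITADEL expects.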

Azure Application

Create IdP

Activate IdP

Once you have created the IdP, you need to activate it to make it available to your users.

Activate the AzureAD

Active AzureAD

Test the setup

To test the setup, open an incognito window and browse to your login page. If the configuration succeeded, you should see a new button that redirects you to your AzureAD tenant.

AzureAD Button

AzureAD Login