Set up an Azure Active Directory OIDC Connection

Stytch's Single Sign On (SSO) product allows your customers to log into your application via third party Identity Providers, like Azure Active Directory (Azure AD). In this guide, you'll learn how to configure an Azure AD OIDC SSO connection, which is something that your customers will need to complete before their team members will be able to log into your application via SSO.

If you're interested in setting up an Azure AD SAML SSO connection instead, see our Set up an Azure Active Directory SAML Connection guide.

By the end of this guide, you'll have:

  • a new Azure AD OIDC Connection that is fully configured and ready for use.
  • a new Azure AD application that can be used to provision access to your application.
  • a Stytch B2B implementation that can use SSO for authentication.

Before you start

  • Create a Stytch B2B project via the Stytch Dashboard if you don't have one already. To do so, click on your existing project name in the top left corner of the Dashboard, click Create a new project, and then select B2B Authentication.
  • Copy your project_id and secret from the Test environment tab in the API keys section of the Stytch Dashboard. You'll need to include these values in every backend Stytch API call.
  • Create a new Organization by calling our Create an Organization endpoint:
curl --request POST \
	--url https://test.stytch.com/v1/b2b/organizations \
	-u 'PROJECT_ID:SECRET' \
	-H 'Content-Type: application/json' \
	-d '{
		"organization_name": "Example Org Inc.",
		"organization_slug": "example-org"
	}'

Step 1: Create a new OIDC connection

Call our Create OIDC Connection endpoint in order to create a new OIDC Connection. Include the organization_id that you'd like the Connection to belong to and a display_name for the Connection like "Azure AD".

curl --request POST \
	--url https://test.stytch.com/v1/b2b/sso/oidc/{ORGANIZATION_ID} \
	-u 'PROJECT_ID:SECRET' \
	-H 'Content-Type: application/json' \
	-d '{
	  "display_name": "Azure AD"
	}'

Save the redirect_url and connection_id values from the connection object in the Create OIDC Connection response. You'll use the redirect_url in Step 2 to configure a new Azure AD application, and the connection_id in Step 4 when you update the Connection.

Step 2: Create and configure a new Azure AD application

  1. Log into portal.azure.com and select the Azure Active Directory service:

    Azure Active Directory button in Azure

  2. Navigate to the App registrations tab and click New registration:

    App registrations tab in Azure

  3. Input the name of your application in the Name field. For the purposes of this guide, under Supported account types select Accounts in this organizational directory only (Default Directory only - Single tenant). Do not specify any Redirect URI values at this point. Click Register.

  4. Navigate to the Authentication tab. Under Platform configurations, click Add a platform:

    Add a platform button in Azure

  5. Select Web, and then input the redirect_url value from Step 1 in the Redirect URIs field. You do not need to input any Front-channel logout URL values, and the two token types (Access tokens and ID tokens) under Implicit grant and hybrid flows should remain unchecked. Click Configure.

Now that you've created and configured a new Azure AD application, you're ready to update the SSO Connection from Step 1 with additional data surfaced by Azure AD.

Step 3: Retrieve values from Azure AD to configure your OIDC Connection

Navigate to the Certificates & secrets tab and select New client secret:

New client secret button in Azure

Enter a description of your new secret key, select your desired secret expiration length, and click Add. Copy the new secret's Value for use in Step 4.

Next, navigate to the Overview tab and copy the Application (client) ID value for use in Step 4:

Overview tab in Azure

Finally, click Endpoints and copy the OpenID Connect metadata document URL:

Endpoints tab in Azure

Navigate to the OpenID Connect metadata document URL in your browser, and copy the issuer value for use in Step 4:

Azure issuer value

Step 4: Call the Update OIDC Connection endpoint

In addition to the information from Azure AD in Step 3, you'll also need the organization_id and connection_id from Step 1.

Using those values, your call to our Update OIDC Connection endpoint should look like this:

curl --request PUT \
	--url https://test.stytch.com/v1/b2b/sso/oidc/{ORGANIZATION_ID}/connections/{CONNECTION_ID} \
	-u 'PROJECT_ID:SECRET' \
	-H 'Content-Type: application/json' \
	-d '{
		"client_id": "{CLIENT_ID}",
		"client_secret": "{SECRET}",
		"issuer": "{ISSUER}"
	}'

When you provide an issuer value in an Update OIDC Connection request, Stytch will automatically infer the authorization_url, token_url, jwks_url, and userinfo_url values for your OIDC Connection (when available), and you will not need to explicitly provide them.
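Steps 3 and 4 both hinge on the issuer value copied from the OpenID Connect metadata document. The following added example, written for this guide and not Stytch's or Microsoft's own code, parses a constructed Azure AD metadata document, checks that its issuer is consistent with the URL the document was fetched from (the consistency rule OIDC Discovery defines), and maps the standard discovery fields onto the Connection field names listed above before building the Step 4 request body. The tenant id, client_id and client_secret values are placeholders, and the field mapping illustrates what an issuer lets a client discover, not Stytch's internal inference logic.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample of an Azure AD OpenID Connect metadata document, trimmed to
# the fields this guide cares about. The tenant id is an all-zero placeholder.
TENANT = "00000000-0000-0000-0000-000000000000"
METADATA_URL = f"https://login.microsoftonline.com/{TENANT}/v2.0{WELL_KNOWN}"
SAMPLE_METADATA = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
})

# Standard discovery field -> Connection field named in Step 4 of this guide.
FIELD_MAP = {
    "authorization_endpoint": "authorization_url",
    "token_endpoint": "token_url",
    "jwks_uri": "jwks_url",
    "userinfo_endpoint": "userinfo_url",
}


def metadata_url_matches(issuer, metadata_url):
    """OIDC Discovery rule: the document must live at issuer + WELL_KNOWN."""
    return metadata_url == issuer.rstrip("/") + WELL_KNOWN


def extract_connection_values(metadata_json, metadata_url):
    """Return the Connection values an Azure AD metadata document provides."""
    doc = json.loads(metadata_json)
    issuer = doc.get("issuer")
    # Reject a missing or non-https issuer before it is saved on the Connection.
    if not issuer or urlsplit(issuer).scheme != "https":
        raise ValueError("metadata document has no https issuer")
    # A mismatch means the issuer you are about to save does not describe
    # the document you just read; stop rather than configure the Connection.
    if not metadata_url_matches(issuer, metadata_url):
        raise ValueError(f"issuer {issuer} does not match {metadata_url}")
    values = {"issuer": issuer}
    for std_name, conn_name in FIELD_MAP.items():
        if std_name in doc:
            values[conn_name] = doc[std_name]
    return values


def build_update_body(client_id, client_secret, metadata_json, metadata_url):
    """Body for the Step 4 Update OIDC Connection call; issuer alone suffices."""
    issuer = extract_connection_values(metadata_json, metadata_url)["issuer"]
    return {"client_id": client_id, "client_secret": client_secret, "issuer": issuer}
```

Serialise the returned body with json.dumps and pass it as the -d payload of the PUT request shown above.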

After a successful Update OIDC Connection call, both your Azure AD Application and your OIDC Connection will be fully configured.

You should now be able to complete an SSO login flow via our Start SSO login flow and Authenticate SSO login endpoints using your new Azure AD Connection!

What's next

Build a user interface that allows users to initiate the SSO login flow. You'll also need a page to handle the redirect back to your application at the end of the SSO flow.

Clone our B2B Next.js example app for helpful templates that can get you started quickly. Also check out our interactive B2B demo app to see the app in action.