Joomla OAuth Client Integration with Microsoft Entra ID Single Sign-On (SSO)
Overview
Single Sign-On (SSO) with Microsoft Entra ID (Azure AD) in Joomla uses OAuth Authorization to provide users secure
access to the Joomla site. With our Joomla OAuth Single Sign-On (SSO) plugin, Microsoft Entra ID (Azure AD) acts as
the OAuth provider, ensuring secure login for Joomla websites.
The integration of Joomla and Microsoft Entra ID (Azure AD) simplifies and secures the login process using the OAuth
protocol. This solution allows users to access their Joomla sites with Single Sign-On (SSO) using their Microsoft
Entra ID (Azure AD) credentials, completely removing the need to store, remember, and reset multiple passwords.
In addition to offering OAuth Single Sign-On (SSO) using Microsoft Entra ID credentials, the plugin also provides
advanced SSO features such as user profile attribute mapping, role mapping, Azure multi-tenant login, and
site access based on organization roles. For further insights into the array of features we offer within the Joomla
OAuth & OpenID Connect Client plugin, kindly visit our page here. You can follow the steps below to set up Microsoft
Entra ID (Azure AD) OAuth SSO with Joomla.
To set up OAuth Single Sign-On between Joomla and Microsoft Entra ID, you can also follow this step-by-step Setup Video.
Configuration Steps
In this configuration, Microsoft Entra ID functions as the OAuth server, while Joomla allows users to log in with their Microsoft Entra ID credentials by utilizing the Joomla OAuth Client Plugin.
Step 1: Install Joomla OAuth Client Plugin
- Log in to your Joomla site’s Administrator console.
- From the left toggle menu, click on System, then under the Install section click on Extensions.
- Now click on the Or Browse for file button to locate and install the plugin file downloaded earlier.
- Once the plugin is installed successfully, click on Get Started!
- Under Configure OAuth -> Pre-Configured Apps tab, select your OAuth Provider. You can also search for custom OAuth or custom OpenID application in the search bar, and configure your own custom provider.
- After selecting your OAuth provider, you will be redirected to the Step 1 [Redirect URL] tab. Now copy the Callback/Redirect URL which we will use to configure Microsoft Entra ID as OAuth Server, then click on the Save & Next button.
Step 2: Configure Microsoft Entra ID as OAuth Server
- Log into the Azure Dashboard.
- Click on Microsoft Entra ID under Azure services.
- In the left-hand navigation pane, click App registrations, then click on New registration.
- When the Create page appears, enter your application's registration information:
Name: | Name of your application. |
Application type: | |
Sign-on URL: | |
- Under Redirect URL, select Web from the dropdown and enter the Callback URL copied earlier in the given field. Then, click on the Register button to register the new application.
Step 3: Configure Client ID & Secret
- Now go to the Overview tab of your registered application. Here, copy the Application ID and the Directory ID; these will be your Client ID and Tenant ID respectively.
- Go to Certificates and Secrets from the left navigation pane and click on New Client Secret. Enter a description and expiration time, then click on the Add option.
- Copy the value. This will be your Client Secret.
- Go back to your Joomla Dashboard. Then go to Step 2 [Client ID & Secret].
- Paste the Client ID, Client Secret and Domain. Also choose In Header for Set Client Credentials, then click on Save Settings. Once the settings are saved, click on Save Configuration.
- If you want to enable scopes, follow these steps:
  - Go to Application -> Select the application where you want to enable scopes. Now, go to the API Permissions tab.
  - Click on the Add permission button, then Microsoft Graph API -> Delegated Permissions, select the openid and profile scopes, and click on the Add Permissions button.
  - Click on the Grant admin consent for Default Directory button.
Scope | Openid email Profile |
Authorize Endpoint | https://login.microsoftonline.com/[tenant-id]/oauth2/v2.0/authorize |
Access Token Endpoint | https://login.microsoftonline.com/[tenant-id]/oauth2/v2.0/token |
Get User Info Endpoint | https://graph.microsoft.com/beta/me |
Set Client Credentials | In Both (In Header and In Body) |
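The endpoints and the Set Client Credentials option in the table map onto the OAuth 2.0 authorization code flow. The following Python is an added example, not the plugin's own code: it builds the authorize URL with a per-session `state`, validates the callback, and shows what the token request looks like for each Set Client Credentials choice. The function names, sample IDs and the `joomla.example` callback are assumptions; scope names are written in lowercase as OpenID Connect defines them.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlparse

# Endpoints from the table above; [tenant-id] is the Directory ID copied in Step 3.
AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"
TOKEN = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# Constructed sample values, not real identifiers.
TENANT = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
REDIRECT = "https://joomla.example/oauth/callback"  # placeholder for the copied Callback URL


def build_authorize_url(tenant, client_id, redirect_uri, scope="openid email profile"):
    """Return (url, state). The state is kept in the session until the callback."""
    state = secrets.token_urlsafe(32)
    query = urlencode({"client_id": client_id, "response_type": "code",
                       "redirect_uri": redirect_uri, "scope": scope, "state": state})
    return AUTHORIZE.format(tenant=tenant) + "?" + query, state


def code_from_callback(callback_url, expected_state):
    """Return the authorization code, rejecting a missing or mismatched state."""
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [""])[0]
    if not expected_state or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "code" not in params:
        raise ValueError("no code: " + params.get("error", ["unknown"])[0])
    return params["code"][0]


def build_token_request(tenant, client_id, client_secret, code, redirect_uri, credentials_in):
    """Return (url, headers, body); credentials_in is "header", "body" or "both"."""
    if credentials_in not in ("header", "body", "both"):
        raise ValueError("credentials_in must be header, body or both")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    if credentials_in in ("header", "both"):
        # HTTP Basic: id and secret are percent-encoded first (RFC 6749, section 2.3.1).
        pair = quote(client_id, safe="") + ":" + quote(client_secret, safe="")
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    if credentials_in in ("body", "both"):
        body.update(client_id=client_id, client_secret=client_secret)
    return TOKEN.format(tenant=tenant), headers, urlencode(body)
```

The `redirect_uri` sent in both requests has to be the same Callback URL registered in Step 2, and a callback whose `state` does not match the stored one should be dropped before any token request is made.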
Step 4: Configure Attribute Mapping
- User Attribute Mapping is mandatory for enabling users to successfully log in to Joomla. We will be setting up user profile attributes for Joomla using the settings below.
- Go to Step 3 [Attribute Mapping] tab and click on Test Configuration button.
- You will be able to see the attributes in the Test Configuration output as follows.
- Now go to the Step 3 [Attribute Mapping] tab and select the attribute name for Email and Username from the dropdown. Then click on the Finish Configuration button.
Step 5: Setup Login/SSO URL
- Now go to the Step 4 [SSO URL] tab, copy the Login/SSO URL, and add it to your site by following the given steps.
- Now log out and go to your Joomla site's pages where you have added this link. You will see a login link where you placed that button. Click on this button to perform SSO.