Microsoft Entra ID
    • 15 Nov 2024

    Autoform DM SSO supports the use of Microsoft Entra ID as the IdP.

    Microsoft Entra ID

    Autoform DM uses Microsoft Entra ID to:

    • Manage user authentication.

    • Maintain users’ memberships of the Microsoft Entra ID groups (and, depending on the security model used, app roles) that, via Keycloak, ultimately control users’ access to Autoform DM.

    App Registration

    An app registration represents Autoform DM. However, that app registration is configured (through its Redirect URI) to return responses to Keycloak. This app registration allows Keycloak to communicate with the tenant directory that will provide authentication and identity services.

    The app registration provides the client ID and secret that secures communication between Keycloak and Microsoft Entra ID.

    The app registration has limited scope within the tenant and is used only to query and retrieve a user’s details after they authenticate. The resulting identity token is passed back to Keycloak.

    If a role-mapped security model is used (to manage Autoform DM security group memberships), the app registration defines app roles for the app.

    When using multi-tenancy, the app registration only needs to be done in the master tenant in which the Autoform DM application is located. One app registration can be shared across multiple tenants by provisioning the enterprise app in other client tenants.

    Enterprise App

    An enterprise app (linked to the app registration described above) enables the management of user access to Autoform DM through group memberships (and app roles, if applicable). These memberships are described in the token that Microsoft Entra ID passes to Keycloak.

    The enterprise app is listed on an Entra ID user’s My applications page, to make it easy for them to access Autoform DM.

    In a multi-tenancy setup, enterprise apps are created in each “client tenant” either by explicitly provisioning the enterprise app there in advance, or on demand when a user from that tenant first signs in.
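    To make the two sections above concrete, here is an added Python illustration (not Autoform DM or Keycloak code) of what a broker must check on the identity token before trusting the group or app-role claims it carries: the audience must equal the app registration’s client ID, and the issuing tenant must be either the master tenant or a client tenant where the enterprise app has been provisioned. Only then are the `groups` claim (group-based model) or the `roles` claim (role-mapped model) mapped to Autoform DM access. The claim set, tenant IDs, client ID and mapping tables are all constructed placeholders; signature verification of the token is assumed to have happened already and is outside this snippet.

```python
"""Check Entra ID token claims and map them to access (added illustration)."""
from dataclasses import dataclass, field
from typing import Optional

# v2.0 issuer format: https://login.microsoftonline.com/{tenant-id}/v2.0
MS_ISSUER_PREFIX = "https://login.microsoftonline.com/"


@dataclass(frozen=True)
class AppRegistration:
    client_id: str                 # Application (client) ID of the app registration
    home_tenant_id: str            # master tenant where the app is registered
    allowed_tenant_ids: frozenset  # client tenants with the enterprise app provisioned


@dataclass
class AccessDecision:
    allowed: bool
    reason: str
    granted: set = field(default_factory=set)


# Hypothetical mapping tables (placeholders, not Autoform DM's real names).
# Group-based model: Entra group object ID -> Autoform DM security group.
GROUP_MODEL = {"00000000-0000-0000-0000-00000000aaaa": "dm-users"}
# Role-mapped model: app role value (defined on the app registration) -> DM group.
ROLE_MODEL = {"DM.Admin": "dm-admins", "DM.User": "dm-users"}


def issuer_tenant(iss: str) -> Optional[str]:
    """Return the tenant ID from a v2.0 issuer URL, or None if it is malformed."""
    if not iss.startswith(MS_ISSUER_PREFIX):
        return None
    tenant, _, tail = iss[len(MS_ISSUER_PREFIX):].partition("/")
    return tenant if tail == "v2.0" and tenant else None


def evaluate(claims: dict, app: AppRegistration, model: str) -> AccessDecision:
    """Validate audience/tenant, then map groups or roles to DM access."""
    # 1. The token must be issued for this app registration (client ID).
    if claims.get("aud") != app.client_id:
        return AccessDecision(False, "audience mismatch")

    # 2. The issuing tenant must be the master tenant or a provisioned client tenant,
    #    and the 'tid' claim must agree with the issuer URL.
    tenant = issuer_tenant(claims.get("iss", ""))
    if tenant is None or tenant != claims.get("tid"):
        return AccessDecision(False, "issuer/tid mismatch")
    if tenant != app.home_tenant_id and tenant not in app.allowed_tenant_ids:
        return AccessDecision(False, f"tenant {tenant} not provisioned")

    # 3. Map memberships carried in the token to Autoform DM security groups.
    if model == "group":
        granted = {GROUP_MODEL[g] for g in claims.get("groups", []) if g in GROUP_MODEL}
    elif model == "role":
        granted = {ROLE_MODEL[r] for r in claims.get("roles", []) if r in ROLE_MODEL}
    else:
        raise ValueError(f"unknown security model: {model}")

    if not granted:
        return AccessDecision(False, "no mapped group or app role in token")
    return AccessDecision(True, "ok", granted)


# Constructed sample values (placeholders, not a real tenant or app).
APP = AppRegistration(
    client_id="11111111-2222-3333-4444-555555555555",
    home_tenant_id="aaaaaaaa-0000-0000-0000-000000000001",
    allowed_tenant_ids=frozenset({"bbbbbbbb-0000-0000-0000-000000000002"}),
)


def sample_claims(tenant_id: str, **extra) -> dict:
    """Build a constructed (unsigned) claim set for the given tenant."""
    base = {
        "iss": f"{MS_ISSUER_PREFIX}{tenant_id}/v2.0",
        "tid": tenant_id,
        "aud": APP.client_id,
        "preferred_username": "user@example.invalid",
    }
    base.update(extra)
    return base


if __name__ == "__main__":
    ok = evaluate(sample_claims(APP.home_tenant_id, roles=["DM.Admin"]), APP, "role")
    print(ok)
    bad = evaluate(sample_claims("cccccccc-0000-0000-0000-000000000003", roles=["DM.Admin"]), APP, "role")
    print(bad)
```

    The order of the checks matters: audience and tenant are verified before any membership claim is read, so a token minted for a different app, or from a tenant where the enterprise app was never provisioned, is rejected even if it carries a recognised role value.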
