Entra SSO Setup (Azure AD)

This guide explains how to configure Microsoft Entra ID (formerly Azure Active Directory) as the identity provider for Nected. The process requires creating an application in Entra ID, configuring redirect URIs, generating credentials, and updating your nected-values.yaml for both Konark and Nalanda services.

Prerequisites

Before starting, confirm the following:

You have administrator access to the Azure Portal.
You have access to edit and deploy your Helm-managed Nected environment.
You know your Nected UI domain (example: https://nected-ui.example.com).

1. Open Microsoft Entra ID in Azure Portal

This opens the identity management panel where you will register your SSO application.

2. Open App Registrations

On the left sidebar, under Manage, select App registrations. This is where all new identity apps are created.

Once the page loads, click New registration.

3. Register a New Application

You will now configure the core SSO app that Nected will use for authentication.

Application Name

Enter a descriptive name such as:

nected-ui-sso

Supported Account Types

Choose the access level:

For most organizations: Accounts in this organizational directory only (Single tenant)
For multi-tenant use cases: Accounts in any organizational directory (Any Entra ID tenant)

The access type depends on how broad your user base is. Internal deployments typically use single-tenant.

Redirect URI

Set the redirect URI at the same time to avoid configuration drift.

Platform: Single-page application (SPA)
Redirect URI: https://<your-nected-ui-domain>

Example:

https://nected-ui.example.com

When done, click Register.

Azure will now create your application and assign a unique Application (client) ID.

4. Configure Client Secret

Once the app is created:

Go to:

Manage → Certificates & secrets → Client secrets

Select New client secret.

Choose an expiration period based on your security policies.

After creation:

Copy the Secret Value immediately. Azure never shows the value again once you leave the page.

The two important values you now have are:

Application (client) ID
Client Secret Value

5. Configure Nected (Konark + Nalanda)

The next step is passing the Entra SSO configuration into Nected’s services. Your Helm chart controls these values through nected-values.yaml.

Open the file in your deployment environment.

5.1. Update Konark Environment Variables

Konark handles the frontend application (Nected UI). Add the following values under:

Konark:
  envVars:

Insert:

# Authentication Configuration
VITE_ENABLE_MS_LOGIN: false
VITE_MICROSOFT_CLIENT_ID: "<Application (client) ID>"
VITE_MICROSOFT_TENANT_ID: common

Notes:

VITE_ENABLE_MS_LOGIN toggles the Microsoft login button in the UI.
common allows logins across Entra tenants.
Replace values with your own IDs.

5.2. Update Nalanda Environment Variables

Nalanda is responsible for backend authentication. Scroll to:

Nalanda:
  envVars:

Insert:

# mslogin
MICROSOFT_AUTH_ENABLED: "true"
MICROSOFT_CLIENT_ID: "<Application (client) ID>"
MICROSOFT_CLIENT_SECRET: "<Client Secret Value>"
MICROSOFT_TENANT_ID: common

Backend authentication requires the client secret, which is why this value is configured here and not in Konark.

8. Apply the Configuration

Upgrade your Helm release:

helm upgrade -i nected nected/nected -f nected-values.yaml

Restart the relevant deployments:

kubectl rollout restart deploy nected-konark nected-nalanda

This ensures both services load the updated environment variables.

9. Validate SSO

After deployments restart:

Open your Nected UI in the browser.
You should now see the "Continue with Microsoft" login option.
Authenticate using an Entra ID account allowed by your app settings.

If authentication works, your SSO is fully functional.

In case you need any kind of assistance while setting up the SSO, please contact us at [email protected]

10. Troubleshooting Guide

1. Redirect URI mismatch

Ensure the URI in Azure matches exactly with the domain configured in Konark.

2. Invalid client or secret

Verify the following environment variables inside Nalanda:

MICROSOFT_CLIENT_ID
MICROSOFT_CLIENT_SECRET

3. Token authorization failures

Confirm the app is set to Single-page application (SPA) and not Web or Native.

Check Konark:

VITE_ENABLE_MS_LOGIN: false   ← This controls frontend visibility

If needed, switch it to:

VITE_ENABLE_MS_LOGIN: true

You now have a fully configured Microsoft Entra ID integration with Nected—allowing your organization to authenticate users using secure enterprise-grade identity controls.

If you later extend access to multiple tenants, change redirect URIs, or enforce conditional access policies, these will propagate seamlessly through this setup.

PreviousSingle Sign-On (SSO)NextGoogle SSO Setup

Last updated 1 day ago

Prerequisites

1. Open Microsoft Entra ID in Azure Portal

2. Open App Registrations

3. Register a New Application

Application Name

Supported Account Types

Redirect URI

4. Configure Client Secret

5. Configure Nected (Konark + Nalanda)

5.1. Update Konark Environment Variables

5.2. Update Nalanda Environment Variables

8. Apply the Configuration

9. Validate SSO

10. Troubleshooting Guide

1. Redirect URI mismatch

2. Invalid client or secret

3. Token authorization failures

4. Login button not showing