Skip to main content

Entra ID Sign-in

This guide provides instructions on configuring Entra ID (formerly Azure AD) authentication for the Exchange API Vault.
By integrating with Entra ID, you can leverage centralized identity management and secure access control for your Exchange API Vault deployment.

1. Register 3 Applications in Entra ID

To enable Entra ID authentication, you need to register three applications in your Entra ID tenant, one for each Vertex node in your MPC cluster.

Info

Three separate applications need to be registered in Entra ID, one for each Vertex node in your MPC cluster, in order to preserve the distributed security model of the MPC cluster.
The user experience will remain seamless, as the Exchange API Vault frontend UI will take care of authenticating against all three applications behind the scenes, the user will only need to authenticate once.

Registering an Application

It is recommended to follow the official Microsoft guide here.

At a high level, the steps are as follows:

  1. Sign in to the Entra Admin Center using an account with the necessary permissions to register applications (Application Developer permissions).
  2. Navigate to Entra ID > App registrations > New registration.
  3. Provide a name for the application (e.g., SodotNode1, SodotNode2, SodotNode3).
  4. Set the Supported account types to your preference (e.g., single tenant or multi-tenant). For most use cases within an organization, "Accounts in this organizational directory only" is sufficient.
  5. (Optional) Specify a Redirect URI as shown in the next section.
  6. Click Register to create the application.
  7. You will now be able to see the Application (client) ID and Directory (tenant) ID. Make sure to note these down as they will be needed later.

You will need to repeat this process to create a total of three applications, one for each Vertex node in your cluster.

Note: All 3 applications should be created in the same tenant ID.

2. Configure Redirect URIs for Each Application

After registering the applications, you need to configure the redirect URIs for each application.
The redirect URI is where Entra ID will send authentication responses.
When configuring the redirect URIs the type of platform should be set to Single Page Application (SPA). This should be set to the URL of the Exchange API Vault frontend UI (e.g., https://your-exchange-api-vault-frontend-url.com/auth/callback).
In case of local development, you can also set a local endpoint (e.g. http://localhost:3000/auth/callback) as a valid redirect URI.

The official Microsoft guide for configuring redirect URIs can be found here.

3. Enable ID Token Implicit Grant

  1. In the Entra Admin Center, navigate to Entra ID > App registrations.
  2. Select the application you want to configure.
  3. Under Authentication, find the Implicit grant and hybrid flows section.
  4. Enable the ID tokens option.
  5. Click Save.

Summary

You should now have:

  • 3 registered applications in Entra ID, one for each Vertex node in your MPC cluster.
    • 3 Application (client) IDs - 1 for each Vertex node.
    • 1 Directory (tenant) ID - same for all 3 applications.
  • Configured redirect URIs for each application pointing to your Exchange API Vault frontend UI (or the desired redirect URI for a yet-to-be-deployed frontend UI).

The client IDs and tenant ID will be used during the deployment of the Exchange API Vault to enable Entra ID authentication.