Connect Azure AD with GoRules BRMS.
1. Create an Enterprise Application in Azure AD
- Log in to the Azure portal and navigate to Entra ID.
- Select Enterprise applications and then click on New application.
- Click Create your own application
- Choose Register an application to integrate with Microsoft Entra ID (App you're developing) and provide a name for the application (e.g., GoRules BRMS DEV).
- Next, in Supported account types, select Accounts in this organizational directory only (Default Directory Only - Single tenant).
- In the Redirect URI section, select Web from the platform dropdown and enter app_url/oauth/azure, where app_url is the base URL at which your self-hosted BRMS is reachable. For example, if BRMS is hosted at https://gorules-dev.your-company.com the complete URI is https://gorules-dev.your-company.com/oauth/azure. The registered value must match what BRMS sends exactly (scheme, host and path), otherwise Entra ID rejects the sign-in.
- After creation, open the application's overview page, select the Single sign-on menu and click Go to application to open the App registrations experience.
- From the new page copy and save Application (client) ID for later use.
2. (Optional, but required for the group mapping in step 6) Add Azure AD Group Claims
- In the App registrations experience for the application, open the Token configuration section.
- Click Add groups claim to include group membership information in the token.
- Configure the claim according to your organization's requirements (e.g., include only groups assigned to the application and, for the Access and ID tokens, select sAMAccountName) and press Save. If you plan to use the group mapping in step 6, note that the mapping is keyed on the group's object ID, so emit the Group ID format there; sAMAccountName is only populated for groups synchronized from on-premises Active Directory. Restricting the claim to groups assigned to the application also keeps it small, since Entra ID replaces the groups claim with an overage reference when a user belongs to more groups than fit in a token.
3. Create Credentials for the Enterprise Application
- In the App registrations experience for the application, open Certificates & secrets.
- Under Client secrets, click New client secret.
- Add a description for the secret, set an expiry period (prefer a short one and record the expiry date so the secret is rotated before it lapses), and click Add.
- Once created, copy and save the client secret value for later use (Note: it will not be visible again after you leave this page). Treat it as a credential: keep it in your secret manager, not in a plaintext file or repository.
4. Copy endpoints
- In the App registrations experience for the application, in the Overview section, click Endpoints.
- Copy:
  - OAuth 2.0 authorization endpoint (v2)
  - OAuth 2.0 token endpoint (v2)
- For a single tenant setup also copy the Authority / Tenant endpoint, e.g. https://login.microsoftonline.com/TENANT_ID, where TENANT_ID is the Directory (tenant) ID shown on the Overview page. Use the tenant-specific value rather than the multi-tenant common endpoint.
5. Configure GoRules BRMS Environment Variables
To configure Azure AD SSO, add the following environment variables to the BRMS deployment. The table below maps each BRMS environment variable to the value collected in the steps above.
BRMS Environment Variable | Azure SSO Mapping |
---|---|
SSO_OAUTH2_PROVIDER | azure |
SSO_OAUTH2_CLIENT_ID | CLIENT_ID from Step 1.8. |
SSO_OAUTH2_CLIENT_SECRET | CLIENT_SECRET from Step 3.4. |
SSO_OAUTH2_SCOPES | openid email profile |
SSO_OAUTH2_AUTH_URL | AUTH_ENDPOINT from Step 4.2.1. |
SSO_OAUTH2_TOKEN_URL | TOKEN_ENDPOINT from Step 4.2.2. |
SSO_OAUTH2_AUTHORITY_URL | AUTHORITY_URL from Step 4.3; required for a single tenant setup |
APP_URL | _app_url_ for example https://gorules-dev.your-company.com |
EMAIL_ENABLED | false |
After setting the configuration, restart BRMS for the changes to take effect. Inject SSO_OAUTH2_CLIENT_SECRET from your secret store at deploy time rather than committing it alongside the other variables.
6. Optional Environment Variables
To configure group mapping, set the SSO_OAUTH2_GROUPS_MAPPING variable and add groups to SSO_OAUTH2_SCOPES. Group mapping relies on the group claim configured in step 2 being present in the token.
BRMS Environment Variable | Azure SSO Mapping |
---|---|
SSO_OAUTH2_GROUPS_MAPPING | 77777777-7777-7777-7777-777777777777->admin,88888888-8888-8888-8888-888888888888->admin,55555555-5555-5555-5555-555555555555->author |
SSO_OAUTH2_SCOPES | openid email profile groups |
Each mapping is written as {{azure_group_uuid}}->{{brms_role}}, and consecutive mappings are separated by a comma (,).
There are 4 levels of global permissions: owner, admin, author, and member.
Multiple groups can map to the same role.
The group uuid is the group's unique Object ID from Entra ID. If the variable is not set, permissions are managed from inside BRMS. If the variable is set and a signed-in user is not found in the mapping string, the user is added to the member group. Because membership of a mapped group is all that grants an elevated BRMS role, restrict who can add members to those groups in Entra ID.
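The following Python script is added here as a worked example and is not part of GoRules BRMS. It checks the variables from steps 5 and 6 before the restart: it parses .env style text, confirms that the authorization, token and authority URLs all name the same tenant (not the multi-tenant common authority), derives the redirect URI that must match the app registration from step 1, parses the SSO_OAUTH2_GROUPS_MAPPING string with the rules the table implies (valid group object IDs, roles limited to the four levels above), and shows how a token's groups claim resolves to a role, including the documented fallback to member. The tenant ID, client ID, group IDs and secret are constructed placeholders; the most-privileged-wins rule applied when a user is in several mapped groups is this example's assumption and not documented BRMS behaviour.

```python
"""Preflight check for the GoRules BRMS Azure AD SSO variables (steps 5 and 6).
Added example, not GoRules code. The .env text, IDs and token claims below are
constructed placeholders; the precedence applied when a user matches several
mapped roles is this example's assumption, not documented BRMS behaviour."""
import uuid
from urllib.parse import urlparse

BRMS_ROLES = ("owner", "admin", "author", "member")  # most to least privileged
DEFAULT_ROLE = "member"  # documented fallback for users absent from the mapping
REQUIRED = ("SSO_OAUTH2_PROVIDER", "SSO_OAUTH2_CLIENT_ID", "SSO_OAUTH2_CLIENT_SECRET",
            "SSO_OAUTH2_SCOPES", "SSO_OAUTH2_AUTH_URL", "SSO_OAUTH2_TOKEN_URL",
            "SSO_OAUTH2_AUTHORITY_URL", "APP_URL")  # authority: single tenant setup
TENANT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # constructed Directory (tenant) ID

EXAMPLE_ENV = f"""
SSO_OAUTH2_PROVIDER=azure
SSO_OAUTH2_CLIENT_ID=11111111-2222-3333-4444-555555555555
SSO_OAUTH2_CLIENT_SECRET=placeholder-secret-from-step-3
SSO_OAUTH2_SCOPES=openid email profile groups
SSO_OAUTH2_AUTH_URL=https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize
SSO_OAUTH2_TOKEN_URL=https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token
SSO_OAUTH2_AUTHORITY_URL=https://login.microsoftonline.com/{TENANT}
APP_URL=https://gorules-dev.your-company.com
EMAIL_ENABLED=false
SSO_OAUTH2_GROUPS_MAPPING=77777777-7777-7777-7777-777777777777->admin,88888888-8888-8888-8888-888888888888->admin,55555555-5555-5555-5555-555555555555->author
"""

def parse_env(text):
    """Minimal KEY=VALUE parser for .env style text."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env

def parse_groups_mapping(raw):
    """'uuid->role,uuid->role' -> {uuid: role}; rejects malformed IDs and unknown roles."""
    mapping = {}
    for entry in (e.strip() for e in raw.split(",") if e.strip()):
        group, sep, role = (p.strip() for p in entry.partition("->"))
        if not sep:
            raise ValueError(f"missing '->' in mapping entry {entry!r}")
        try:
            group = str(uuid.UUID(group))  # canonical lowercase form
        except ValueError:
            raise ValueError(f"{group!r} is not a valid Entra ID group object ID")
        if role not in BRMS_ROLES:
            raise ValueError(f"unknown BRMS role {role!r} for group {group}")
        mapping[group] = role
    return mapping

def validate_env(env):
    """Return a list of problems; an empty list means the variables are consistent."""
    problems = [f"{k} is not set" for k in REQUIRED if not env.get(k)]
    if env.get("SSO_OAUTH2_PROVIDER") != "azure":
        problems.append("SSO_OAUTH2_PROVIDER must be 'azure'")
    scopes = env.get("SSO_OAUTH2_SCOPES", "").split()
    problems += [f"scope {s!r} missing" for s in ("openid", "email", "profile") if s not in scopes]
    tenants = set()  # auth, token and authority URLs must all name the same tenant
    for key in ("SSO_OAUTH2_AUTH_URL", "SSO_OAUTH2_TOKEN_URL", "SSO_OAUTH2_AUTHORITY_URL"):
        parsed = urlparse(env.get(key, ""))
        if parsed.scheme == "https" and parsed.netloc == "login.microsoftonline.com":
            tenants.add(parsed.path.strip("/").split("/")[0])
        elif env.get(key):
            problems.append(f"{key} must be an https://login.microsoftonline.com/... URL")
    if len(tenants) > 1:
        problems.append(f"endpoints reference different tenants: {sorted(tenants)}")
    if "common" in tenants:  # multi-tenant authority defeats the single tenant setup
        problems.append("single tenant setup must use the tenant ID, not 'common'")
    if env.get("SSO_OAUTH2_GROUPS_MAPPING"):
        if "groups" not in scopes:
            problems.append("SSO_OAUTH2_GROUPS_MAPPING is set but 'groups' is not in SSO_OAUTH2_SCOPES")
        try:
            parse_groups_mapping(env["SSO_OAUTH2_GROUPS_MAPPING"])
        except ValueError as exc:
            problems.append(str(exc))
    return problems

def redirect_uri(env):
    """Redirect URI to register on the app (step 1): APP_URL + /oauth/azure."""
    return env["APP_URL"].rstrip("/") + "/oauth/azure"

def resolve_role(mapping, token_groups):
    """Resolve a user's 'groups' claim to one BRMS role. Non-UUID claim values
    (sAMAccountName format) never match a UUID-keyed mapping, so those users get
    the default role; with several matches the most privileged role wins (assumption)."""
    matched = set()
    for value in token_groups:
        try:
            matched.add(mapping.get(str(uuid.UUID(value))))
        except ValueError:
            pass  # not an object ID; cannot match the mapping
    return next((r for r in BRMS_ROLES if r in matched), DEFAULT_ROLE)

if __name__ == "__main__":
    env = parse_env(EXAMPLE_ENV)
    print("config problems:", validate_env(env) or "none")
    print("register this redirect URI:", redirect_uri(env))
```

To check a real deployment, replace EXAMPLE_ENV with the contents of your .env file. An empty problem list and a printed redirect URI identical to the one registered in step 1 are the two things worth confirming before the restart in step 5.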