Skip to main content
Skip table of contents

Configuration and use in signoSign/Universal

Customization of settings.properties

In signoSign/Universal, the authentication must be adjusted in settings.properties.

The following settings must be used.

XML
auth.type=OIDC
auth.oidc.discoveryUrl=https://login.microsoftonline.com/{Directory-ID}/v2.0/.well-known/openid-configuration
auth.oidc.clientId=faa4573c-XXXX-XXXX-XXXX-947122168558
auth.oidc.tokenAudience=api://faa4573c-XXXX-XXXX-XXXX-47122168558
auth.oidc.clientSecret=nnl7Q~8J1aGzX6o3dasHAVa0XXXXXXXX-XXXX
auth.oidc.scope=openid email api://faa4573c-XXXX-XXXX-XXXX-947122168558/sso-example-scope
auth.oidc.tokenIssuer=https://login.microsoftonline.com/{Directory-ID}/v2.0,https://sts.windows.net/{Directory-ID}/

These are invalid example values. The actual values must be taken from the created application!

Explanations of the settings:

  • The “auth.type” authentication is set to “OIDC.”

  • The “discoveryUrl” can be taken from the endpoints of the app registration.

image-20250203-075434.png

The URL to the “OpenID Connect metadata document” endpoint
is required.

  • The “clientId” and “tokenAudience” can be found in the app registration overview.

    image-20250203-075454.png
  • You have previously created and cached the “clientSecret.”

  • You have already created the “scope.” The URI is preceded by “openid” and “email.”
    Example: openid email api:// faa4573c-XXXX-XXXX-XXXX-XXXX-947122168558/sso-example-scope

  • As “tokenIssuer” you configure the token issuer of your Microsoft Entra ID. At present, Microsoft has two issuers (old and new):
    V1: https://sts.windows.net/{Directory-ID}/
    V2: https://login.microsoftonline.com/{Directory-ID}/v2.0

  • The “Directory ID” is the directory ID of your Microsoft Entra ID subscription. This can be taken from the Azure portal settings or the above-mentioned “discoveryUrl.” The two URIs are configured comma-separated as the value for the property.

If you want to use single sign-on with the signoSign/Universal Document Pool, the “web.ssmpublicurl” must also be configured. This must match the redirection URI from the app registration!

Registration in the application

As soon as you have made all the settings in Microsoft Entra ID and in signoSign/Universal, you can log in with your user via SSO.

If you are already logged in via SSO in your browser and you call the signoSign/Universal document management(https://YOUR-DOMAIN.COM/signoSignUniversal/pool), you will be logged in automatically.

If you are not yet logged in, but SSO has been configured as a login, you will be automatically redirected to the Microsoft login.

Login to the REST API

Using the REST API is basically identical to logging in with a user name and password. An “Access Token” from OpenID Connect is transferred to the POST/instancetoken method instead of the user data. As usual, you will then receive the instance token for further use of the REST API. The “Access Token” is, as usual, generated via an OpenID Connect flow.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.