Skip to main content

Securing MarkLogic Server

With Microsoft Entra

You can set up MarkLogic Server to use the vendor Microsoft Entra (formerly Azure Active Directory) as your OAuth external agent.

To set up Microsoft Entra to properly interface with MarkLogic Server, noting, as you go along, the information that you will need later, follow these steps:

  1. Register with Microsoft Entra to obtain a tenancy.

  2. Create groups and users:

    1. Create users through the Users page.

    2. Create groups through the Groups page.

      • Note the group UUIDs. You will use these as external names during role configuration.

    3. Add the created users to the proper groups.

  3. Register your application with Microsoft Entra:

    • Note the Application ID URI for external security object configuration.

    • Note the Tenant ID for external security object configuration.

  4. Create a scope for your application.

  5. Customize the payload of the JWT Token to include groups by changing your application’s Manifest section optionalClaims field to this:

    "optionalClaims": {
        "idToken": [
            {
                "name": "groups",
                "source": null,
                "essential": false,
                "additionalProperties": []
            }
        ],
        "accessToken": [
            {
                "name": "groups",
                "source": null,
                "essential": false,
                "additionalProperties": []
            }
        ],
        "saml2Token": [
            {
                "name": "groups",
                "source": null,
                "essential": false,
                "additionalProperties": []
            }
        ]
    }

  6. Program your application to request this token.

  7. Obtain public keys and their corresponding key IDs from Microsoft Entra:

    1. Go to https://login.microsoftonline.com/<your-tenant-UUID>/discovery/v2.0/keys. On the page that appears, each entry in the keys array is a public key containing kid as the key ID.

    2. Convert each entry in the keys array from JWK to PEM format using any public access tool.

      • Note the key ID for external security object configuration.

      • Note the PEM-converted public key for external security object configuration.

Microsoft Entra is now set up to integrate with MarkLogic Server, and you have the information that you need to configure MarkLogic Server external security.

This table shows how the elements that you noted from Microsoft Entra map to fields on the MarkLogic Server External Security configuration page in the Admin Interface and to XQuery and REST API code schema elements. This table also includes the values used in the example setups:

Microsoft Entra element

External Security configuration page field

Schema element

Application ID URI

EXAMPLE: https://testorganazation.onmicrosoft.com/63e66e0c-ed73-4db3-abb7-4faffa154445

OAuth Client ID

sec:oauth-client-id

Tenant ID

EXAMPLE: https://sts.windows.net/3fc33f01-1894-4196-b81f-54417daac155/

OAuth JWT Issuer URI

sec:oauth-jwt-issuer-uri

Name claim

EXAMPLE: name

OAuth Username Attribute

sec:oauth-username-attribute

Groups claim

EXAMPLE: groups

OAuth Role Attribute

sec:ouath-role-attribute

JWT Secrets

          kid

          keys array

EXAMPLE (one kid/keys pair):

kid:

          XRvko8P7A3UaWSnU7bM9nT0MjhA

keys:

          -----BEGIN PUBLIC KEY-----

          <PEM-converted key>

          -----END PUBLIC KEY-----

OAuth JWT Secrets

          Secret Key ID

          Secret Value

sec:oauth-jwt-secrets

          sec:oauth-jwt-key-id

          sec:oauth-jwt-secret-values

You will also assign Microsoft Entra group UUIDs to MarkLogic Server roles as external names. Microsoft Entra groups are analogous to MarkLogic Server roles.

EXAMPLE (of one): 7228762e-cb30-428a-ae1a-3a8cf9e2f728

Set up MarkLogic Server integration through one of the methods described in this section.

In this section: