With Microsoft Entra
You can set up MarkLogic Server to use the vendor Microsoft Entra (formerly Azure Active Directory) as your OAuth external agent.
To set up Microsoft Entra to properly interface with MarkLogic Server, noting, as you go along, the information that you will need later, follow these steps:
Register with Microsoft Entra to obtain a tenancy.
Create groups and users:
Create users through the Users page.
Create groups through the Groups page.
Note the group UUIDs. You will use these as external names during role configuration.
Add the created users to the proper groups.
Register your application with Microsoft Entra:
Note the Application ID URI for external security object configuration.
Note the Tenant ID for external security object configuration.
Customize the payload of the JWT Token to include groups by changing your application’s Manifest section optionalClaims field to this:
"optionalClaims": { "idToken": [ { "name": "groups", "source": null, "essential": false, "additionalProperties": [] } ], "accessToken": [ { "name": "groups", "source": null, "essential": false, "additionalProperties": [] } ], "saml2Token": [ { "name": "groups", "source": null, "essential": false, "additionalProperties": [] } ] }
Obtain public keys and their corresponding key IDs from Microsoft Entra:
Go to
https://login.microsoftonline.com/<your-tenant-UUID>/discovery/v2.0/keys
. On the page that appears, each entry in the keys array is a public key containing kid as the key ID.Convert each entry in the keys array from JWK to PEM format using any public access tool.
Note the key ID for external security object configuration.
Note the PEM-converted public key for external security object configuration.
Microsoft Entra is now set up to integrate with MarkLogic Server, and you have the information that you need to configure MarkLogic Server external security.
This table shows how the elements that you noted from Microsoft Entra map to fields on the MarkLogic Server External Security configuration page in the Admin Interface and to XQuery and REST API code schema elements. This table also includes the values used in the example setups:
Microsoft Entra element |
External Security configuration page field |
Schema element |
---|---|---|
Application ID URI EXAMPLE: |
OAuth Client ID |
|
Tenant ID EXAMPLE: |
OAuth JWT Issuer URI |
|
Name claim EXAMPLE: |
OAuth Username Attribute |
|
Groups claim EXAMPLE: |
OAuth Role Attribute |
|
JWT Secrets kid keys array EXAMPLE (one kid/keys pair): kid: keys: <PEM-converted key> |
OAuth JWT Secrets Secret Key ID Secret Value |
|
You will also assign Microsoft Entra group UUIDs to MarkLogic Server roles as external names. Microsoft Entra groups are analogous to MarkLogic Server roles.
EXAMPLE (of one): 7228762e-cb30-428a-ae1a-3a8cf9e2f728
Set up MarkLogic Server integration through one of the methods described in this section.