Configure Celery SSO using OpenID Connect with Azure AD / Microsoft Entra ID
Once you have completed this configuration, your users can sign in to Celery using their Azure AD login.
Note: Azure AD is Microsoft Entra ID, but the name Azure AD is still in common use. Wherever this document says Azure AD, it means Microsoft Entra ID as well.
Here's a diagram of the login flow between:
- The user
- Celery applications
- Celery Identity Service
- Azure AD
Although this looks complex, the user only sees a few screens, such as the Celery login screen and the Azure AD login screen.
Register a New Azure Active Directory Application
First, log in to the Azure Portal.
Once logged in, navigate to Azure Active Directory -> App Registrations -> New Registration to create a new Azure Active Directory Application.
Here, configure the application's Redirect URI. The value should be https://login.celerypayroll.com/oauth2/callback.
Once the application has been created, note the Application (client) ID and the Directory (tenant) ID. These will be used respectively as the Client Id value and to construct the Issuer value in your Celery OpenID Connect Identity Provider configuration.
Enable Azure Active Directory API permission
Navigate to Azure Active Directory -> App Registrations -> [Your Application] -> Manage -> API Permissions -> Add a permission to create a new Azure Active Directory permission.
Choose the Microsoft Graph API and Delegated permissions. Enter User.Read in the search field and enable the User.Read permission.
Create a New Azure Active Directory Application Secret
Navigate to Azure Active Directory -> App Registrations -> [Your Application] -> Manage -> Certificates & secrets -> New client secret to create a new Azure Active Directory Application Client Secret.
Note the Value of the created client secret during the creation process. This will be used as the Client secret value in your Celery OpenID Connect Identity Provider configuration.
Send Azure Active Directory values to Celery
Send the Application (client) ID, the Directory (tenant) ID, the value from the Client Secret and the desired SSO domains to Celery to finalize the SSO setup.
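The following pre-flight check is an added example, not part of Celery's documentation or code. It validates the values collected in the steps above before they are sent to Celery. The v2.0 issuer format, the function names and the sample IDs are assumptions.

```python
import re
import uuid

REDIRECT_URI = "https://login.celerypayroll.com/oauth2/callback"  # from this page
# Assumption: Microsoft identity platform v2.0 issuer format; confirm with Celery.
ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tenant}/v2.0"
DOMAIN_RE = re.compile(r"([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")


def is_guid(value):
    """True only for a canonical 8-4-4-4-12 GUID string."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False


def build_issuer(tenant_id):
    """Construct the Issuer value from the Directory (tenant) ID."""
    if not is_guid(tenant_id):
        raise ValueError("Directory (tenant) ID is not a GUID")
    return ISSUER_TEMPLATE.format(tenant=tenant_id.lower())


def preflight(client_id, tenant_id, client_secret, redirect_uris, sso_domains):
    """Return a list of problems with the collected values; empty means OK."""
    problems = []
    if not is_guid(client_id):
        problems.append("Application (client) ID is not a GUID")
    if not is_guid(tenant_id):
        problems.append("Directory (tenant) ID is not a GUID")
    # The portal lists a Secret ID (a GUID) next to the secret Value;
    # only the Value authenticates the application.
    if is_guid(client_secret):
        problems.append("client secret looks like the Secret ID, not the Value")
    elif not client_secret or client_secret != client_secret.strip():
        problems.append("client secret is empty or has stray whitespace")
    # Compare the redirect URI exactly: scheme, host, path, no trailing slash.
    if REDIRECT_URI not in redirect_uris:
        problems.append("redirect URI " + REDIRECT_URI + " is not registered")
    for domain in sso_domains:
        if not DOMAIN_RE.fullmatch(domain.lower()):
            problems.append("SSO domain is not a bare domain name: " + domain)
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    tenant = "11111111-2222-3333-4444-555555555555"
    print(build_issuer(tenant))
```

The check never prints or logs the client secret; it only reports whether the value has the expected shape.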