HashiCorp Cloud Platform
Azure Active Directory OIDC SSO Configuration
This page explains how to set up SSO in HashiCorp Cloud Platform (HCP) with the Azure Active Directory identity provider. Refer to SSO Overview for details about managing organizations with SSO enabled.
Configure SSO
Organization owners and admins can set up SSO.
To begin configuring SSO:
- Log in to HCP and go to your organization.
- Click Settings and then click SSO. The Single Sign-On page appears.
- Select OIDC SSO.
- Click Configure selected SSO method. The Setup OIDC SSO page appears where you will enter the required information for Okta.
- Assign a default organization role.
Verify Your Domain
To prove that you own a domain, you publish a verification value that HCP provides as a TXT record in that domain's DNS. HCP uses the verified domain to match the email addresses of users who sign in with SSO. Each HCP organization must use different SSO domains; if you try to reuse a domain name that is already verified for another organization, the verification request fails.
To verify your domain:
- Copy the verification TXT record from the HCP SSO configuration to the DNS records of any email domains your organization uses.
- Return to the HCP Settings page and add your email address domains.
- Click Verify domains.
If the verification is successful, you can continue configuring SSO. If the request fails, your changes to the DNS records may not have propagated yet; DNS propagation can take up to 72 hours.
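Before pressing Verify domains, it helps to confirm that the TXT record is actually visible, and to tell "not published" apart from "not propagated yet". The following is an added example, not part of the HCP documentation: it checks a set of TXT records (here a constructed sample in the style of dig output) for an expected verification value, and a helper for live lookups against either the domain's authoritative nameserver or a public resolver. The record name and value format (hcp-domain-verification=...) are placeholders assumed for the example; HCP shows you the exact value to publish.

```python
import re
import subprocess
from typing import Iterable, List, Optional

# Constructed placeholder: HCP displays the exact TXT value to publish; the
# name/value format used here is an assumption for this example only.
EXPECTED_VERIFICATION_VALUE = "hcp-domain-verification=PLACEHOLDER_TOKEN_FROM_HCP"

# Constructed sample in the style of `dig +short TXT example.com` output. The
# second record is split into two quoted chunks, as DNS does for long values.
SAMPLE_DIG_OUTPUT = [
    '"v=spf1 include:_spf.example.com -all"',
    '"hcp-domain-verification=PLACEHOLDER_" "TOKEN_FROM_HCP"',
]

# One quoted character-string inside a TXT record, allowing escaped quotes.
TXT_CHUNK_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def normalize_txt_record(record: str) -> str:
    """Join the quoted character-strings of one TXT record into a single value.

    TXT data longer than 255 bytes is stored as several quoted strings and dig
    prints them that way; joining them lets a token that straddles a chunk
    boundary still compare equal to the expected value.
    """
    chunks = TXT_CHUNK_RE.findall(record)
    if not chunks:
        return record.strip()
    return "".join(c.replace('\\"', '"') for c in chunks)


def verification_record_present(records: Iterable[str], expected: str) -> bool:
    """True when some TXT record equals the expected verification value exactly."""
    return any(normalize_txt_record(r) == expected for r in records)


def lookup_txt(domain: str, nameserver: Optional[str] = None) -> List[str]:
    """Live TXT lookup via dig (needs network and dig installed; not used offline).

    Query the domain's authoritative nameserver to see what you published, and a
    public resolver to see what the rest of the Internet currently gets back; a
    difference between the two usually means propagation has not finished.
    """
    cmd = ["dig", "+short", "TXT", domain]
    if nameserver:
        cmd.append(f"@{nameserver}")
    result = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return [line for line in result.stdout.splitlines() if line.strip()]


if __name__ == "__main__":
    # Offline check against the constructed sample; replace SAMPLE_DIG_OUTPUT with
    # lookup_txt("example.com") for a live check.
    print(verification_record_present(SAMPLE_DIG_OUTPUT, EXPECTED_VERIFICATION_VALUE))
```

Comparing the result from the authoritative nameserver with the result from a public resolver is the quickest way to decide whether to wait for propagation or to fix the record itself.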
OIDC Integration in Azure Active Directory
You must add information from the Initiate OIDC Integration section in HCP to the OIDC configuration for an Enterprise application in Azure Active Directory.
To add the required integration information in Azure Active Directory:
- Log in to your Microsoft Azure portal and go to Azure Active Directory.
- Click Properties and save your Tenant ID for later.
- Under Manage, select Enterprise applications.
- Click New application.
- At the top of the Azure AD Gallery page, click Create your own application and enter a name.
- Select Integrate any other application you don't find in the gallery (Non-gallery) and then click Create. You’ll be taken to the application overview screen.
- You’ll need to register your application. Select Home in the breadcrumbs to go back to the Home screen.
- Select Azure Active Directory.
- In the menu, select App Registration.
- Click New Registration.
- On the Register an application page, give the application a name.
- Set Supported account types to Accounts in this organizational directory only (Default Directory only - Single tenant).
- Click Register.
- Copy the Application (client) ID and save it for later.
- Click Add a Redirect URI.
- Under Platform configurations, click Add a platform.
- Select Web.
- Enter https://flow.idp.hashicorp.com/sso/oidc/callback as the Redirect URI.
- Under Implicit grant and hybrid flows, check:
  - Access tokens (used for implicit flows)
  - ID tokens (used for implicit and hybrid flows)
- Click Configure.
- Under Manage, select Certificates & secrets.
- Click New client secret.
- Give the secret a name and set the expiration date according to your company's policy.
- Create client credentials and add the Redirect URL. Select Add a secret.
- Copy the Value.
Switch back to the HCP Portal OIDC page to enter the copied Client ID, Client Secret, Redirect URI and Issuer URL values.
Enter https://login.microsoftonline.com/<YOUR_TENANT_ID>/v2.0 as the Issuer URL, substituting your Tenant ID for <YOUR_TENANT_ID>, to finish the configuration.
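The Issuer URL must match, character for character, the issuer that Azure AD publishes in its OpenID Connect discovery document for your tenant, or ID token validation on the HCP side fails. The following added example (not HCP's or Microsoft's code) checks that the configured Issuer URL has the single-tenant v2.0 form, derives the discovery endpoint, and compares the configured values against a discovery document. The tenant ID and the discovery document are constructed for the example; in practice you would fetch the document from the discovery URL the code prints.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed tenant ID for the example; substitute the Tenant ID copied from
# the Azure Active Directory Properties page.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
ISSUER_URL = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
REDIRECT_URI = "https://flow.idp.hashicorp.com/sso/oidc/callback"

# A single-tenant v2.0 authority: https, a tenant GUID, the v2.0 suffix, no
# trailing slash. 'common', 'organizations' and the v1.0 endpoint do not match.
TENANT_ISSUER_RE = re.compile(
    r"^https://login\.microsoftonline\.com/"
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})/v2\.0$",
    re.IGNORECASE,
)


def tenant_id_from_issuer(issuer: str) -> str:
    """Return the tenant ID embedded in a single-tenant v2.0 Issuer URL, or raise."""
    match = TENANT_ISSUER_RE.match(issuer)
    if not match:
        raise ValueError(f"not a tenant-specific v2.0 issuer URL: {issuer!r}")
    return match.group(1)


def is_valid_issuer_url(issuer: str) -> bool:
    try:
        tenant_id_from_issuer(issuer)
        return True
    except ValueError:
        return False


def discovery_url(issuer: str) -> str:
    """Discovery endpoint derived from the issuer, per OpenID Connect Discovery."""
    return issuer + "/.well-known/openid-configuration"


# Constructed discovery document shaped like Azure AD's v2.0 response for this tenant.
SAMPLE_DISCOVERY: Dict[str, object] = {
    "issuer": ISSUER_URL,
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token", "id_token token"],
    "id_token_signing_alg_values_supported": ["RS256"],
}


def check_oidc_config(issuer: str, redirect_uri: str, discovery: Dict[str, object]) -> List[str]:
    """Return the problems found; an empty list means the values are consistent."""
    problems: List[str] = []
    if not is_valid_issuer_url(issuer):
        problems.append(f"issuer URL is not a tenant-specific v2.0 authority: {issuer!r}")
    # The published issuer must equal the configured one exactly (no trailing slash,
    # same tenant, same version), otherwise ID token 'iss' validation fails.
    if discovery.get("issuer") != issuer:
        problems.append(
            f"issuer mismatch: configured {issuer!r}, published {discovery.get('issuer')!r}"
        )
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = str(discovery.get(key, ""))
        if urlparse(url).scheme != "https":
            problems.append(f"{key} is missing or not https: {url!r}")
    if "RS256" not in discovery.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 ID token signing not advertised")
    if urlparse(redirect_uri).scheme != "https":
        problems.append(f"redirect URI is not https: {redirect_uri!r}")
    return problems


if __name__ == "__main__":
    print("fetch and compare:", discovery_url(ISSUER_URL))
    print(check_oidc_config(ISSUER_URL, REDIRECT_URI, SAMPLE_DISCOVERY) or "OK")
```

Fetching the discovery URL for your real tenant and passing the parsed JSON to check_oidc_config before saving the HCP configuration catches the common mistakes early: a pasted v1.0 authority, the multi-tenant common endpoint (which disagrees with the Single tenant registration above), or a stray trailing slash.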