Skip to main content

Requirements

  • Azure account
  • API_URL of the Hoop gateway instance
Contact the administrator of the hoop gateway instance to retrieve the API_URL address.

Identity Provider Configuration

1

Create an Application

Login with your account at https://portal.azure.com/
  • Go to Microsoft Entra ID > App Registration.
  • Pick a name, and select the Supported account types as you see fit
  • Register the application with {API_URL}/api/callback as the redirect URI.
We recommend using the option single tenant option for Supported account types. This will allow selecting exactly what groups to propagate to this application. This option is also required to propagate cloud-only groups as names (see more details below).
Ensure default delegated permissions: User.Read for sign in and read user profiles and email to view user’s email address.
These attributes are typically created by default. If errors occur, ensure these options are set correctly.
2

Create the Client Credentials

  • Go to App Registration > {AppName}
  • In the overview page, copy the Application (client) ID value. This is the Client ID.
  • Go to Certificate & Secrets > Client Secrets > New Client Secret
  • Copy the Secret Value. This is the Client Secret
3

Collect Issuer and Custom Scopes Information

The Issuer URL:
  • Go to App registration > {AppName} > Overview
  • Copy the Directory (tenant) ID and compose the URL: https://login.microsoftonline.com/{tenant_id}/v2.0
The Custom Scopes value:
  • Use the Client ID to compose it: {CLIENT_ID}/.default

Configure Hoop Gateway

Go to Integrations > Authentication and fill in:
  • Auth Method: OIDC
  • Issuer URL: https://login.microsoftonline.com/{tenant_id}/v2.0
  • Client ID: the Application (client) ID from above
  • Client Secret: the Secret Value from above
  • Scopes: {CLIENT_ID}/.default
  • Groups Claim: groups

Configuring Groups Claims

The integration relies on groups propagated in the id_token. By default, Azure Entra ID propagates them in the groups claims. The gateway needs to be configured to match the claim name of the groups. This configuration will ensure to sync the groups when a user authenticates on Hoop.
It’s possible to inspect the name of the claim that’s being propagated by viewing the logs of the gateway when a user sign in.
By default the gateway uses the claim name groups. To change it, go to Integrations > Authentication and include a distinct group.
By default, groups are propagate with their object ids. It may be cumbersome to manage groups as UUIDs on Hoop. See the section below to propagate them with their display name instead.
When you configure groups to sync, you’ll lose admin access on the next sign-in unless your Azure group maps to the configured admin role name. Update the Admin Role Name in Integrations > Authentication to match the Azure group name or object ID you want as admin before signing in again. The group identifier depends on whether you propagate groups as object IDs or display names (see below).

Propagating Groups as Names

It’s possible to propagate groups with their display names for cloud groups.
  • Click on Manifest
  • Edit the item groups under optionalClaims.idToken and optionalClaims.accessToken attributes and add the name cloud_displayname
  • Make sure that groupMembershipClaims is set to ApplicationGroup
(...)
  "groupMembershipClaims": "ApplicationGroup",
  (...)
  "optionalClaims": {
    "idToken": [
      {
        "name": "groups",
        "source": null,
        "essential": false,
        "additionalProperties": [
          "cloud_displayname"
        ]
      }
    ],
    "accessToken": [
      {
        "name": "groups",
        "source": null,
        "essential": false,
        "additionalProperties": [
          "cloud_displayname"
        ]
      }
    ],
    (...)
  • Click on Save
This option only works when group groupMembershipClaims is set to ApplicationGroup. and after assigning the groups to this application.
Be aware that names are not unique and this may cause conflict when propagating groups. Object IDs are a more safer approach to avoid such problems.
For other kind of groups it’s possible to append additional properties as sam_account_name, dns_domain_and_sam_account_name or netbios_domain_and_sam_account_name.

Assign Groups to Application

  • Go to Enterprise Application > {AppName} > User and Groups > Add user/group
  • Select the desired groups and click on Select
  • Click on Assign
This option requires an AD subscription that allows assigning groups to application.
References:

Machine to Machine Access (M2M)

Available on version 1.17.14+
It is possible to access hoop by issuing access tokens using the Oauth2 Client Credentials Flow. The gateway validates and authenticates any access token generated by the app registered in Azure, provided that a service account is active on hoop. The only requirement is that the service account has the same Object ID as the application, which serves as its main identifier.
Authentication only occurs when a token is issued by the identity provider. The service account resource simply maps the subject to identify who is accessing the API.

Creating a Service Account

To obtain the Object ID of the application navigate to: Azure Portal > Microsoft Entra ID > Enterprise Applications.
curl -X POST {API_URL}/api/serviceaccounts \
  -H "Api-Key: {API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{
    "subject": "<azure-app-object-id>",
    "name": "My Service Account",
    "status": "active",
    "groups": ["admin"]
  }'

Creating an Access Token

  1. Go to App Registrations > Certificate & Secrets > New Client Secret and copy the secret value.
  2. Generate an access token from Azure: 
curl -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id=<APP_CLIENT_ID>" \
  -d "scope=<APP_CLIENT_ID>/.default" \
  -d "client_secret=<APP_CLIENT_SECRET>" \
  -d "grant_type=client_credentials" \
  https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token
  • APP_CLIENT_ID: the client ID of the application
  • APP_CLIENT_SECRET: the client secret from step 1
  • TENANT_ID: the tenant ID of your Azure instance
For more information, see this guide.
  1. Verify access with the Hoop API:
curl {API_URL}/api/userinfo \
  -H "Authorization: Bearer <ACCESS_TOKEN>"
If you receive a 401, ensure the subject of the access token (the application’s Object ID) matches the subject used when creating the service account.