The basic steps to enable oauth2 (OIDC) authentication for AMS are:

1. Secure your AMS server with TLS security.
2. Create the Azure application, service principal, and secret.
3. Add the AMS redirect URI to your Azure application.
4. Grant the Microsoft Graph User.Read permission to your Azure application.
5. Configure App Roles for your Azure Application (which map to privileges defined in your AMS server configuration).
6. Add the OpenIDConnectAuthenticationRealm to your AMS server configuration.

These steps are discussed in more detail below.

1. Secure your AMS server with TLS security. This is needed because your Azure application cannot redirect to a non-secure (http://) URL.

To enable TLS security, add the following settings in AMS.conf:
 

ClientAPIListener = {
        portNumber = ${ams.ClientAPIListener.portNumber:-2185}
        secure = ${ams.ClientAPIListener.secure:-true}
    }

    CommunicationSecurity = {
        keyStore = "/opt/certs/amskeystore.p12"
        keyStorePassword = "*****"
        keyPassword = "*****"
    }

..where 'amskeystore.p12' holds the certificate and private key for the AMS server host.

2. Create an Azure application, service principal and secret. This can be done in the Azure portal (portal.azure.com) or with the Azure command-line interface (az cli).

Ref: https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#register-an-application

3. Add a redirect URI for your Azure application

Ref: https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#add-a-redirect-uri

4. Grant the Microsoft Graph User.Read permission to your Azure application.

Ref: https://learn.microsoft.com/en-us/azure/healthcare-apis/register-application#api-permissions

5. Configure App Roles for your Azure application.

Ref: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps

For example, create an App Role whose Value is 'AMSAdmin' to be consistent with the default admin role that is configured for AMS (see $STREAMBASE_HOME/ams/conf/AMS.conf under the RoleToPrivilegeMappings section)

6 Add the OpenIDConnectAuthenticationRealm to your AMS server configuration. For example:
 

OpenIDConnectAuthenticationRealm {
        IdentityToAMSProfileBinding = {
            bindAction = "AUTO_CREATE"
            autoCreateUsernameClaim = "email"
            autoCreateUserEnabled = true
            autoCreateDefaultRoles = "AMSAdmin"
            autoCreateFilters = [
                {
                    javaClass = "com.tibco.ep.ams.auth.AMSAutoCreateEmailFilter"
                    params = [
                        {
                            name = "domains"
                            value = "company.com"
                        }
                    ]
                }
            ]
        }
        IdentityProviders = {
            providers = [
                {
                    name = "AzureAD"
                    clientId = "57fdac31-baf5-****"
                    clientSecret = "Oz28Q~DxlpXO9*******"
                    issuer = "https://sts.windows.net/cde6fa59-abb3-******/v2.0/"
                    authorizationEndpoint = "https://login.microsoftonline.com/cde6fa59-abb3-*******/oauth2/v2.0/authorize" 
                    tokenEndpoint = "https://login.microsoftonline.com/cde6fa59-abb3-*******/oauth2/v2.0/token"
                }
            ]
        }
    }
...

AMSRealmList = [ OpenIDConnectAuthenticationRealm, LocalAuthenticationRealm ]

You may obtain the correct values for the domain parameter (as well as the options shown under the IdentityProviders section) from your Azure administrator.
 

This article outlines the steps needed to configure the Artifact Management Server (AMS) to use the OpenID Connect (OIDC) Authentication Realm to authenticate users. The example herein uses Azure Active Directory (AD) as the OIDC provider.