Azure AD Id Provider
Authenticate your users using Azure Active Directory This ID Provider uses the OAuth2 v2 endpoint of your Azure AD to authenticate users.
Acknowledgement
- Based on ADFS Id Provider
- Developed by Øyvind Nordli
Compatibility
| Version | XP Version | Download |
|---|---|---|
| 0.1.0 | >= 7.0.0 | Download |
| 1.0.0 | >= 7.0.0 | Download |
| 1.1.0 | >= 7.0.0 | Download |
| 1.2.0 | >= 7.0.0 | Download |
| 1.2.1 | >= 7.7.4 | Download |
| 1.2.2 | >= 7.7.4 | Download |
| 1.2.3 | >= 7.7.4 | Download |
| 1.2.4 | >= 7.7.4 | Download |
App Setup
Azure Application
Go to Portal Azure, and either create an app or use an existing one.
Can be found in Azure Active Directory -> App registrations -> New registration
You'll then need to add the redirect URI for your enonic XP instance to your Azure application. This can be found in the Authentication section of your app. Add a new Web platform and then add your url there, the url will most likely look something like https://${domain}/admin/tool/_/idprovider/${nameOfIdProvider}. You can add multiple redirect URIs if necessary.
If you want to auto import the users AD groups in Enonic you have to add some API permissions as well:
- Directory.Read.All
- Directory.ReadWrite.All
- Directory.AccessAsUser.All
Enonic XP
Install the Azure AD ID Provider app if you haven't already
Open up the User manage interface and add a new Id Provider. Give this Id Provider a name, and check that the path name of the Id Provider is the same as the last part of the redirect URI added to your application in Azure.
Add the Azure AD ID Provider to the Application field and press the small pencil to open up the settings.
- Tentant ID can be found in the overview page on your app in Azure as
Directory (tenant) ID. - Client ID can be found in the overview page on your app in Azure as
Application (client) ID. - Logout url is where you want to send the user if they press the logout button in XP. For Azure AD you'd most likely send them to the azure ad logout url, with your redirect url as a param. Remember to url encode the redirect url https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F or see https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#send-a-sign-out-request for more info. You can also omit the post_logout_redirect_uri, and the app will try to make an educated guess, but this in not recommended.
- Client Secret has to be made in the
Certificates & secretssection under your application in Azure. - If you want to change the Azure AD -> Enonic XP user mapping, do so in the User Mappings (most likely not necessary).
- Remember to add the API permissions listed above if you want to create and update groups in Enonic XP based on the groups in Azure AD.
- If your Enonic XP server instance is hosted on https, you'll most likely need to check the
Force the redirect uri to use https, since XP itself doesn't know that it is using https if it's behind a reverse proxy of some sort.
Group Filtering
If you don't want to import all the users groups from Azure AD, it's possible to use group filters to accomplish this.
You can add multiple filters. Each filter takes 3 parameters:
property: This is the property that comes from the MemberOf graphApi for each group. List of properties
regexp: Which Regular Expression to run on the property
and: If you want to AND this with the previous filter.
Example:
property: description
regexp: \$XP\$
and: false
property: displayName
regexp: ^XP
and: false
property: id
regexp: 12345-12345-12345-12345
and: false
property: visibility
regexp: Public
and: true
This will then include groups with descriptions marked with $XP$, or groups with a display name starting with XP, or the group with id 12345-12345-12345-12345 where visibility is Public. So it's divided into 3 checks: 1 OR 2 OR (3 AND 4)
Events
The following events can be listed after using event library:
| Event type | Description |
|---|---|
custom.azure.user.login |
User logs in |
custom.azure.user.modify |
Local user is modified |
custom.azure.user.create |
Local user is created |
The Login event passes an object as parameter describing the user with these fields:
typekeydisplayNamedisabledemailloginidProvider
The Create event passes an object as parameter with the following fields:
idProvidernamedisplayNameemail
Example:
const eventLib = require("/lib/xp/event")
eventLib.listener({
type: "custom.azure.user.login",
callback: function(event) {
log.info(event.data.email);
}
})Build
To build this project, execute the following:
./gradlew clean buildDeploy to Jitpack
Go to the Jitpack page for app-azure-ad-idprovider to deploy from Github (after creating a new versioned release).