Kristoffer Hägelstam edited this page Nov 2, 2020 · 4 revisions

There are two primary ways of logging in:

  • using the email address to determine the tenant login provider
  • using the subdomain to select the tenant login provider manually

Login with email

To log in using your email, go to https://ateazephyr.com/login and enter your email.

  • the domain is extracted from the specified email
  • the domain is used to find a tenant that contains a login provider associated with that domain
  • the user is redirected to the login provider (AzureAD or Auth0)
  • if the login is successful, the user is redirected back to our api, where we continue the login process

Login with subdomain

To log in using a subdomain, go to https://your-subdomain.ateazephyr.com or alternatively https://ateazephyr.com/login?tenant=your-subdomain

  • the tenant's login providers are found based on the specified subdomain
  • the first login provider from the tenant's providers is selected
  • the user is redirected to the login provider (AzureAD or Auth0)
  • if the login is successful, the user is redirected back to our api, where we continue the login process
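The two lookups above (email domain to provider, subdomain to first provider), as an added example that is not Zephyr's own code. The tenant and provider records, the subdomain names and the email domains are constructed sample data; the product resolves these from its own store. The point worth seeing in code is that the email path matches the extracted domain exactly against the configured domains and never by substring, and that the host-based path accepts only one label directly under the base domain.

```python
# Added example (not Zephyr's code): resolving the tenant login provider for
# the two login paths above. Tenant and provider records are constructed
# sample data; the product looks them up in its own store.
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass(frozen=True)
class LoginProvider:
    name: str            # "AzureAD" or "Auth0"
    domains: frozenset   # email domains associated with this provider


@dataclass
class Tenant:
    subdomain: str
    providers: list = field(default_factory=list)   # order matters for subdomain login


# Constructed sample tenants (hypothetical subdomains and domains).
TENANTS = [
    Tenant("acme", [LoginProvider("AzureAD", frozenset({"acme.example"})),
                    LoginProvider("Auth0", frozenset({"contractors.acme.example"}))]),
    Tenant("globex", [LoginProvider("Auth0", frozenset({"globex.example"}))]),
]


def email_domain(email: str) -> Optional[str]:
    """Lower-cased domain part of an email, or None if it has no local part
    or no domain. Splitting on the last '@' keeps a local part that itself
    contains '@' from steering the lookup."""
    local, at, domain = email.strip().rpartition("@")
    if not at or not local or not domain:
        return None
    return domain.lower()


def provider_for_email(email: str, tenants=TENANTS) -> Optional[Tuple[Tenant, LoginProvider]]:
    """Login with email: the domain selects tenant and provider. Exact match
    only, so 'evil-acme.example' never resolves to the 'acme.example' tenant."""
    domain = email_domain(email)
    if domain is None:
        return None
    for tenant in tenants:
        for provider in tenant.providers:
            if domain in provider.domains:
                return tenant, provider
    return None


def provider_for_subdomain(subdomain: str, tenants=TENANTS) -> Optional[Tuple[Tenant, LoginProvider]]:
    """Login with subdomain: the tenant is chosen explicitly and its first
    configured provider is used, as the page describes."""
    subdomain = subdomain.strip().lower()
    for tenant in tenants:
        if tenant.subdomain == subdomain and tenant.providers:
            return tenant, tenant.providers[0]
    return None


def subdomain_from_host(host: str, base: str = "ateazephyr.com") -> Optional[str]:
    """Take 'your-subdomain' from a Host value like 'your-subdomain.ateazephyr.com'.
    Only a single label directly under the base domain is accepted."""
    host = host.strip().lower().split(":", 1)[0]
    suffix = "." + base
    if not host.endswith(suffix):
        return None
    label = host[:-len(suffix)]
    return label if label and "." not in label else None
```

Both resolvers return None rather than falling back to some default provider when nothing matches; an unknown domain or subdomain should end in an error page, not in a redirect to another tenant's identity provider.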

Authentication via AzureAD

After you have entered your credentials and logged in to your AzureAD account, you will be redirected back to our api, where we continue the login process.

  • the tenant is validated to allow login
    • the trial date has not expired
    • the tenant is active
    • the terms of service have not expired
  • the jwt token returned from the AzureAD login provider is decoded
  • the email or upn is read from the jwt token
  • an api access token for the Microsoft Graph api is loaded based on the settings of the login provider
    • if loading the access token fails, an error is logged to telemetry as azuread-graphtoken
  • the security groups are loaded for the email or upn using the access token
  • the tenant access groups are validated against the security groups
    • users are rejected if they are not a member of any of the tenant's access groups
  • try to load the user details based on the email
  • if no user details are found, a new user is created
    • an event is logged to telemetry
    • approvers are selected from the tenant's default approvers
    • the expire date is set based on the tenant's default expire date
    • the name is read from the jwt token
    • the picture is read from the jwt token
    • the language is selected from the tenant's default language
    • the startpage is selected from the tenant's default startpage
    • the theme is selected from the tenant's default theme
    • the timezone is selected from the tenant's default timezone
  • the tenant variables are checked to see if user details should be synced
    • the name is updated from the jwt token
    • the picture is updated from the jwt token
  • the user details are validated to allow login
    • the name is updated from the jwt token
    • the upn is updated from the jwt token (saved in metadata)
    • the picture is loaded from the Graph api and stored in our blob storage
    • the manager is loaded from the Graph api
      • the user details are loaded based on the manager's email
      • if no user details are found, a new user is created (with the same values as above)
    • check whether any security groups are mapped to roles
      • the mapped roles are added if the user is a member of any of the associated security groups
  • a new jwt token is generated (zephyr-specific)
  • the user is redirected to the startpage

v2.9.9+
When syncing user details we only load the user's own manager; we no longer load the manager's manager and so on.
It is simply not required anymore to load the entire Azure AD hierarchy.
When the manager logs in, their user details are synced and their own manager is loaded and created.

The login requires the following Azure application permissions:

  • Login user: Delegated User.Read
  • Read user picture: Application User.Read.All
  • Read user manager: Application User.Read.All
  • Read user security groups: Application Directory.Read.All

User.Read is a delegated permission and runs in the context of the signed-in user. The three Application permissions are exercised by the app itself with no signed-in user, so they require admin consent from the customer's Azure AD administrator; until that consent is granted the picture, manager and security-group lookups above will fail (and the failed Graph token load is what shows up in telemetry as azuread-graphtoken).

Authentication via Auth0

After you have entered your credentials and logged in to your Auth0 account, you will be redirected back to our api, where we continue the login process.

  • the tenant is validated to allow login
    • the trial date has not expired
    • the tenant is active
    • the terms of service have not expired
  • the jwt token returned from the Auth0 login provider is decoded
  • the email is read from the jwt token
  • try to load the user details based on the email
  • if no user details are found, a new user is created
    • an event is logged to telemetry
    • approvers are selected from the tenant's default approvers
    • the expire date is set based on the tenant's default expire date
    • the name is read from the jwt token
    • the picture is read from the jwt token
    • the language is selected from the tenant's default language
    • the startpage is selected from the tenant's default startpage
    • the theme is selected from the tenant's default theme
    • the timezone is selected from the tenant's default timezone
  • the tenant variables are checked to see if user details should be synced
    • the name is updated from the jwt token
    • the picture is updated from the jwt token
  • the user details are validated to allow login
    • the user is active
    • the user's expire date has not expired
  • a new jwt token is generated (zephyr-specific)
  • the user is redirected to the startpage
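The post-login processing from both the AzureAD and the Auth0 sections above, as one added example that is not Zephyr's own code. It covers the steps that can be shown offline: the tenant checks, reading the email or upn from the token claims, the access-group gate and the group-to-role mapping for AzureAD, first-login provisioning from the tenant defaults, and the active/expiry check on the user. The Graph calls (picture, manager, group lookup) are represented only by the `security_groups` argument the caller passes in. Field names, the tenant defaults, the role mapping and the sample tenant are assumptions; so is treating an empty access-group set as "gate not configured". The page lists the active/expiry check only under Auth0; the example applies it to both providers. The claims dict is assumed to come from an OIDC library that has already verified the token's signature, issuer, audience and expiry; decoding a JWT by itself proves nothing about who issued it.

```python
# Added example (not Zephyr's code): the post-login steps the page lists for
# AzureAD and Auth0, run on already-verified ID-token claims. Field names,
# the tenant defaults, the role mapping and the sample data are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Tenant:
    name: str
    active: bool = True
    trial_expires: Optional[datetime] = None          # None: not a trial
    terms_expire: Optional[datetime] = None
    access_groups: frozenset = frozenset()            # AzureAD gate; empty = not configured (assumption)
    role_mapping: dict = field(default_factory=dict)  # security group id -> role
    defaults: dict = field(default_factory=dict)      # language, startpage, theme, timezone, expire
    sync_user_details: bool = False                   # the tenant variable that enables syncing


@dataclass
class User:
    email: str
    name: str
    active: bool = True
    expires: Optional[datetime] = None
    roles: set = field(default_factory=set)
    settings: dict = field(default_factory=dict)
    metadata: dict = field(default_factory=dict)


class LoginRejected(Exception):
    pass


def validate_tenant(tenant: Tenant, now: datetime) -> None:
    """Tenant checks shared by both providers."""
    if not tenant.active:
        raise LoginRejected("tenant inactive")
    for label, deadline in (("trial", tenant.trial_expires), ("terms of service", tenant.terms_expire)):
        if deadline is not None and now >= deadline:
            raise LoginRejected(label + " expired")


def identity_from_claims(claims: dict, provider: str) -> str:
    """AzureAD tokens may carry only 'upn'; Auth0 tokens must carry 'email'.
    The caller must already have verified signature, issuer, audience and
    expiry: decoding alone says nothing about who issued the token."""
    ident = claims.get("email") or (claims.get("upn") if provider == "AzureAD" else None)
    if not ident:
        raise LoginRejected("token carries no email/upn claim")
    return ident.lower()


def complete_login(provider, claims, tenant, users, security_groups=(), now=None) -> User:
    """Return the User allowed to log in, or raise LoginRejected."""
    now = now or datetime.now(timezone.utc)
    validate_tenant(tenant, now)
    ident = identity_from_claims(claims, provider)
    groups = frozenset(security_groups)

    # AzureAD only: membership in at least one tenant access group is required,
    # and it is checked before any user record is created.
    if provider == "AzureAD" and tenant.access_groups and not (groups & tenant.access_groups):
        raise LoginRejected("user is in none of the tenant access groups")

    user = users.get(ident)
    if user is None:
        # First login: provision from the token and the tenant defaults.
        user = User(email=ident, name=claims.get("name", ident),
                    expires=tenant.defaults.get("expire"),
                    settings={k: tenant.defaults.get(k) for k in ("language", "startpage", "theme", "timezone")})
        users[ident] = user
    elif tenant.sync_user_details:
        user.name = claims.get("name", user.name)

    # The page lists these under Auth0; the example applies them to both providers.
    if not user.active:
        raise LoginRejected("user inactive")
    if user.expires is not None and now >= user.expires:
        raise LoginRejected("user expired")

    if provider == "AzureAD":
        if claims.get("upn"):
            user.metadata["upn"] = claims["upn"]
        # A role is granted for every mapped security group the user belongs to.
        user.roles |= {role for grp, role in tenant.role_mapping.items() if grp in groups}
    return user


def login_outcome(provider, claims, tenant, users, security_groups=(), now=None) -> str:
    """String form of the result, handy for logging and for tests."""
    try:
        user = complete_login(provider, claims, tenant, users, security_groups, now)
        return "ok:%s:%s" % (user.email, ",".join(sorted(user.roles)))
    except LoginRejected as exc:
        return "rejected:" + str(exc)


# Constructed sample data (hypothetical tenant, group ids and dates).
NOW = datetime(2020, 11, 2, tzinfo=timezone.utc)
SAMPLE_TENANT = Tenant(
    name="acme", trial_expires=datetime(2021, 1, 1, tzinfo=timezone.utc),
    access_groups=frozenset({"grp-zephyr-users", "grp-zephyr-admins"}),
    role_mapping={"grp-zephyr-admins": "admin"},
    defaults={"language": "en", "startpage": "/home", "theme": "light", "timezone": "UTC",
              "expire": datetime(2021, 11, 2, tzinfo=timezone.utc)},
)
```

The ordering is deliberate: the tenant checks and the access-group gate run before any user record is created, so a token from a valid AzureAD account that is not in an access group leaves no trace in the user store, and the identity used as the store key is lower-cased so that `Alice@acme.example` and `alice@acme.example` cannot become two users.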

Logging out

  • the tenant login provider is selected based on the user's email
  • a request is sent to the login provider to end the current user session; this will prompt the user to re-enter their credentials the next time they log in