From 8d3f5f1792fb353e90261a4f4194611e54bcb8e8 Mon Sep 17 00:00:00 2001 From: Riny Heijdendael Date: Tue, 23 Aug 2022 18:16:54 +0200 Subject: [PATCH] updated --- README.md | 35 +++++++++++++++++++++++++---------- 1 file changed, 25 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index d7e9b5c..8cb7673 100644 --- a/README.md +++ b/README.md 
@@ -8,32 +8,46 @@ locally defined users with an OAuth provider. Currently authentication with 2FA (TOTP and SMS) is already available. For some environments users want to have a single sign on experience. -Although strictly spoken this is not SSO, we can delegate the authentication of a user to an OAuth server. -The current version and documentation has been developed with Azure Active Directory in mind. +This extension delegates the authentication of a user to an OAuth server. +The current version and documentation has been developed and tested with Azure Active Directory in mind. ## Prerequisites: - an installed EspoCRM installation. - administration rights to install extensions - an OAuth authentication server, like Azure AD or similar. +- your usernames should be equal to the main (full) email address of the identity used. -# Install +# Install ( menu Administration > Extensions ) -- download the latest release of the extension +- lownload the latest release of the extension - login in EspoCRM with administrator credentials - install the extension in the administrative interface. -# OAuth Configuration +# OAuth Configuration ( menu Administration > Integrations > Azure ) - You will need to create an application in Azure AD. You will need to set the callback url to https://mysite.com/oauth-callback.php -- From this definition you will get the application ID, tenant ID, and client Secret. +- from this definition you will get the application ID, tenant ID, and client Secret. - Enter the details in the configuration -# Set up +# Set up ( menu Administration > Authentication ) -The extension can be set up to allow OAuth authenication for a single user, ?mixed?, or enforced for all users. ->> insert screenshot here +After the OAuth configuration, set up the authentication method to +Oauth. This will enable the OAuth setting panel. +You should select the Azure OAuth. Optionally you may force users to authenticate using OAuth. 
+When set up like this, you may both authenticate by OAuth and internal (ESPO) authentication. + +This allows you to test before you enforce it. + +Note: when testing, you cannot use dual authentication when 2FA is enabled for that user. + +For troubleshooting, set your loglevel in ESPO to "DEBUG" + +# Logging out + +** TODO ** Logging out will trigger a full logout: +https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-out-saml-protocol # Furthermore @@ -44,10 +58,11 @@ The extension can be set up to allow OAuth authenication for a single user, ?mix ## Warnings and limitations - This code under review for security issues. -- This code is PoC level, not for production +- This code is PoC level, not yet ready for production - There is no authorisation mechanism for system or api users - Users will not be synchronised. Users should be available and defined within EspoCRM ## Future ideas - Forward AAD groups to match groups/teams in Espo +- store last token in Administration > Auth Log
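Review bot: the new `- lownload the latest release of the extension` line in the Install section introduces a typo (should be `download`), and the Set up section spells the method `Oauth` in one place and `OAuth` everywhere else; both should be fixed before merge. The new `# Logging out` section is also still marked `** TODO **` and links to the SAML single sign-out protocol page, although the extension delegates to an OAuth server, so either finish the section with the actual logout behaviour or leave it out until it is implemented. Two points worth adding to the documentation since they are security-relevant: the new prerequisite that usernames equal the identity's main (full) email address means accounts are matched by that email, so the README should state which claim from the provider is used and that the mapping relies on it; and the troubleshooting advice to set the loglevel to "DEBUG" should tell the reader to restore the previous level afterwards, since debug logging of an authentication flow is not something to leave on.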
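Review bot: the new future idea `+- store last token in Administration > Auth Log` would persist a bearer credential in an application log; if this is pursued, record only a token identifier, hash or expiry rather than the token itself, and say so in the README. In the same hunk, the unchanged context line `- This code under review for security issues.` is missing "is" and reads oddly next to the updated `not yet ready for production` warning; consider `This code is under review for security issues.` while this section is being edited.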