This repository has been archived by the owner on Apr 1, 2024. It is now read-only.

updated #4

Merged
merged 1 commit into from
Aug 23, 2022
35 changes: 25 additions & 10 deletions README.md
Expand Up @@ -8,32 +8,46 @@ locally defined users with an OAuth provider.

Currently authentication with 2FA (TOTP and SMS) is already available.
For some environments users want to have a single sign on experience.
Although strictly spoken this is not SSO, we can delegate the authentication of a user to an OAuth server.
The current version and documentation has been developed with Azure Active Directory in mind.
This extension delegates the authentication of a user to an OAuth server.
The current version and documentation has been developed and tested with Azure Active Directory in mind.

## Prerequisites:

- an installed EspoCRM installation.
- administration rights to install extensions
- an OAuth authentication server, like Azure AD or similar.
- your usernames should be equal to the main (full) email address of the identity used.

# Install
# Install ( menu Administration > Extensions )

- download the latest release of the extension
- lownload the latest release of the extension
- login in EspoCRM with administrator credentials
- install the extension in the administrative interface.

# OAuth Configuration
# OAuth Configuration ( menu Administration > Integrations > Azure )

- You will need to create an application in Azure AD. You will need to set the callback url to https://mysite.com/oauth-callback.php
- From this definition you will get the application ID, tenant ID, and client Secret.
- from this definition you will get the application ID, tenant ID, and client Secret.
- Enter the details in the configuration

# Set up
# Set up ( menu Administration > Authentication )

The extension can be set up to allow OAuth authenication for a single user, ?mixed?, or enforced for all users.
>> insert screenshot here
After the OAuth configuration, set up the authentication method to
Oauth. This will enable the OAuth setting panel.
You should select the Azure OAuth. Optionally you may force users to authenticate using OAuth.

When set up like this, you may both authenticate by OAuth and internal (ESPO) authentication.

This allows you to test before you enforce it.

Note: when testing, you cannot use dual authentication when 2FA is enabled for that user.

For troubleshooting, set your loglevel in ESPO to "DEBUG"

# Logging out

** TODO ** Logging out will trigger a full logout:
https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-out-saml-protocol

# Furthermore

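Review bot: the replacement install step introduces a typo, "lownload the latest release of the extension" should read "download the latest release of the extension"; since the old line was correct, this is a regression rather than a fix. The same hunk also merges two unfinished markers into the README: ">> insert screenshot here" under "# Set up" and "** TODO ** Logging out will trigger a full logout" under "# Logging out"; either supply the screenshot and the logout behaviour or drop those lines until they are real, because a merged README that says logout "will" trigger a full Azure AD sign-out while marked TODO tells an administrator something the extension may not do yet. Finally, the sentence "Optionally you may force users to authenticate using OAuth" followed by "you may both authenticate by OAuth and internal (ESPO) authentication" describes the default as a mixed mode; it is worth stating plainly that, until the option is enforced, the local EspoCRM password login remains a second way in, so any conditional access or MFA policy applied on the Azure AD side does not cover that path, and the "This allows you to test before you enforce it" line should make clear that enforcing is the intended end state.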
Expand All @@ -44,10 +58,11 @@ The extension can be set up to allow OAuth authenication for a single user, ?mix
## Warnings and limitations

- This code under review for security issues.
- This code is PoC level, not for production
- This code is PoC level, not yet ready for production
- There is no authorisation mechanism for system or api users
- Users will not be synchronised. Users should be available and defined within EspoCRM

## Future ideas

- Forward AAD groups to match groups/teams in Espo
- store last token in Administration > Auth Log
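Review bot: the new "Future ideas" item "store last token in Administration > Auth Log" should be reconsidered or qualified before it is taken up: an OAuth access or ID token is a bearer credential, and writing it into an auth log that administrators can browse (and that ends up in backups) turns that log into a credential store; if the goal is troubleshooting, record the token's claims of interest (subject, expiry, issuer) or a hash of the token rather than the token itself. Separately, the unchanged context line "This code under review for security issues." is missing a verb ("This code is under review for security issues."), which could be fixed in the same pass since the adjacent warning line is already being edited.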