Microsoft Org endpoint (enhancement) and/or custom oauth endpoints. #204

Closed
itfranck opened this issue Jun 3, 2018 · 5 comments

@itfranck
Contributor

commented Jun 3, 2018

Using the Microsoft provider, I can connect on the consumer endpoint but not on the Org endpoint (through AAD).

The following message is received:

AADSTS90130: Application '5031111b-2118-4116-b11a-9111111111f1' (poshud-test) is not supported over the /common or /consumers endpoints. Please use the /organizations or tenant-specific endpoint.

It would be nice to have the Microsoft Org endpoint added at some point and/or have the ability to add a custom OAuth endpoint.

@adamdriscoll adamdriscoll added this to the 2.0.0 milestone Jul 20, 2018

@itfranck

Contributor Author

commented Aug 23, 2018

Is it still planned for the 2.0.0 milestone?
I saw you implemented the authorization policy (#208), which is incredible.

In my perfect use case, as DevOps in my organization, I would like to use our Azure Active Directory to provide access.

This brings two interesting elements:

  • The ability to limit the application to AAD members (the new authorization policy is not needed at this point)
  • The ability to use the authorization policy (#208) combined with the groups claims* to create authorization policies based on AAD group membership instead of users.

In the end, by using the tenant AAD endpoint, one could allow people to connect to the dashboard using their Office 365 email and set authorizations based on group membership, which is managed in AAD, without having to modify the UD script. This ties in perfectly with an Azure deployment of UD.

--
* The manifest of an app in Azure must have its "groupMembershipClaims" changed to "SecurityGroup" for the groups claims to be returned, as they are not returned by default; that part is unrelated to UD changes.
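The group-membership authorization the comment above describes, as an added example that is not part of the issue or of the Universal Dashboard project: it assumes the authenticated user arrives as a .NET ClaimsPrincipal (as ASP.NET Core supplies it) and uses a placeholder group object ID; the identity it checks is constructed in place of one Azure AD would return.

```powershell
# Added example, not project code. Assumes the policy receives a
# System.Security.Claims.ClaimsPrincipal; the group ID is a placeholder.
using namespace System.Security.Claims

$RequiredGroupId = '00000000-0000-0000-0000-000000000000'  # placeholder: AAD group object ID

function Test-GroupPolicy {
    param([ClaimsPrincipal]$User, [string]$GroupId)
    # Azure AD emits one "groups" claim per group, carrying the group object ID
    # (not the display name), and only when the app manifest has
    # "groupMembershipClaims": "SecurityGroup". Matching on the object ID is
    # stable across group renames.
    if (-not $User.Identity.IsAuthenticated) { return $false }
    # If the user is in more groups than fit in the token, Azure AD omits the
    # groups claim and signals overage instead; this check then denies, which
    # is the safe default rather than silently granting access.
    return $User.HasClaim('groups', $GroupId)
}

# Constructed sample identity standing in for the one AAD would return.
$identity = [ClaimsIdentity]::new('AzureAD')
$identity.AddClaim([Claim]::new('preferred_username', 'alice@contoso.example'))
$identity.AddClaim([Claim]::new('groups', $RequiredGroupId))
$user = [ClaimsPrincipal]::new($identity)

# A user without the group (or with no groups claim at all) is denied.
$outsider = [ClaimsPrincipal]::new([ClaimsIdentity]::new('AzureAD'))

Test-GroupPolicy -User $user -GroupId $RequiredGroupId      # True
Test-GroupPolicy -User $outsider -GroupId $RequiredGroupId  # False
```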

@adamdriscoll

Member

commented Aug 23, 2018

@itfranck Yep. This is totally planned for 2.0. I will make sure that your scenario with groups works well.

@adamdriscoll

Member

commented Aug 28, 2018

Just finished implementing and testing this. You'll be able to put in your domain, application ID and tenant ID to enable AAD authentication.


In my AAD environment, I have a group that my user is a part of.


That claim is added to the identity and will be available via authorization policies that have been added to UD 2.0.


@itfranck

Contributor Author

commented Aug 28, 2018

I am really looking forward to testing that out and living the experience 😄
Any way you can make the UD login page itself optional?

Multi-login sites will of course benefit from the current login page, but when one method is selected and that method depends on an external login, it would be a nice touch to have the possibility to land directly on the login page (e.g. https://portal.azure.com). Just a thought.

@adamdriscoll

Member

commented Aug 28, 2018

@itfranck Great idea! Feel free to open another issue with the details for that. It's not possible with the current design but could certainly be done.
