|
2 | 2 | Microsoft Azure sign-in authentication |
3 | 3 | ====================================== |
4 | 4 |
|
5 | | -Due to specific requirements in Azure's OAuth implementation, Microsoft Azure OAuth identification |
6 | | -is NOT compatible with Odoo at the moment. |
| 5 | +The Microsoft Azure OAuth sign-in authentication is a useful function that allows Odoo users to sign |
| 6 | +into their database with their Microsoft Azure account. |
| 7 | + |
| 8 | +This is particularly helpful if the organization uses Azure Workspace, and wants employees within |
| 9 | +the organization to connect to Odoo using their Microsoft Accounts. |
| 10 | + |
| 11 | +.. warning:: |
| 12 | + Databases hosted on Odoo.com should not use OAuth login for the owner or administrator of the |
| 13 | + database as it would unlink the database from their Odoo.com account. If OAuth is set up for that |
| 14 | + user, the database will no longer be able to be duplicated, renamed, or otherwise managed from |
| 15 | + the Odoo.com portal. |
| 16 | + |
7 | 17 |
|
8 | 18 | .. seealso:: |
9 | 19 | - :doc:`../../productivity/calendar/outlook` |
10 | 20 | - :doc:`/administration/maintain/azure_oauth` |
| 21 | + |
| 22 | +Configuration |
| 23 | +============= |
| 24 | + |
| 25 | +Integrating the Microsoft sign-in function requires configuration on Microsoft and Odoo. |
| 26 | + |
| 27 | +Odoo System Parameter |
| 28 | +--------------------- |
| 29 | + |
| 30 | +First activate the :ref:`developer mode <developer-mode>`, and then go to :menuselection:`Settings |
| 31 | +--> Technical --> System Parameters`. |
| 32 | + |
| 33 | +Click :guilabel:`Create` and on the new/blank form that appears, add the following system parameter |
| 34 | +`auth_oauth.authorization_header` to the :guilabel:`Key` field, and set the :guilabel:`Value` to |
| 35 | +`1`. Then click :guilabel:`Save` to finish. |
| 36 | + |
| 37 | +Microsoft Azure dashboard |
| 38 | +------------------------- |
| 39 | + |
| 40 | +Create a new application |
| 41 | +~~~~~~~~~~~~~~~~~~~~~~~~ |
| 42 | + |
| 43 | +To get started, go to `Microsoft's Azure Portal <https://portal.azure.com/>`_. Log in with the |
| 44 | +:guilabel:`Microsoft Outlook Office 365` account if there is one, otherwise, log in with the |
| 45 | +personal :guilabel:`Microsoft account`. A user with administrative access to the Azure Settings must |
| 46 | +connect and perform the following configuration. Next, navigate to the section labeled |
| 47 | +:guilabel:`Manage Azure Active Directory`. |
| 48 | + |
| 49 | +Now, click on :guilabel:`Add (+)`, located in the top menu, and then select :guilabel:`App |
| 50 | +registration`. On the :guilabel:`Register an application` screen, rename the :guilabel:`Name` to |
| 51 | +`Odoo` or something recognizable. Under the :guilabel:`Supported account types` select |
| 52 | +:guilabel:`Accounts in this organizational directory only (Default Directory only - Single tenant)`. |
| 53 | + |
| 54 | +Under the :guilabel:`Redirect URL` section, select :guilabel:`Web` as the platform, and then input |
| 55 | +`https://<odoo base url>/auth_oauth/signin` in the :guilabel:`URL` field. The Odoo base :abbr:`URL |
| 56 | +(Uniform Resource Locator)` is the canonical domain at which your Odoo instance can be reached (e.g. |
| 57 | +mydatabase.odoo.com if you are hosted on Odoo.com) in the :guilabel:`URL` field. Then, click |
| 58 | +:guilabel:`Register`, and the application is created. |
| 59 | + |
| 60 | +Authentication |
| 61 | +~~~~~~~~~~~~~~ |
| 62 | + |
| 63 | +Edit the new app's authentication by clicking on :guilabel:`Authentication` after being redirected |
| 64 | +to the application's settings from the previous step. |
| 65 | + |
| 66 | +Select the *tokens* that should be issued by the authorization endpoint by scrolling down the screen |
| 67 | +and check the boxes labeled: :guilabel:`Access tokens (used for implicit flows)` and :guilabel:`ID |
| 68 | +tokens (used for implicit and hybrid flows)`. |
| 69 | + |
| 70 | +.. image:: azure/authentication-tokens.png |
| 71 | + :align: center |
| 72 | + :alt: Authentication settings and endpoint tokens. |
| 73 | + |
| 74 | +Click :guilabel:`Save` to ensure these settings are saved. |
| 75 | + |
| 76 | +Gathering credentials |
| 77 | +~~~~~~~~~~~~~~~~~~~~~ |
| 78 | + |
| 79 | +Next, click on the :guilabel:`Overview` menu item in the left-hand column. Select and copy the |
| 80 | +:guilabel:`Application (client) ID`. Paste this credential to a clipboard/notepad, as this |
| 81 | +credential will be used in the Odoo configuration later. |
| 82 | + |
| 83 | +After finishing this step, click on :guilabel:`Endpoints` on the top menu and click the *copy icon* |
| 84 | +next to :guilabel:`OAuth 2.0 authorization endpoint (v2)`. |
| 85 | + |
| 86 | +The value should equal `https://login.microsoftonline.com/<directory_id>/oauth2/v2.0/authorize`. |
| 87 | +Replace the `<directory_id>` with the :guilabel:`Directory (tenant) ID` under the |
| 88 | +:guilabel:`Essentials` section of the Overview page. |
| 89 | + |
| 90 | +.. example:: |
| 91 | + Should the :guilabel:`Directory (tenant) ID` be equal to `6729e9df-afbb-4522-a876-f1408d416396` |
| 92 | + then the new value of the :guilabel:`OAuth 2.0 authorization endpoint (v2)` :abbr:`URL (Uniform |
| 93 | + Resource Locator)` should be: |
| 94 | + `https://login.microsoftonline.com/6729e9df-afbb-4522-a876-f1408d416396/oauth2/v2.0/authorize`. |
| 95 | + |
| 96 | +.. image:: azure/overview-azure-app.png |
| 97 | + :align: center |
| 98 | + :alt: Application ID and OAuth 2.0 authorization endpoint (v2) credentials. |
| 99 | + |
| 100 | +Odoo setup |
| 101 | +---------- |
| 102 | + |
| 103 | +Navigate to :menuselection:`Settings --> Integrations --> OAuth Authentication` and check the box to |
| 104 | +activate the OAuth login feature. Click :guilabel:`Save` to ensure the progress is saved. Sign in to |
| 105 | +the database once the login screen loads. |
| 106 | + |
| 107 | +Navigate to :menuselection:`Settings --> Integrations --> OAuth Authentication` and click on |
| 108 | +:guilabel:`OAuth Providers`. Next, select :guilabel:`New` and name the provider `Azure`. |
| 109 | + |
| 110 | +Paste the :guilabel:`Application (client) ID` from the previous section into the :guilabel:`Client |
| 111 | +ID` field. After completing this, paste the new :guilabel:`OAuth 2.0 authorization endpoint (v2)` |
| 112 | +value into the :guilabel:`authorization URL` field. |
| 113 | + |
| 114 | +For the :guilabel:`UserInfo URL` field, paste the following :abbr:`URL (Uniform Resource Locator)`: |
| 115 | +`https://graph.microsoft.com/oidc/userinfo` |
| 116 | + |
| 117 | +In the :guilabel:`Scope` field, paste the following value: `openid profile email`. Next, the Windows |
| 118 | +logo can be used as the CSS class by entering the following value: `fa fa-fw fa-windows`, in the |
| 119 | +:guilabel:`CSS class` field. |
| 120 | + |
| 121 | +Check the box next to the :guilabel:`Allowed` field to enable the OAuth provider. Finally, add |
| 122 | +`Microsoft Azure Login` to the :guilabel:`Login button label` field. |
| 123 | + |
| 124 | +.. image:: azure/odoo-provider-settings.png |
| 125 | + :align: center |
| 126 | + :alt: Odoo provider setup in the Settings application. |
| 127 | + |
| 128 | +:guilabel:`Save` the changes should this step be required by the version of Odoo. |
| 129 | + |
| 130 | +User experience flows |
| 131 | +--------------------- |
| 132 | + |
| 133 | +To sign in to Odoo for the first time using the Microsoft Azure OAuth provider, navigate to the Odoo |
| 134 | +database login page (using the invitation link) and click on the option labeled :guilabel:`Microsoft |
| 135 | +Azure Login`. The page will redirect to the Microsoft login page. |
| 136 | + |
| 137 | +.. note:: |
| 138 | + Existing users must :ref:`reset their password <users/reset-password>` to access the |
| 139 | + :menuselection:`Reset Password` page, while new users can directly click on :guilabel:`Log in |
| 140 | + with Microsoft`, instead of choosing a new password. |
| 141 | + |
| 142 | +.. image:: azure/odoo-login.png |
| 143 | + :align: center |
| 144 | + :alt: Microsoft Outlook login page. |
| 145 | + |
| 146 | +Enter the :guilabel:`Microsoft Email Address` and click :guilabel:`Next`. Follow the process to sign |
| 147 | +in to the account. Should :abbr:`2FA (Two Factor Authentication)` be turned on an extra step may be |
| 148 | +required. |
| 149 | + |
| 150 | +.. image:: azure/login-next.png |
| 151 | + :align: center |
| 152 | + :alt: Enter Microsoft login credentials. |
| 153 | + |
| 154 | +Finally, after logging into the account, the page will redirect to a permissions page where the user |
| 155 | +will be prompted to :guilabel:`Accept` the conditions that the Odoo application will access their |
| 156 | +Microsoft information. |
| 157 | + |
| 158 | +.. image:: azure/accept-access.png |
| 159 | + :align: center |
| 160 | + :alt: Accept Microsoft conditions for permission access to your account information. |
0 commit comments