
Support authenticating an Azure AD user non specific to the tenant

The Azure AD implementation of the OIDC authentication flow can be configured to support one of the following scenarios [0]:

* Only users from a specific Azure AD tenant (currently the only scenario supported by Tuleap) can sign in
* Only users with a personal Microsoft account can sign in
* Only users with a work/school account from Azure AD can sign in
* Any user with a work/school account from Azure AD or a personal Microsoft account can sign in

This contribution puts all the necessary mechanisms in place to support the described scenarios. Nothing is displayed in the UI yet, but it is already possible to play with the information stored in the DB to select the scenario you want to test.

You will note that the expected GUID in the issuer URL is hardcoded by Microsoft. There is a doubt about what the GUID in the issuer URL is when a user with a work/school account from another tenant signs in. This is not really clear in the documentation provided by Microsoft and I do not have the necessary accounts to reproduce this scenario. In the worst case, users from other tenants cannot connect, which means the 'organizations' mode is identical to the 'tenant_specific' mode.

Part of request #14368: Support sign-in with any personal Microsoft account or Azure AD account

[0] https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols#endpoints

Change-Id: I3f70bf0c62d6ac5e63ed4a7d15b15853e18a5f49
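The four acceptable-tenant modes described above come down to one decision: given the `iss` claim of an Azure AD v2.0 id_token, which issuing tenant GUIDs does the instance accept? The following is an added example written for this page; it is not Tuleap's `AzureProviderIssuerClaimValidator` nor any other code from the change. It assumes the issuer format `https://login.microsoftonline.com/{tenant GUID}/v2.0`, the consumer-account tenant GUID `9188040d-6c67-4c5b-b112-36a304b66dad` that Microsoft documents for personal accounts, and (for the `organizations` mode, which the commit message flags as unverified) that a work/school user from another tenant arrives with that user's home tenant GUID in `iss` and `tid`. The class name, mode strings and the sample claims are constructed for the example.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not Tuleap code): checks the `iss` claim of an Azure AD v2.0
 * id_token against the configured "acceptable tenant" mode. The token signature
 * and the `aud`, `exp` and `nonce` claims are assumed to have been verified before
 * this check runs; issuer matching alone does not authenticate a token.
 */
final class AcceptableTenantIssuerCheck
{
    // Tenant GUID Microsoft documents as the issuer for personal Microsoft accounts.
    private const CONSUMERS_TENANT_ID = '9188040d-6c67-4c5b-b112-36a304b66dad';
    // Assumed issuer layout: https://login.microsoftonline.com/<tenant GUID>/v2.0
    private const ISSUER_PATTERN = '#^https://login\.microsoftonline\.com/'
        . '([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})/v2\.0$#i';

    public const MODE_TENANT_SPECIFIC = 'tenant_specific';
    public const MODE_CONSUMERS       = 'consumers';
    public const MODE_ORGANIZATIONS   = 'organizations';
    public const MODE_COMMON          = 'common';

    private string $mode;
    private string $tenant_id;

    public function __construct(string $mode, string $tenant_id)
    {
        $known = [self::MODE_TENANT_SPECIFIC, self::MODE_CONSUMERS, self::MODE_ORGANIZATIONS, self::MODE_COMMON];
        if (! in_array($mode, $known, true)) {
            throw new InvalidArgumentException('Unknown acceptable tenant mode: ' . $mode);
        }
        $this->mode      = $mode;
        $this->tenant_id = strtolower($tenant_id);
    }

    /**
     * @param string $issuer value of the `iss` claim
     * @param string $tid    value of the `tid` claim; it must name the same tenant as `iss`
     */
    public function isIssuerAcceptable(string $issuer, string $tid): bool
    {
        if (preg_match(self::ISSUER_PATTERN, $issuer, $matches) !== 1) {
            return false; // not an Azure AD v2.0 issuer at all
        }
        $issuing_tenant = strtolower($matches[1]);
        if ($issuing_tenant !== strtolower($tid)) {
            return false; // iss and tid disagree: reject instead of guessing
        }
        $is_consumer = ($issuing_tenant === self::CONSUMERS_TENANT_ID);
        switch ($this->mode) {
            case self::MODE_TENANT_SPECIFIC:
                return $issuing_tenant === $this->tenant_id;
            case self::MODE_CONSUMERS:
                return $is_consumer;
            case self::MODE_ORGANIZATIONS:
                return ! $is_consumer;
            case self::MODE_COMMON:
                return true;
        }
        return false;
    }
}

// Constructed sample claims (GUIDs below are made up for the example).
$our_tenant   = '11111111-2222-3333-4444-555555555555';
$other_tenant = '99999999-8888-7777-6666-555555555555';
$consumers    = '9188040d-6c67-4c5b-b112-36a304b66dad';
$issuer       = static fn (string $t): string => "https://login.microsoftonline.com/$t/v2.0";

$samples = [
    'own tenant'    => [$issuer($our_tenant), $our_tenant],
    'other tenant'  => [$issuer($other_tenant), $other_tenant],
    'personal'      => [$issuer($consumers), $consumers],
    'tid mismatch'  => [$issuer($our_tenant), $other_tenant],
    'foreign idp'   => ['https://idp.example.test/v2.0', $our_tenant],
];

foreach ([AcceptableTenantIssuerCheck::MODE_TENANT_SPECIFIC, AcceptableTenantIssuerCheck::MODE_CONSUMERS,
          AcceptableTenantIssuerCheck::MODE_ORGANIZATIONS, AcceptableTenantIssuerCheck::MODE_COMMON] as $mode) {
    $check = new AcceptableTenantIssuerCheck($mode, $our_tenant);
    foreach ($samples as $label => [$iss, $tid]) {
        printf("%-16s %-13s %s\n", $mode, $label, $check->isIssuerAcceptable($iss, $tid) ? 'accept' : 'reject');
    }
}
```

In the `tenant_specific` mode only the "own tenant" sample is accepted; `consumers` accepts only "personal"; `organizations` accepts "own tenant" and "other tenant"; `common` accepts all three well-formed samples, while the "tid mismatch" and "foreign idp" samples are rejected in every mode. Note that in the `organizations` and `common` modes the set of accepted issuers is open-ended, so the check only establishes which directory authenticated the user; mapping the user to a local account must still key on a stable pair such as `tid` plus `oid` (or `sub`) rather than on an e-mail address the user controls in their own tenant.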

Modified Files

M plugins/openidconnectclient/db/install.sql (+2 −1)
A plugins/openidconnectclient/db/mysql/2020/202001071800_add_acceptable_tenant_column.php (+58 −0)
M plugins/openidconnectclient/include/OpenIDConnectClient/Administration/Controller.php (+5 −1)
M plugins/openidconnectclient/include/OpenIDConnectClient/Authentication/AzureProviderIssuerClaimValidator.php (+12 −1)
A plugins/openidconnectclient/include/OpenIDConnectClient/Provider/AzureADProvider/AcceptableTenantForAuthenticationConfiguration.php (+115 −0)
M plugins/openidconnectclient/include/OpenIDConnectClient/Provider/AzureADProvider/AzureADProvider.php (+25 −11)
M plugins/openidconnectclient/include/OpenIDConnectClient/Provider/AzureADProvider/AzureADProviderDao.php (+8 −6)
M plugins/openidconnectclient/include/OpenIDConnectClient/Provider/AzureADProvider/AzureADProviderManager.php (+11 −3)
A plugins/openidconnectclient/include/OpenIDConnectClient/Provider/AzureADProvider/UnknownAcceptableTenantForAuthenticationIdentifierException.php (+31 −0)
M plugins/openidconnectclient/phpunit/Authentication/AzureProviderIssuerClaimValidatorTest.php (+12 −8)
A plugins/openidconnectclient/phpunit/Provider/AzureADProvider/AcceptableTenantForAuthenticationConfigurationTest.php (+102 −0)
A plugins/openidconnectclient/phpunit/Provider/AzureADProvider/AzureADProviderTest.php (+71 −0)
M plugins/openidconnectclient/phpunit/Provider/AzureADProviderManagerTest.php (+5 −2)
M plugins/openidconnectclient/phpunit/Provider/ProviderManagerTest.php (+3 −3)