      request #12832 Support Azure AD as an OpenID Connect provider
    Infos
    #12832
    Thomas Gerbet (tgerbet)
    2019-12-18 12:07
    2019-01-25 14:10
    13676
    Details
    Support Azure AD as an OpenID Connect provider
    The current implementation of the ID token validation [0] expects that the login/provider URL is the same as the issuer URL. That is not the case for some providers.

    The only example I am aware of is Azure Active Directory [1] where the login URL is something like https://login.microsoftonline.com/common/ or https://login.microsoftonline.com/{tenant_id} and the issuer URL is something like https://sts.windows.net/{tenant_id}/.



    [0] https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
    [1] https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc
    Authentication & LDAP
    All
    Empty
    • [x] enhancement
    • [ ] internal improvement
    stefano.amadori@st.com
    Stage
    Lorentz Romain (lorentzr)
    Closed
    2019-12-10
    Attachments
    Empty
    References

    Follow-ups

    Thomas Gerbet (tgerbet), 2019-12-18 12:07
    Hello,

    It would be great if support requests did not go into closed issues. That's not really the place for it, especially if you expect a reply; it would be great if you used your proper support channels ;) .

    The redirect URI that must be used is https://tuleapaks.azure.st.com/plugins/openidconnectclient/azure/ but you need to set it accordingly when you register the app in Azure AD (and it must be of type web).
    Thomas Gerbet (tgerbet), 2019-12-11 11:29
    FYI there is one limitation at the moment: it is only possible to use a specific consumer tenant (e.g. 9188040d-6c67-4c5b-b112-36a304b66dad) so it means only users from a specific Azure AD tenant can log in with it.
    Using tenants like common, organization or consumers is not supported at the moment.
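    The two points above (the request description: Azure AD's issuer lives on sts.windows.net while the login URL is on login.microsoftonline.com, and the follow-up limitation: only a concrete tenant ID is supported, not common/organizations/consumers) as an added, stand-alone Python example. This is not Tuleap's code and not Microsoft's; the tenant ID, client ID, subject and the unsigned token fixture are constructed for the example. Signature verification against the provider's keys is assumed to have happened before the issuer check and is not shown. It contrasts the over-strict check the request describes (`iss` must equal the login URL) with a provider-aware check that derives the expected issuer from the configured tenant ID and refuses the multi-tenant aliases, whose tokens carry the user's home tenant in `iss` and so have no single expected issuer.

```python
import base64
import json
import re

# Azure AD multi-tenant aliases. A token obtained through
# login.microsoftonline.com/common/ carries the user's *home* tenant in `iss`,
# so no single expected issuer can be configured for them.
META_TENANTS = {"common", "organizations", "consumers"}
TENANT_ID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)


def azure_login_url(tenant: str) -> str:
    """Login (provider) URL the user is redirected to for this tenant."""
    return f"https://login.microsoftonline.com/{tenant}/"


def azure_expected_issuer(tenant: str) -> str:
    """Issuer Azure AD puts into the ID token for `tenant`.

    It is on a different host than the login URL, so a validator that compares
    `iss` against the login URL rejects every Azure AD token.
    """
    if tenant in META_TENANTS:
        raise ValueError(
            f"tenant '{tenant}' is a multi-tenant alias; tokens minted through it "
            "have no fixed issuer, configure a concrete tenant ID instead"
        )
    if not TENANT_ID_RE.match(tenant):
        raise ValueError(f"'{tenant}' is not a tenant ID (GUID)")
    return f"https://sts.windows.net/{tenant}/"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> dict:
    """Return the payload of a compact-serialised ID token.

    Signature verification is a separate validation step and is assumed to have
    been done already; this only parses the claims for the issuer check.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token is not a three-segment compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def issuer_matches_login_url(claims: dict, login_url: str) -> bool:
    """The over-strict check described in the request: iss must equal the login URL."""
    return claims.get("iss") == login_url


def validate_issuer(claims: dict, expected_issuer: str) -> bool:
    """Exact string comparison of `iss`, as OpenID Connect Core 3.1.3.7 requires."""
    iss = claims.get("iss")
    if not isinstance(iss, str):
        raise ValueError("ID token has no iss claim")
    if iss != expected_issuer:
        raise ValueError(f"unexpected issuer {iss!r}, expected {expected_issuer!r}")
    return True


# --- constructed fixture (made-up tenant, client and subject) -------------
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sample_id_token(tenant: str = SAMPLE_TENANT) -> str:
    """Unsigned fixture whose claims mimic an Azure AD ID token.

    The signature segment is a placeholder; a real token would be verified
    against the provider's published keys before reaching the issuer check.
    """
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({
        "iss": f"https://sts.windows.net/{tenant}/",
        "aud": "00000000-0000-0000-0000-000000000000",  # made-up client ID
        "sub": "example-subject",
    }).encode())
    return f"{header}.{payload}.placeholder-signature"


if __name__ == "__main__":
    claims = id_token_claims(sample_id_token())
    print("login-URL check :", issuer_matches_login_url(claims, azure_login_url(SAMPLE_TENANT)))
    print("issuer check    :", validate_issuer(claims, azure_expected_issuer(SAMPLE_TENANT)))
```

    Run stand-alone, the login-URL comparison returns False for the Azure-style token while the tenant-derived issuer check passes; asking for the expected issuer of `common` raises, which is the limitation described in the comment above.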
    Thomas Gerbet (tgerbet), 2019-12-10 17:49
    gerrit #17063 integrated into Tuleap 11.8.99.290. Update of Azure AD providers in the site administration is now possible.

    • Status changed from Under review to Closed
    • Connected artifacts
    • Close date set to 2019-12-10
    • Is an Enhancement or an internal improvement? set to enhancement
    Thomas Gerbet (tgerbet), 2019-12-10 15:38
    gerrit #17077 integrated into Tuleap 11.8.99.283, the possibility to add an Azure AD provider is now visible on all instances.


    @terzino: You can now do your tests. It is now possible to add, remove and log in with an Azure AD provider. Updating it (i.e. the possibility to update the name/icon/color/tenant ID/client ID/client secret) is not yet available, but that should not be that much of an issue.
    Thomas Gerbet (tgerbet), 2019-11-26 10:24
    Edited the title of the request to make more obvious what's really going on here. Anyway AFAIK the only provider doing this sort of trick is Azure AD.


    @terzino: I'm guessing you got the information through another communication channel, but this change is scoped for the Tuleap 11.9 release (rel #13877).

    • Summary
      -Support OpenID Connect providers where the login URL is different than the issuer URL 
      +Support Azure AD as an OpenID Connect provider 
    • Status changed from Under review to Under implementation
    Nouha Terzi (terzino), 2019-10-29 14:16
    Hello Thomas, team,


    As already discussed during the Tuleap open roadmap, we're working on deploying Tuleap on Azure and trying to connect through the OpenID plugin. Could we have this bug fixed?

    Thank you in advance for your support.
    regards,
    Nouha

    • CC list set to stefano.amadori@st.com