Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #12832 Support Azure AD as an OpenID Connect provider
    Actions
    Infos
    #12832
    Thomas Gerbet (tgerbet)
    2019-12-18 12:07
    2019-01-25 14:10
    13679
    Details
    Support Azure AD as an OpenID Connect provider
    The current implementation of the ID token validation [0] expects that the login/provider URL is the same than the issuer URL. It is not the case for some providers.

    The only example I am aware of is Azure Active Directory [1] where the login URL is something like https://login.microsoftonline.com/common/ or https://login.microsoftonline.com/{tenant_id} and the issuer URL is something like https://sts.windows.net/{tenant_id}/.



    [0] https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
    [1] https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc
    Authentication & LDAP
    All
    Empty
    • [x] enhancement
    • [ ] internal improvement
    stefano.amadori@st.com
    Stage
    Lorentz Romain (lorentzr)
    Closed
    2019-12-10
    Attachments
    Artifact links

    Releases

    Fixed in

    Artifact ID Project Tracker Summary Status Last Update Date Submitted By Assigned to
    rel #13877 Tuleap Releases 11.9 Delivered 2019-12-13 16:08 Manuel Vacelet (vaceletm)
    Empty
    References
    Referencing request #12832

    Artifact Tracker v5

    request #14368 Support sign-in with any personal Microsoft account or Azure AD account

    Git commit

    tuleap/tuleap/stable

    Little refactoring of provider table, object and manager to allow specifics managers on the future. 88faf3e05b
    User avatar Lorentz Romain (lorentzr) , 2019-11-28 09:34
    Update backend creation for Azure AD provider cbdecd29f1
    User avatar Lorentz Romain (lorentzr) , 2019-12-02 15:20
    Crash when an OpenID Connect provider has a NULL value as icon or color 151c5623cd
    User avatar Thomas Gerbet (tgerbet) , 2019-12-04 10:24
    Contextualize modal for adding a Azure AD based provider 5eb6ecaac8
    User avatar Thomas Gerbet (tgerbet) , 2019-12-06 14:11
    Should be able to select Azure AD provider from empty state 4acfa997a4
    User avatar Lorentz Romain (lorentzr) , 2019-12-10 09:51
    Update authentication check for Azure AD 27f1a3e462
    User avatar Lorentz Romain (lorentzr) , 2019-12-10 13:06
    This patch remove too the option azure ad enabled. Now, everybody can add azure ad provider 7a8635a7ff
    User avatar Lorentz Romain (lorentzr) , 2019-12-10 14:05
    Allow Azure AD update on UI 9e08c32f8b
    User avatar Lorentz Romain (lorentzr) , 2019-12-10 16:17
    Display settings

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2019-12-18 12:07
    Hello,

    It would be great if support requests does not go into closed issue. That's not really the place for it especially if you expect a reply, it would be great if you use your proper support channels ;) .

    The redirect URI that must be used is https://tuleapaks.azure.st.com/plugins/openidconnectclient/azure/ but you need to set it accordingly when you register the app in Azure AD (and it must be of type web).
    User avatar
    Thomas Gerbet (tgerbet)2019-12-11 11:29
    FYI there is one limitation at the moment: it is only possible to use a specific consumer tenant (e.g. 9188040d-6c67-4c5b-b112-36a304b66dad) so it means only users from a specific Azure AD tenant can log in with it.
    Using tenant like common, organization or consumers it not supported at the moment.
    User avatar
    Thomas Gerbet (tgerbet)2019-12-10 17:49
    gerrit #17063 integrated into Tuleap 11.8.99.290. Update of Azure AD providers in the site administration is now possible.
    • Status changed from Under review to Closed
    • Connected artifacts
    • Close date set to 2019-12-10
    • Is an Enhancement or an internal improvement? set to enhancement
    User avatar
    Thomas Gerbet (tgerbet)2019-12-10 15:38
    gerrit #17077 integrated into Tuleap 11.8.99.283, the possibility to add a Azure AD provider is now visible on all instances.


    @terzino: You can now do your tests. It is now possible to add, remove and login with an Azure AD provider. Updating (i.e possibility to update the name/icon/color/tenant ID/client ID/client secret) it is not yet available but that should not be that much of an issue.
    User avatar
    Thomas Gerbet (tgerbet)2019-11-26 10:24
    Edited the title of the request to make more obvious what's really going on here. Anyway AFAIK the only provider doing this sort of trick is Azure AD.


    @terzino: I'm guessing you had the information by other communication channel but this change is scoped for the Tuleap 11.9 release (rel #13877).
    • Summary
      -Support OpenID Connect providers where the login URL is different than the issuer URL 
      +Support Azure AD as an OpenID Connect provider 
    • Status changed from Under review to Under implementation
    User avatar
    Nouha Terzi (terzino)2019-10-29 14:16
    Hello Thomas, team,


    As already discussed during tuleap openroadmap, we're working on deploying tuleap on Azure and trying the connect thru openid plugin. Could we have this bug fixed?

    Thank you in advance for your support.
    regards,
    Nouha
    • CC list set to stefano.amadori@st.com