review
strehle committed Nov 7, 2023
1 parent e05a5ef commit 1251989
Showing 1 changed file with 14 additions and 11 deletions.
25 changes: 14 additions & 11 deletions docs/OIDC-Provider-Examples/microsoft-oidc-provider.md
Expand Up @@ -3,28 +3,28 @@
You can use your Microsoft account to be setup as an [OIDC provider](https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc) for
UAA login. In order to prevent storing a client secret in UAA configuration, either register the external OIDC provider with a public client or use
X509 [certificate credentials](https://learn.microsoft.com/en-us/entra/identity-platform/certificate-credentials).
Prerequisit is the setup OIDC version 2.0. You have to know your tenant ID. Then you know your issuer using
Prerequisite is the setup OIDC version 2.0. You have to know your tenant ID. Then you know your issuer using
link https://login.microsoftonline.com/{tenant}/v2.0/. Your discovery URL is https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration.

1. Create a new aplication in your App registrations in your directory. After creation you see in Overview section the client_id, which is needed.
2. Configure in Authentication section and configured there a Web Redirect URI for your UAA setup. In addition it is recommended to add your
1. Create a new application in your App registrations in your directory. After creation you see in Overview section the client_id, which is needed.
2. Configure in Authentication section a Web Redirect URI for your UAA setup. In addition it is recommended to add your
UAA/logout.do as Front-channel logout URL, so that you also get SLO for your browser flows.

Add following URI in redirect URL:

`http://{UAA_HOST}/login/callback/{origin}`. [Additional documentation for achieving this can be found here](https://learn.microsoft.com/en-us/entra/identity-platform/reply-url).
`https://{UAA_HOST}/login/callback/{origin}`. [Additional documentation for achieving this can be found here](https://learn.microsoft.com/en-us/entra/identity-platform/reply-url).

3. In section Certificates and serets it is reommended to store your X509. You can get it from your UAA/token_keys from property x5c.
3. In section Certificates and secrets it is recommended to store your X509. You can get it from your UAA/token_keys from property x5c.
You can setup UAA with X509 certificates in JWT with your existing private key with following commands:


openssl req -x509 -sha256 -new -key <your-key-from-uaa-yaml> -out <server.csr>

openssl x509 -sha256 -days 365 -in <server.csr> -signkey <your-key-from-uaa-yaml>

```console
openssl req -x509 -sha256 -new -key <your-key-from-uaa-yaml> -out <server.csr>
openssl x509 -sha256 -days 365 -in <server.csr> -signkey <your-key-from-uaa-yaml>
```

4. Copy the received X509 certificate into your uaa.yml.

```yaml
jwt:
token:
policy:
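Review bot: the two openssl commands in the new `console` block do not produce what step 3 describes. `openssl req -x509 ... -out <server.csr>` already emits a self-signed certificate (the `-x509` flag skips the CSR stage), so the file called `<server.csr>` is a certificate, and the second command then merely re-signs that certificate with `-days 365` and, lacking `-out`, writes the result to stdout. Either generate a real CSR and sign it (drop `-x509` from the first command and add `-req -out <server.crt>` to the second), or collapse the step to a single command such as `openssl req -x509 -sha256 -new -key <your-key-from-uaa-yaml> -days 365 -out <server.crt>`, which is what step 4 actually needs. The `http` to `https` correction of the redirect URI is right: the callback carries the authorization code and must only ever be delivered over TLS.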
Expand All @@ -40,9 +40,11 @@ UAA/logout.do as Front-channel logout URL, so that you also get SLO for your bro
-----BEGIN CERTIFICATE-----
... <your generated X509>
-----END CERTIFICATE-----
```

5. Minimal OIDC configuration needs to be added in login.yml. Read configuration refer to '[https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration](https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc)' for discoveryUrl and issuer

```yaml
login:
oauth:
providers:
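Review bot: the step 5 sentence "Read configuration refer to '...' for discoveryUrl and issuer" is still hard to parse, and the link shows the openid-configuration URL as its text while its target is the Microsoft OIDC overview page, so a reader who copies the visible text and one who follows the link get different things. Suggest stating the two values directly, for example: use `https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration` as `discoveryUrl` and `https://login.microsoftonline.com/{tenant}/v2.0` as `issuer` (no trailing slash, so it matches the `iss` claim in the tokens exactly), and keep the documentation link as a separate reference. Closing the certificate block with a ``` fence is the right fix for the `... <your generated X509>` placeholder between the BEGIN/END markers.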
Expand All @@ -60,10 +62,11 @@ UAA/logout.do as Front-channel logout URL, so that you also get SLO for your bro
showLinkText: true
relyingPartyId: 3feb7ecb-d106-4432-b335-aca2689ad123
jwtclientAuthentication: true
```
6. Ensure that the scope `openid`, `email` and `profile` is included in the`scopes` property. Then UAA shadow user (if addShadowUserOnLogin=true) is
created with most important properties like first and last name and the email. The UAA user name can be defined with a
custom configuration as pointed out in the example. If the user_name mapping is not set, it will be an opaque id always.
If you want use another attribute from your directory, define the claim in token configuration and map it here.
If you want to use another attribute from your directory, define the claim in token configuration and map it here.

7. Restart UAA. You will see `Login with Microsoft` link on your login page.
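Review bot: the first sentence of step 6 still has a number-agreement problem; "the scope `openid`, `email` and `profile` is included in the`scopes` property" should read "the scopes `openid`, `email` and `profile` are included in the `scopes` property" (note the missing space before `scopes`). Since the change already touches this paragraph, "it will be an opaque id always" reads better as "the user name will always be an opaque id". Also, unlike the other steps, there is no blank line between the closing ``` fence and "6.", so adding one keeps the list items consistently separated.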

0 comments on commit 1251989
