From 125198908a5ed9458392e27229e89a009df3668d Mon Sep 17 00:00:00 2001 From: d036670 Date: Tue, 7 Nov 2023 16:22:02 +0100 Subject: [PATCH] review --- .../microsoft-oidc-provider.md | 25 +++++++++++-------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/docs/OIDC-Provider-Examples/microsoft-oidc-provider.md b/docs/OIDC-Provider-Examples/microsoft-oidc-provider.md index c45adf7d66b..463932acd3a 100644 --- a/docs/OIDC-Provider-Examples/microsoft-oidc-provider.md +++ b/docs/OIDC-Provider-Examples/microsoft-oidc-provider.md 
@@ -3,28 +3,28 @@ You can use your Microsoft account to be setup as an [OIDC provider](https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc) for UAA login. In order to prevent storing a client secret in UAA configuration, either register the external OIDC provider with a public client or use X509 [certificate credentials](https://learn.microsoft.com/en-us/entra/identity-platform/certificate-credentials). -Prerequisit is the setup OIDC version 2.0. You have to know your tenant ID. Then you know your issuer using +Prerequisite is the setup OIDC version 2.0. You have to know your tenant ID. Then you know your issuer using link https://login.microsoftonline.com/{tenant}/v2.0/. Your discovery URL is https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration. -1. Create a new aplication in your App registrations in your directory. After creation you see in Overview section the client_id, which is needed. -2. Configure in Authentication section and configured there a Web Redirect URI for your UAA setup. In addition it is recommended to add your +1. Create a new application in your App registrations in your directory. After creation you see in Overview section the client_id, which is needed. +2. Configure in Authentication section a Web Redirect URI for your UAA setup. In addition it is recommended to add your UAA/logout.do as Front-channel logout URL, so that you also get SLO for your browser flows. Add following URI in redirect URL: - `http://{UAA_HOST}/login/callback/{origin}`. [Additional documentation for achieving this can be found here](https://learn.microsoft.com/en-us/entra/identity-platform/reply-url). + `https://{UAA_HOST}/login/callback/{origin}`. [Additional documentation for achieving this can be found here](https://learn.microsoft.com/en-us/entra/identity-platform/reply-url). -3. In section Certificates and serets it is reommended to store your X509. You can get it from your UAA/token_keys from property x5c. +3. 
In section Certificates and secrets it is recommended to store your X509. You can get it from your UAA/token_keys from property x5c. You can setup UAA with X509 certificates in JWT with your existing private key with following commands: - - openssl req -x509 -sha256 -new -key -out - - openssl x509 -sha256 -days 365 -in -signkey - +```console + openssl req -x509 -sha256 -new -key -out + openssl x509 -sha256 -days 365 -in -signkey + ``` 4. Copy the received X509 certificate into your uaa.yml. +```yaml jwt: token: policy: @@ -40,9 +40,11 @@ UAA/logout.do as Front-channel logout URL, so that you also get SLO for your bro -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- + ``` 5. Minimal OIDC configuration needs to be added in login.yml. Read configuration refer to '[https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration](https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc)' for discoveryUrl and issuer +```yaml login: oauth: providers: @@ -60,10 +62,11 @@ UAA/logout.do as Front-channel logout URL, so that you also get SLO for your bro showLinkText: true relyingPartyId: 3feb7ecb-d106-4432-b335-aca2689ad123 jwtclientAuthentication: true + ``` 6. Ensure that the scope `openid`, `email` and `profile` is included in the`scopes` property. Then UAA shadow user (if addShadowUserOnLogin=true) is created with most important properties like first and last name and the email. The UAA user name can be defined with a custom configuration as pointed out in the example. If the user_name mapping is not set, it will be an opaque id always. -If you want use another attribute from your directory, define the claim in token configuration and map it here. +If you want to use another attribute from your directory, define the claim in token configuration and map it here. 7. Restart UAA. You will see `Login with Microsoft` link on your login page.
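Review bot: in the first hunk (step 3) the two `openssl` commands wrapped in the new ```console fence are still missing their operands: `-key`, `-out`, `-in` and `-signkey` each take a filename and none is given, so the commands fail as written. The original placeholders were most likely angle-bracketed and swallowed as HTML tags when the markdown rendered; reuse the brace style this file already uses (`{tenant}`, `{UAA_HOST}`), e.g. `openssl req -x509 -sha256 -new -key {private_key.pem} -out {cert.pem}` and `openssl x509 -sha256 -days 365 -in {cert.pem} -signkey {private_key.pem}`, and note that `-days 365` can also be passed directly to the `req -x509` call so a single command suffices. The `http://` to `https://` change for the `/login/callback/{origin}` redirect URI is correct and should stay, since the authorization response is delivered to that URL.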
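Review bot: in the second hunk (step 5) the link text is the discovery URL `https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration` but the link target is the Entra documentation page `https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc`, so a reader who clicks it lands on the docs rather than the metadata document they are told to read; keep the discovery URL as plain inline code (it contains a `{tenant}` placeholder and is not clickable anyway) and link the documentation separately. "Read configuration refer to" is also ungrammatical; suggest "Read the `discoveryUrl` and `issuer` values from ...". Minor: the closing ``` fence added for the uaa.yml block is indented while its opening ```yaml fence is not; it parses, but aligning them avoids surprises in other renderers.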
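Review bot: the third hunk (step 6) fixes "want use" but leaves two slips on the adjacent context line that the same review pass should catch: "the`scopes` property" is missing a space, and "the scope `openid`, `email` and `profile` is included" should read "the scopes `openid`, `email` and `profile` are included". Also, `relyingPartyId: 3feb7ecb-d106-4432-b335-aca2689ad123` looks like a real application (client) ID; since step 1 says this value is read from the app's Overview section, an obvious placeholder such as `{client_id}` would stop readers copying it verbatim. The `jwtclientAuthentication: true` line is consistent with the intro's goal of avoiding a stored client secret, so the sample is otherwise coherent.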