Azure AD setup
(Visit https://your-munkireport-server/index.php?/auth/saml/metadata to see the service-provider metadata MunkiReport generates; the Azure AD values you enter below must match it.)
- Visit https://portal.azure.com
- Click “Enterprise applications”
- Click “New Application”
- Select “Non-gallery application”
- Enter a Name, e.g. MunkiReport
- Optional: Under "Properties" change the logo and select a fitting one.
- Click “Single sign-on” and choose SAML
- Under “Basic SAML Configuration” (replace domain.com with the address of your MunkiReport server)
  - Identifier (Entity ID): domain.com/auth/saml/metadata
  - Reply URL (Assertion Consumer Service URL): domain.com/auth/saml/acs
  - Logout Url: domain.com/auth/saml/sls
- Under “Set up MunkiReport” note the following values; they go into your .env file in MunkiReport (see below)
  - Login URL
  - Azure AD Identifier
  - Logout URL
- You also need the IdP signing certificate. Under SAML Signing Certificate, find Certificate (Base64) and click Download.
- On the left, choose “Users and Groups”
- Add the users or groups who should have access. Azure AD then controls who can sign in, so you do not also need to restrict access in your .env file. Make sure “User assignment required?” is set to Yes under the application's Properties; otherwise every user in the tenant can sign in.
In your MunkiReport config.env add:

```
AUTH_METHODS=SAML
AUTH_SAML_SP_NAME_ID_FORMAT=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
AUTH_SAML_IDP_ENTITY_ID=<Azure AD Identifier from your Azure application>
AUTH_SAML_IDP_SSO_URL=<Login URL from your Azure application>
AUTH_SAML_IDP_SLO_URL=<Logout URL from your Azure application>
AUTH_SAML_USER_ATTR=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
INDEX_PAGE=""
```

AUTH_SAML_USER_ATTR is required: it tells MunkiReport which SAML attribute carries the username, and login does not work without it.
For the certificate you have two options: place the downloaded file on the server, or paste its contents into your .env file. Either way, download the "Certificate (Base64)" in Azure AD > Enterprise Applications > (your application) > SAML Signing Certificate. MunkiReport uses this certificate to verify the signature on the assertions Azure AD sends, so keep it current: Azure AD signing certificates expire, and after you roll the certificate over in Azure you must replace the copy on the server or logins will fail signature validation.

The simplest way is to place the file in webroot/munkireport/local/certs and rename it to idp.crt.

Otherwise, add it to your .env file:

```
AUTH_SAML_IDP_X509CERT="-----BEGIN CERTIFICATE-----
blahblah
-----END CERTIFICATE-----
"
```
Finally, visit your MunkiReport URL and it should forward you directly to Microsoft. Enter your credentials (and maybe your MFA). That's it.
Nginx

Nginx uses /index.php?/auth/saml/metadata by default, and Microsoft does not allow a ? in the Identifier/Entity ID. The Identifier does not need to be a network address; it only needs to be unique within your organization, so use a plain URN instead and configure MunkiReport to advertise the same value.

Modify the above instructions as follows:

- Under “Basic SAML Configuration”
  - Identifier (Entity ID): urn:munki:report

In your MunkiReport config.env add:

```
AUTH_METHODS=SAML
AUTH_SAML_SP_NAME_ID_FORMAT=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
AUTH_SAML_SP_ENTITY_ID="urn:munki:report"
AUTH_SAML_IDP_ENTITY_ID=<Azure AD Identifier from your Azure application>
AUTH_SAML_IDP_SSO_URL=<Login URL from your Azure application>
AUTH_SAML_IDP_SLO_URL=<Logout URL from your Azure application>
AUTH_SAML_USER_ATTR=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
```

AUTH_SAML_USER_ATTR is required here as well; login does not work without it.

Note: do not include INDEX_PAGE="" here for Nginx configurations.

It may be possible to achieve similar results with URL rewrite rules in your Nginx configuration instead.
If you use passwordless login, add this to your .env file:

```
AUTH_SAML_SECURITY_REQUESTED_AUTHN_CONTEXT=FALSE
```

For debugging use AUTH_SAML_DEBUG=TRUE, and remove it again once login works.
Once you've configured Azure AD and your .env file, click the blue 'Test' button at the bottom of the Single sign-on page, then click 'Sign in as current user'. If you encounter errors, click into a different section within Azure AD and then back on 'Single sign-on' to make sure the settings were actually saved.

You can also visit https://your-munkireport-server/index.php?/auth/set_session_props/show to display the SAML attributes of the currently signed-in user.
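As an added check before you hit 'Test', the script below (not part of MunkiReport or this wiki) parses the AUTH_SAML_* keys of a .env file and flags the mistakes this page warns about: a '?' in the SP entity ID, INDEX_PAGE set on an Nginx install, an SSO or SLO URL that is not https, a certificate value that is not a PEM block, a missing AUTH_SAML_USER_ATTR, and AUTH_SAML_DEBUG left on. The tenant GUID, Azure URLs and certificate body in SAMPLE_ENV are constructed placeholders, and the check names and messages are the script's own. To check a real file, replace SAMPLE_ENV with the contents of your .env.

```python
"""Sanity-check the AUTH_SAML_* settings in a MunkiReport .env before hitting 'Test'.

Added example for this page; it is not part of MunkiReport. It only reads the keys
described above. The tenant GUID, URLs and certificate body in SAMPLE_ENV are
constructed placeholders, not real values.
"""
import binascii
import ssl
from urllib.parse import urlparse

REQUIRED = ("AUTH_SAML_IDP_ENTITY_ID", "AUTH_SAML_IDP_SSO_URL", "AUTH_SAML_USER_ATTR")


def parse_env(text):
    """Parse KEY=value lines; supports "double-quoted" values spanning lines and trailing # comments."""
    env, key, buf, in_quote = {}, None, [], False
    for raw in text.splitlines():
        if in_quote:                       # inside a multi-line quoted value (the certificate)
            if raw.rstrip().endswith('"'):
                buf.append(raw.rstrip()[:-1])
                env[key], in_quote = "\n".join(buf), False
            else:
                buf.append(raw)
            continue
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value.startswith('"'):
            if len(value) > 1 and value.endswith('"'):
                env[key] = value[1:-1]     # single-line quoted value
            else:
                in_quote, buf = True, [value[1:]]
            continue
        env[key] = value.split(" #", 1)[0].strip()   # drop an inline comment
    return env


def check_saml_env(env, nginx=False):
    """Return a list of problems; an empty list means the settings are consistent with this page."""
    problems = []
    if env.get("AUTH_METHODS", "").upper() != "SAML":
        problems.append("AUTH_METHODS must be SAML")
    for key in REQUIRED:
        if not env.get(key):
            problems.append(f"{key} is missing")
    for key in ("AUTH_SAML_IDP_SSO_URL", "AUTH_SAML_IDP_SLO_URL"):
        url = env.get(key)
        if url and urlparse(url).scheme != "https":
            problems.append(f"{key} should be an https URL, got {url!r}")
    fmt = env.get("AUTH_SAML_SP_NAME_ID_FORMAT")
    if fmt and not fmt.startswith("urn:oasis:names:tc:SAML:"):
        problems.append("AUTH_SAML_SP_NAME_ID_FORMAT is not a standard SAML NameID format URN")
    # Azure AD rejects '?' in the Entity ID; behind Nginx the metadata URL contains one,
    # so the SP entity ID must be overridden with a plain URN such as urn:munki:report.
    sp_id = env.get("AUTH_SAML_SP_ENTITY_ID", "")
    if "?" in sp_id:
        problems.append("AUTH_SAML_SP_ENTITY_ID must not contain '?'")
    if nginx:
        if not sp_id:
            problems.append("Nginx: set AUTH_SAML_SP_ENTITY_ID to a plain URN")
        if "INDEX_PAGE" in env:
            problems.append("Nginx: do not set INDEX_PAGE")
    cert = env.get("AUTH_SAML_IDP_X509CERT")
    if cert is not None:
        try:   # checks PEM framing and base64 only; it does not parse or validate the X.509 body
            ssl.PEM_cert_to_DER_cert(cert.strip())
        except (ValueError, binascii.Error) as exc:
            problems.append(f"AUTH_SAML_IDP_X509CERT is not a valid PEM block: {exc}")
    if env.get("AUTH_SAML_DEBUG", "").upper() == "TRUE":
        problems.append("AUTH_SAML_DEBUG is still TRUE; remove it once login works")
    return problems


# Constructed sample .env matching the Nginx variant above (placeholder tenant GUID and
# certificate body; not real values)
SAMPLE_ENV = """\
AUTH_METHODS=SAML
AUTH_SAML_SP_NAME_ID_FORMAT=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
AUTH_SAML_SP_ENTITY_ID="urn:munki:report"
AUTH_SAML_IDP_ENTITY_ID=https://sts.windows.net/00000000-0000-0000-0000-000000000000/
AUTH_SAML_IDP_SSO_URL=https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2
AUTH_SAML_IDP_SLO_URL=https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2
AUTH_SAML_USER_ATTR=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
AUTH_SAML_IDP_X509CERT="-----BEGIN CERTIFICATE-----
QUFBQUFBQUFBQUFBQUFBQQ==
-----END CERTIFICATE-----
"
"""

if __name__ == "__main__":
    for problem in check_saml_env(parse_env(SAMPLE_ENV), nginx=True) or ["OK"]:
        print(problem)
```

The certificate check deliberately stops at PEM framing; whether the certificate is the one Azure AD currently signs with is something only a real login test (or comparing the fingerprint with the Azure portal) can tell you.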