SSO for Azure AD

Description

This plugin allows users to authenticate to a site with an Azure AD account using OAuth.

This plugin requires an app registration in the Azure AD portal.

Warning: guest users and users created with a linked Microsoft account have a different user name format and may not be matched to the site user you expect. See the „How are AD users matched to site users?” FAQ for more information.

Not affiliated with or approved by Microsoft.

Frequently asked questions

How is the plugin configured?

  1. In the plugin’s settings (Settings -> SSO for Azure AD), make a note of the Redirect URL displayed in the „Endpoints” section.
  2. In the Azure AD admin panel for your directory, select „New registration”.
  3. Enter a name. This will be visible to users.
    Note: unless you know you need to change this option, leave „Supported account types” set to „Accounts in this organizational directory only”. Widening it to other directories or personal Microsoft accounts means any account in those directories whose user name matches a site user’s email address can sign in as that user.
  4. Under „Redirect URI”, select „Web” and enter the Redirect URL that you copied earlier.
  5. Select „Register”.
  6. Make a note of the „Application (client ID)” and the „Directory (tenant) ID”.
  7. Select „Certificates & secrets”.
  8. Select „New client secret”
  9. Enter a description and select an expiration, then select „Add”.
    Note: whichever expiration you select, create a new client secret and update the plugin’s settings before the current one expires, otherwise sign-in will stop working. (Current versions of the portal no longer offer „Never”; the longest expiration is 24 months.)
  10. Make a note of the client secret value. It is shown only once, immediately after creation; treat it like a password and do not store it anywhere other than the plugin’s settings.
  11. In the plugin’s settings, enter the values noted down earlier in the corresponding fields and save your changes.
    Note: unless you have a specific need, „Scope” should be left to the default value.
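The following is an added, stand-alone illustration of how the three values from the steps above (tenant ID, client ID, client secret) and the Redirect URL are used in the OAuth authorization-code flow against the Azure AD v2.0 endpoints. It is not the plugin’s code; the IDs, secret and Redirect URL are constructed placeholders, and the exact Redirect URL format used by the plugin is an assumption. The state check is included because a callback without it can be replayed or forged.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders; real values come from the app registration and
# the plugin's "Endpoints" section.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_SECRET = "constructed-secret-value"            # never commit a real one
REDIRECT_URI = "https://example.com/wp-login.php?loginSocial=azure"  # hypothetical format
SCOPE = "https://graph.microsoft.com/User.Read"       # the plugin's default scope

# Azure AD v2.0 endpoints for a single-tenant registration.
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0"


def new_state() -> str:
    """Unguessable per-login value, stored server-side and checked on callback."""
    return secrets.token_urlsafe(32)


def build_authorize_url(state: str) -> str:
    """URL the 'Login with Azure AD' button sends the browser to."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": f"openid {SCOPE}",
        "state": state,
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect, rejecting errors and bad state."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise RuntimeError(f"Azure AD returned error: {qs['error'][0]}")
    state = qs.get("state", [""])[0]
    # Constant-time compare so a mismatch is detected without timing leakage.
    if not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible forged or replayed callback")
    return qs["code"][0]


def token_request(code: str) -> dict:
    """Form body the site posts (server-to-server) to redeem the code for tokens."""
    return {
        "url": f"{AUTHORITY}/token",
        "data": {
            "grant_type": "authorization_code",
            "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET,
            "code": code,
            "redirect_uri": REDIRECT_URI,   # must match the registered Redirect URI exactly
            "scope": SCOPE,
        },
    }


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url(state))
    # Simulated redirect back from Azure AD (constructed):
    callback = f"{REDIRECT_URI}&code=AUTHCODE&state={state}"
    print(token_request(parse_callback(callback, state))["url"])
```

The token endpoint response would carry the access token that the plugin then presents to the Microsoft Graph API; that network step is not shown because it cannot run offline.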

Why is the „Login with Azure AD” button not visible on my site’s login page?

The login button will not be displayed until the plugin has been fully configured.

Make sure that the following options are configured and valid inside the plugin’s settings (Settings -> SSO for Azure AD):
1. Application (client) ID
2. Client secret
3. Directory (tenant) ID
4. Scope

How are AD users matched to site users?

The user’s „user name” on Azure AD (the user principal name, usually the same as their email address if they have a mailbox) will be matched to the site user that has that value as their email address.

For example, when the user who logs in to Azure AD by entering user@example.com logs in to the site, the plugin will look for a user with the email address user@example.com.

Warning: guest users and users created with a linked Microsoft account will have a different user name format, so they will not be matched to a site user whose email address is the original address. For example, user@guestexample.com may become user_guestexample.com#EXT#@example.onmicrosoft.com.

What happens when an AD user who doesn’t have an account on the site attempts to log in?

The behavior for this case is configurable.

In the „Login options” section of the plugin’s settings (Settings -> SSO for Azure AD), there is an option named „Create new users if they don’t already exist”.

If it is enabled, when a user logs in and the plugin can’t find the corresponding site user, a new one will be created with the same role as the site default for new signups. Enable this only if every account that can sign in to the app registration should get a site account, and make sure the site default role is the least privilege you are willing to grant automatically.

If it is disabled, when a user logs in and the plugin can’t find the corresponding site user, the following error message will be displayed: „Your account has not been registered on this site. Please contact your administrator.”
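The matching rule from „How are AD users matched to site users?” and the two behaviours described above, as an added example that is not the plugin’s own code. The site user table is constructed; the login name and default role given to a created user are assumptions. Decoding the guest (#EXT#) user name back to the original address goes beyond what the page says the plugin does, and is shown here so that the guest case from the warning above is handled rather than silently failing to match.

```python
import re

# Constructed stand-in for the site's user table, keyed by lowercase email.
SITE_USERS = {
    "user@example.com": {"login": "user", "email": "user@example.com", "role": "editor"},
}
DEFAULT_NEW_USER_ROLE = "subscriber"   # assumption: site default role for new signups

NOT_REGISTERED_MSG = (
    "Your account has not been registered on this site. "
    "Please contact your administrator."
)

# Guest / external user name shape: local_domain#EXT#@<home tenant>.
# e.g. user_guestexample.com#EXT#@example.onmicrosoft.com
GUEST_UPN = re.compile(r"^(?P<local>.+)_(?P<domain>[^_#@]+)#EXT#@[^@]+$", re.IGNORECASE)


def upn_to_email(upn: str) -> str:
    """Normalize an Azure AD user principal name to the email address to match on."""
    m = GUEST_UPN.match(upn.strip())
    if m:
        # Greedy 'local' keeps underscores in the original local part; domains have none.
        return f"{m['local']}@{m['domain']}".lower()
    return upn.strip().lower()   # email comparison is case-insensitive


def resolve_site_user(graph_profile: dict, site_users: dict, create_missing: bool) -> dict:
    """Return the site user for a Graph /me profile, creating one only if configured to."""
    upn = graph_profile.get("userPrincipalName") or ""
    if "@" not in upn:
        raise ValueError("profile has no usable userPrincipalName")
    email = upn_to_email(upn)
    user = site_users.get(email)
    if user is not None:
        return user
    if not create_missing:
        # "Create new users if they don't already exist" is off: refuse the login.
        raise LookupError(NOT_REGISTERED_MSG)
    # Option is on: create with the site default role (login derivation is an assumption).
    new_user = {"login": email.split("@")[0], "email": email, "role": DEFAULT_NEW_USER_ROLE}
    site_users[email] = new_user
    return new_user


if __name__ == "__main__":
    # Constructed Graph responses for a member and a guest account.
    member = {"userPrincipalName": "User@Example.com"}
    guest = {"userPrincipalName": "user_guestexample.com#EXT#@example.onmicrosoft.com"}
    print(resolve_site_user(member, SITE_USERS, create_missing=False))
    try:
        resolve_site_user(guest, SITE_USERS, create_missing=False)
    except LookupError as exc:
        print(exc)
```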

How can I add the site administration panel to the Azure application list?

To add the site administration panel to the Azure application list, copy the „Homepage/Login URL” displayed in the „Endpoints” section of the plugin’s settings (Settings -> SSO for Azure AD).

This URL must be pasted in the „Home page URL” field in the „Branding” section of your app registration on the Azure AD portal.

Which scope should I use?

In most cases, the default scope (https://graph.microsoft.com/User.Read) should be used. Selecting this scope will make the plugin use the Microsoft Graph API to get the user’s email address.

If you need the plugin to use the Outlook Mail API to get the user’s email address instead, change the „Scope” value to „https://outlook.office.com/User.Read”.

Warning: choosing to use the Outlook Mail API will cause sign-on to fail for users who don’t have a mailbox.

Reviews

There are no reviews for this plugin.

Contributors & Developers

„SSO for Azure AD” is open source software. The following people have contributed to this plugin.

Contributors

Changelog

1.0.0

First release