diff --git a/authentication/AzureAD/README_WITH_CLIENT_SECRET.md b/authentication/AzureAD/README_WITH_CLIENT_SECRET.md index 3c5aa67b..c8c1d128 100644 --- a/authentication/AzureAD/README_WITH_CLIENT_SECRET.md +++ b/authentication/AzureAD/README_WITH_CLIENT_SECRET.md @@ -26,7 +26,7 @@ 1. Create the *ODM application*. - In **Azure Active Directory** / **App registration**, click **New Registration**: + In **Microsoft Entra Id** / **Manage** / **App registration**, click **New Registration**: * Name: **ODM Application** * Supported account types / Who can use this application or access this API?: select `Accounts in this organizational directory only (Default Directory only - Single tenant)` @@ -36,7 +36,7 @@ 2. Retrieve Tenant and Client information. - In **Azure Active Directory** / **App Registration**, select **ODM Application** and click **Overview**: + In **Microsoft Entra Id** / **Manage** / **App Registration**, select **ODM Application** and click **Overview**: * Application (client) ID: **Client ID**. It will be referenced as `CLIENT_ID` in the next steps. * Directory (tenant) ID: **Your Tenant ID**. It will be referenced as `TENANT_ID` in the next steps. @@ -45,7 +45,7 @@ 3. Generate an OpenID client secret. - In **Azure Active Directory** / **App registrations**, select **ODM Application**: + In **Microsoft Entra Id** / **Manage** / **App registrations**, select **ODM Application**: * From the Overview page, click on the link Client credentials: **Add a certificate or secret** or on the **Manage / Certificates & secrets** tab * Click + New Client Secret 
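Review bot: the product name written into the new navigation paths at @@ -26, @@ -36 and @@ -45 (and every matching path hunk later in both READMEs) is `Microsoft Entra Id`; Microsoft spells it `Microsoft Entra ID`, and the diff's own later heading `# Deploy ODM on a container configured with Microsoft Entra ID (Part 2)` already uses that form, so make the bold path `**Microsoft Entra ID** / **Manage** / **App registrations**` everywhere. The last segment also alternates between `App registration`, `App registrations` and `App Registration` across hunks; pick the portal label once.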
@@ -58,24 +58,24 @@ 4. Add Claims. - In **Azure Active Directory** / **App registrations**, select **ODM Application**, and in **Manage / Token Configuration**: + In **Microsoft Entra Id** / **Manage** / **App registrations**, select **ODM Application**, and in **Manage / Token Configuration**: - * Add Optional Email ID Claim + * Add Optional **email** ID Claim * Click +Add optional claim * Select ID - * Check Email - * Click Add - - * Add Optional Email Access Claim - * Click +Add optional claim - * Select Access - * Check Email + * Check **email** * Click Add * Turn on Microsoft Graph email permission * Check Turn on the Microsoft Graph email permission * Click Add + * Add Optional **email** Access Claim + * Click +Add optional claim + * Select Access + * Check **email** + * Click Add + * Add Group Claim * Click +Add groups claim * Check Security Groups @@ -85,11 +85,11 @@ To allow ODM rest-api to use the password flow with email as user identifier and the client-credentials flow with client_id as user identifier, we need to create a new claim named "identity" that will take the relevant value according to the flow: - In **Azure Active Directory** / **Enterprise applications**, select **ODM Application**, and in **Manage / Single sign-on**: + In **Microsoft Entra Id** / **Manage** / **Enterprise applications**, select **ODM Application**, and in **Manage / Single sign-on**: * Click Edit in the "Attributes & Claims" section * Click + Add new claim - * Name: identity + * Name: **identity** * Fill 2 Claim conditions in the exact following order: 1. User Type: Any / Scoped Groups: 0 / Source: Attribute / Value: 2. User Type: Members / Scoped Groups: 0 / Source: Attribute / Value: user.mail 
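Review bot: in hunk @@ -85 the first claim condition is written as `User Type: Any / Scoped Groups: 0 / Source: Attribute / Value:` with nothing after `Value:`, while the sentence above says the client-credentials flow must surface `client_id` through the `identity` claim; name the attribute explicitly so nobody saves the condition empty, and since the text insists on "the exact following order", say why: the second condition (`Members` / `user.mail`) is meant to take precedence for interactive users and the first is the fallback for application tokens. Because `identity` is what the Liberty `userIdentifier` reads, an empty first condition leaves client-credentials callers with no principal at all.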
@@ -97,7 +97,7 @@ 6. API Permissions. - In **Azure Active Directory** / **App Registration**, select **ODM Application**, and then click **API Permissions**. + In **Microsoft Entra Id** / **Manage** / **App Registration**, select **ODM Application**, and then click **API Permissions**. * Click Grant Admin Consent for Default Directory @@ -109,7 +109,10 @@ 7. Manifest change. - In **Azure Active Directory** / **App Registration**, select **ODM Application**, and then click **Manifest**. + In **Microsoft Entra Id** / **Manage** / **App Registration**, select **ODM Application**, and then click **Manifest**. + + The Manifest feature (a JSON representation of an app registration) is currently in transition. + [**AAD Graph app manifest**](https://learn.microsoft.com/en-us/entra/identity-platform/azure-active-directory-graph-app-manifest-deprecation) will be deprecated soon and not editable anymore starting 12/2/2024. It will be replaced by the **Microsoft Graph App Manifest** As explained in [accessTokenAcceptedVersion attribute explanation](https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest#accesstokenacceptedversion-attribute), change the value to 2. @@ -117,6 +120,10 @@ It is also necessary to set **acceptMappedClaims** to true to manage claims. Without this setting, you get the exception **AADSTS50146: This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid.** when requesting a token. + With **Microsoft Graph App Manifest**: + * **acceptMappedClaims** is relocated as a property of the **api** attribute + * **accessTokenAcceptedVersion** is relocated as a property of the **api** attribute and renamed **requestedAccessTokenVersion** + Then, click Save. 8. Check the configuration. 
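Review bot: the new `acceptMappedClaims` bullets in hunk @@ -117 should carry the caveat that belongs with that flag: it is acceptable here only because step 1 registers the app as `Accounts in this organizational directory only (... Single tenant)`; Microsoft's reference for the attribute warns against enabling it on multi-tenant registrations, where other tenants could then attach claims-mapping policies to the app. One sentence linking the flag to the single-tenant choice stops a reader who later widens the account type from keeping it on. In the same region, `change the value to 2` no longer names the attribute it refers to; keep `**accessTokenAcceptedVersion**` in that sentence, since the following bullet explains that it is renamed `requestedAccessTokenVersion` in the Microsoft Graph manifest.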
@@ -318,7 +325,7 @@ ```shell kubectl create secret generic users-groups-synchro-secret \ - --from-file=sidecar-start.sh \ + --from-file=./output/sidecar-start.sh \ --from-file=generate-user-group-mgt.sh ``` > **Note** @@ -340,7 +347,7 @@ ```shell helm search repo ibm-odm-prod NAME CHART VERSION APP VERSION DESCRIPTION - ibm-helm/ibm-odm-prod 24.0.0 9.0.0.0 IBM Operational Decision Manager + ibm-helm/ibm-odm-prod 24.1.0 9.0.0.1 IBM Operational Decision Manager ``` ### Run the `helm install` command @@ -449,7 +456,7 @@ You can now install the product. We will use the PostgreSQL internal database an - Decision Server Runtime redirect URI: `https:///DecisionService/openid/redirect/odm` - Rule Designer redirect URI: `https://127.0.0.1:9081/oidcCallback` - From the Azure console, in **Azure Active Directory** / **App Registrations** / **ODM Application**: + From the Microsoft Azure console, in **Microsoft Entra Id** / **Manage** / **App Registrations** / **ODM Application**: - Click the `Add a Redirect URI` link - Click `Add Platform` @@ -507,11 +514,11 @@ To manage ODM runtime call on the next steps, we used the [Loan Validation Decis Import the **Loan Validation Service** in Decision Center connected using *myodmuser*@YOURDOMAIN created at step 2 -![Import project](../Keycloak/images/import_project.png) +![Import project](images/import_project.png) Deploy the **Loan Validation Service** production_deployment ruleapps using the **production deployment** deployment configuration in the Deployments>Configurations tab. -![Deploy project](../Keycloak/images/deploy_project.png) +![Deploy project](images/deploy_project.png) You can retrieve the payload.json from the ODM Decision Server Console or use [the provided payload](payload.json). 
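Review bot: hunk @@ -318 changes the first argument to `--from-file=./output/sidecar-start.sh` but leaves `--from-file=generate-user-group-mgt.sh` relative to the current directory, and this same diff deletes `authentication/AzureAD/sidecar-start.sh` without adding a `templates/sidecar-start.sh` for `generateTemplate.sh` to render into `output/`; either include that template here or state where the generated file comes from, and say which directory the `kubectl create secret` command is run from so both paths resolve. The deleted script invoked `generate-user-group-mgt.sh -i -x -t -v`, i.e. the generated copy embeds the client secret, which is worth one line in the README as the reason this goes into a Secret rather than a ConfigMap.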
@@ -520,7 +527,7 @@ As explained in the ODM on Certified Kubernetes documentation [Configuring user You can realize a basic authentication ODM runtime call the following way: ```shell -$ curl -H "Content-Type: application/json" -k --data @payload.json \ +curl -H "Content-Type: application/json" -k --data @payload.json \ -H "Authorization: Basic b2RtQWRtaW46b2RtQWRtaW4=" \ https:///DecisionService/rest/production_deployment/1.0/loan_validation_production/1.0 ``` @@ -530,7 +537,7 @@ Where b2RtQWRtaW46b2RtQWRtaW4= is the base64 encoding of the current username:pa But if you want to execute a bearer authentication ODM runtime call using the Client Credentials flow, you have to get a bearer access token: ```shell -$ curl -k -X POST -H "Content-Type: application/x-www-form-urlencoded" \ +curl -k -X POST -H "Content-Type: application/x-www-form-urlencoded" \ -d 'client_id=&scope=%2F.default&client_secret=&grant_type=client_credentials' \ 'https://login.microsoftonline.com//oauth2/v2.0/token' ``` @@ -538,7 +545,7 @@ $ curl -k -X POST -H "Content-Type: application/x-www-form-urlencoded" \ And use the retrieved access token in the following way: ```shell -$ curl -H "Content-Type: application/json" -k --data @payload.json \ +curl -H "Content-Type: application/json" -k --data @payload.json \ -H "Authorization: Bearer " \ https:///DecisionService/rest/production_deployment/1.0/loan_validation_production/1.0 ``` diff --git a/authentication/AzureAD/README_WITH_PRIVATE_KEY_JWT.md b/authentication/AzureAD/README_WITH_PRIVATE_KEY_JWT.md index eb6c11f8..e94483ad 100644 --- a/authentication/AzureAD/README_WITH_PRIVATE_KEY_JWT.md +++ b/authentication/AzureAD/README_WITH_PRIVATE_KEY_JWT.md 
@@ -32,7 +32,7 @@ For additional information regarding the implement in Liberty, please refer to t 1. Create the *ODM application*. - In **Identity** / **Applications** / **App registration**, click **New Registration**: + In **Microsoft Entra Id** / **Manage** / **App registration**, click **New Registration**: * Name: **ODM Application** * Supported account types / Who can use this application or access this API?: select `Accounts in this organizational directory only (Default Directory only - Single tenant)` @@ -42,7 +42,7 @@ For additional information regarding the implement in Liberty, please refer to t 2. Retrieve Tenant and Client information. - In **Identity** / **Applications** / **App Registration**, select **ODM Application** and click **Overview**: + In **Microsoft Entra Id** / **Manage** / **App Registration**, select **ODM Application** and click **Overview**: * Application (client) ID: **Client ID**. It will be referenced as `CLIENT_ID` in the next steps. * Directory (tenant) ID: **Your Tenant ID**. It will be referenced as `TENANT_ID` in the next steps. @@ -57,12 +57,12 @@ For additional information regarding the implement in Liberty, please refer to t The expiration is set to 1000 days: ```shell - $ openssl req -x509 -nodes -days 1000 -newkey rsa:2048 -keyout myodmcompany.key \ + openssl req -x509 -nodes -days 1000 -newkey rsa:2048 -keyout myodmcompany.key \ -out myodmcompany.crt -subj "/CN=myodmcompany.com/OU=it/O=myodmcompany/L=Paris/C=FR" \ -addext "subjectAltName = DNS:myodmcompany.com" ``` - In **Identity** / **Applications** / **App registrations**, select **ODM Application**: + In **Microsoft Entra Id** / **Manage** / **App registrations**, select **ODM Application**: * From the Overview page, click on the link Client credentials: **Add a certificate or secret** or on the **Manage / Certificates & secrets** tab * Select the **Certificates** tab 
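Review bot: the `openssl req` command in hunk @@ -57 writes `myodmcompany.key` unencrypted (`-nodes`) with a 1000-day lifetime; that key is the client credential for the private_key_jwt flow, so the text around the command should tell the reader to restrict its file permissions and keep it out of the repository, and the 1000-day validity deserves a note that it is a demo value rather than a rotation policy. Removing the `$` prompt is a good change since the block is now paste-able as-is.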
@@ -73,24 +73,24 @@ For additional information regarding the implement in Liberty, please refer to t 4. Add Claims. - In **Identity** / **Applications** / **App registrations**, select **ODM Application**, and in **Manage / Token Configuration**: + In **Microsoft Entra Id** / **Manage** / **App registrations**, select **ODM Application**, and in **Manage / Token Configuration**: - * Add Optional Email ID Claim + * Add Optional **email** ID Claim * Click **+ Add optional claim** * Select **ID** - * Check **Email** - * Click **Add** - - * Add Optional Email Access Claim - * Click **+ Add optional claim** - * Select **Access** - * Check **Email** + * Check **email** * Click **Add** * Turn on Microsoft Graph email permission * Check **Turn on the Microsoft Graph email permission** * Click **Add** + * Add Optional **email** Access Claim + * Click **+ Add optional claim** + * Select **Access** + * Check **email** + * Click **Add** + * Add Group Claim * Click **+ Add groups claim** * Check **Security Groups** @@ -99,7 +99,7 @@ For additional information regarding the implement in Liberty, please refer to t 5. Create a custom claim named "identity" To enable the ODM REST API to use both the 'Password Credentials' flow with email as the user identifier and the 'Client Credentials' flow with client_id as the user identifier, we must establish a new claim named "identity" that will dynamically capture the appropriate value based on the chosen flow: - In **Identity** / **Applications** / **Enterprise applications**, select **ODM Application**, and in **Manage / Single sign-on**: + In **Microsoft Entra Id** / **Manage** / **Enterprise applications**, select **ODM Application**, and in **Manage / Single sign-on**: * Click on Edit of the "Attributes & Claims" section * Click **+ Add new claim** 
@@ -110,21 +110,28 @@ For additional information regarding the implement in Liberty, please refer to t 6. API Permissions. - In **Identity** / **Applications** / **App Registration**, select **ODM Application**, and then click **API Permissions**. + In **Microsoft Entra Id** / **Manage** / **App Registration**, select **ODM Application**, and then click **API Permissions**. * Click **Grant Admin Consent for ** 7. Manifest change. - In **Identity** / **Applications** / **App Registration**, select **ODM Application**, and then click **Manifest**. + In **Microsoft Entra Id** / **Manage** / **App Registration**, select **ODM Application**, and then click **Manifest**. - As explained in [accessTokenAcceptedVersion attribute explanation](https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest#accesstokenacceptedversion-attribute), change the value of **accessTokenAcceptedVersion** to `2`. + The Manifest feature (a JSON representation of an app registration) is currently in transition. + [**AAD Graph app manifest**](https://learn.microsoft.com/en-us/entra/identity-platform/azure-active-directory-graph-app-manifest-deprecation) will be deprecated soon and not editable anymore starting 12/2/2024. It will be replaced by the **Microsoft Graph App Manifest** + + As explained in [accessTokenAcceptedVersion attribute explanation](https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest#accesstokenacceptedversion-attribute), change the value to 2. ODM OpenID Liberty configuration needs version 2.0 for the issuerIdentifier. See the [openIdWebSecurity.xml](templates/openIdWebSecurity.xml) file. - It is also necessary to set **acceptMappedClaims** to `true` to manage claims. Without this setting, you get the exception `AADSTS50146: This application is required to be configured with an application-specific signing key. 
It is either not configured with one, or the key has expired or is not yet valid.` when requesting a token. + It is also necessary to set **acceptMappedClaims** to true to manage claims. Without this setting, you get the exception **AADSTS50146: This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid.** when requesting a token. + + With **Microsoft Graph App Manifest**: + * **acceptMappedClaims** is relocated as a property of the **api** attribute + * **accessTokenAcceptedVersion** is relocated as a property of the **api** attribute and renamed **requestedAccessTokenVersion** - Then, click Save. + Then, click Save. # Deploy ODM on a container configured with Microsoft Entra ID (Part 2) @@ -235,7 +242,7 @@ For additional information regarding the implement in Liberty, please refer to t ```shell helm search repo ibm-odm-prod NAME CHART VERSION APP VERSION DESCRIPTION - ibm-helm/ibm-odm-prod 24.0.0 9.0.0.0 IBM Operational Decision Manager + ibm-helm/ibm-odm-prod 24.1.0 9.0.0.1 IBM Operational Decision Manager ``` ### Run the `helm install` command @@ -334,7 +341,7 @@ You can now install the product. We will use the PostgreSQL internal database an - Decision Server Console redirect URI: `https:///res/openid/redirect/odm` - Decision Server Runtime redirect URI: `https:///DecisionService/openid/redirect/odm` - From the Azure console, in **Identity** / **Applications** / **App Registrations** / **ODM Application**: + From the Azure console, in **Microsoft Entra Id** / **Manage** / **App Registrations** / **ODM Application**: - Click`Add Redirect URIs link` - Click `Add Platform` 
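Review bot: hunk @@ -110 in README_WITH_PRIVATE_KEY_JWT.md replaces `change the value of **accessTokenAcceptedVersion** to `2`` with the vaguer `change the value to 2`, and turns the AADSTS50146 message from inline code into bold; both steps lose precision the old text had, so keep the attribute name and the code formatting. In the added deprecation sentence, `12/2/2024` is ambiguous between 2 December and 12 February; spell the month out. The `- Then, click Save.` / `+ Then, click Save.` pair differs only in whitespace and can be dropped from the change.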
@@ -352,7 +359,7 @@ You can now install the product. We will use the PostgreSQL internal database an The ODM Rule Designer will use the [PKCE authorization code flow](https://oauth.net/2/pkce/) to connect to Decision Center and Decision Server Console. - From the Azure console, in **Identity** / **Applications** / **App Registrations** / **ODM Application**: + From the Azure console, in **Microsoft Entra Id** / **Manage** / **App Registrations** / **ODM Application**: - Click`Add Redirect URIs link` - Click `Add Platform` @@ -406,11 +413,11 @@ To manage ODM runtime call on the next steps, we used the [Loan Validation Decis Import the **Loan Validation Service** in Decision Center connected using *myodmuser*@YOURDOMAIN created at step 2 -![Import project](../Keycloak/images/import_project.png) +![Import project](images/import_project.png) Deploy the **Loan Validation Service** production_deployment ruleapps using the **production deployment** deployment configuration in the Deployments>Configurations tab. -![Deploy project](../Keycloak/images/deploy_project.png) +![Deploy project](images/deploy_project.png) You can retrieve the payload.json from the ODM Decision Server Console or use [the provided payload](payload.json). @@ -419,7 +426,7 @@ As explained in the ODM on Certified Kubernetes documentation [Configuring user You can realize a basic authentication ODM runtime call the following way: ```shell -$ curl -H "Content-Type: application/json" -k --data @payload.json \ +curl -H "Content-Type: application/json" -k --data @payload.json \ -H "Authorization: Basic b2RtQWRtaW46b2RtQWRtaW4=" \ https:///DecisionService/rest/production_deployment/1.0/loan_validation_production/1.0 ``` 
@@ -431,20 +438,20 @@ But if you want to execute a bearer authentication ODM runtime call using the Cl Before to generate the client_assertion, you need a keystore.jks that will be build using the previously generated myodmcompany.key private key and myodmcompany.crt public key PEM files with the commands: ```shell -$ openssl pkcs12 -export -out myodmcompany.p12 -inkey myodmcompany.key -in myodmcompany.crt -passout pass:changeme +openssl pkcs12 -export -out myodmcompany.p12 -inkey myodmcompany.key -in myodmcompany.crt -passout pass:changeme keytool -importkeystore -srckeystore myodmcompany.p12 -srcstoretype pkcs12 -srcalias 1 -srcstorepass changeme -destkeystore myodmcompany.jks -deststoretype jks -deststorepass changeme -destalias myalias ``` Now you can generate the client_assertion following the [ODM documentation](https://www.ibm.com/docs/en/odm/9.0.0?topic=900-generating-json-web-token-client-assertion). ```shell -java -cp $DCLIB/jrules-teamserver.jar:$DCLIB/jose4j-0.9.3.jar:$DCLIB/slf4j-api-1.7.25.jar com.ibm.rules.oauth.ClientAssertionHelper -clientId -tokenEndpoint https://login.microsoftonline.com//oauth2/v2.0/token -keyAliasName myalias -keyStorePwd changeme -keyStoreLocation ./myodmcompany.jks +java -cp $DCLIB/jrules-teamserver.jar:$DCLIB/jose4j-0.9.5.jar:$DCLIB/slf4j-api-1.7.25.jar com.ibm.rules.oauth.ClientAssertionHelper -clientId -tokenEndpoint https://login.microsoftonline.com//oauth2/v2.0/token -keyAliasName myalias -keyStorePwd changeme -keyStoreLocation ./myodmcompany.jks ``` Now, generate the access token using the client_assertion: ```shell -$ curl -k -X POST -H "Content-Type: application/x-www-form-urlencoded" \ +curl -k -X POST -H "Content-Type: application/x-www-form-urlencoded" \ -d 'client_id=&scope=%2F.default&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=&grant_type=client_credentials' \ 'https://login.microsoftonline.com//oauth2/v2.0/token' ``` 
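Review bot: the token request in hunk @@ -431 still runs `curl -k` against `https://login.microsoftonline.com/.../oauth2/v2.0/token`, which disables certificate verification on the POST that carries the `client_assertion`; `-k` is only justified for the self-signed ODM endpoints, so remove it from the token call here and from the equivalent client-secret request at @@ -530 in README_WITH_CLIENT_SECRET.md. In the same hunk, `-passout pass:changeme`, `-srcstorepass changeme` / `-deststorepass changeme` and `-keyStorePwd changeme` all put the keystore password on the command line where shell history and `ps` expose it; say it is a placeholder and point to `-passout file:` or an interactive prompt. The jose4j bump from 0.9.3 to 0.9.5 should match the jar actually shipped in `$DCLIB` for the 9.0.0.1 release the helm table now references.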
@@ -452,7 +459,7 @@ $ curl -k -X POST -H "Content-Type: application/x-www-form-urlencoded" \ And use the retrieved access token in the following way: ```shell -$ curl -H "Content-Type: application/json" -k --data @payload.json \ +curl -H "Content-Type: application/json" -k --data @payload.json \ -H "Authorization: Bearer " \ https:///DecisionService/rest/production_deployment/1.0/loan_validation_production/1.0 ``` diff --git a/authentication/AzureAD/azuread-odm-script.zip b/authentication/AzureAD/azuread-odm-script.zip index bd8a47e4..6f5b6676 100644 Binary files a/authentication/AzureAD/azuread-odm-script.zip and b/authentication/AzureAD/azuread-odm-script.zip differ diff --git a/authentication/AzureAD/generateTemplate.sh b/authentication/AzureAD/generateTemplate.sh index c8f3d5e6..f7b38401 100755 --- a/authentication/AzureAD/generateTemplate.sh +++ b/authentication/AzureAD/generateTemplate.sh @@ -28,10 +28,10 @@ Options: -g : AZUREAD ODM Group ID -i : Client ID --n : AZUREAD domain (AZUREAD server name) +-n : Tenant ID -x : Cient Secret -a : Allow others domains (Optional) -Usage example: $0 -i AzureADClientId -x AzureADClientSecret -n -g [-a ]" +Usage example: $0 -i AzureADClientId -x AzureADClientSecret -n AzureADTenantId -g [-a ]" EOF } @@ -39,7 +39,7 @@ while getopts "x:i:n:s:g:ha:" option; do case "${option}" in g) AZUREAD_ODM_GROUP_ID=${OPTARG};; i) AZUREAD_CLIENT_ID=${OPTARG};; - n) AZUREAD_SERVER_NAME=${OPTARG};; + n) AZUREAD_TENANT_ID=${OPTARG};; x) AZUREAD_CLIENT_SECRET=${OPTARG};; a) ALLOW_DOMAIN=${OPTARG};; h) usage; exit 0;; 
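Review bot: the usage text in hunk @@ -28 of generateTemplate.sh now documents `-n` as `Tenant ID`, but the comparison in the following hunk still treats a value beginning with `https://` as a full authority URL for the same option; either document both accepted forms in the help text or drop the URL branch. The `-x : Cient Secret` context line next to it has a typo (`Client`) that could be fixed while this block is being edited.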
@@ -55,8 +55,8 @@ if [[ -z ${AZUREAD_CLIENT_ID} ]]; then echo "AZUREAD_CLIENT_ID has to be provided, either as in environment or with -i." exit 1 fi -if [[ -z ${AZUREAD_SERVER_NAME} ]]; then - echo "AZUREAD_SERVER_NAME has to be provided, either as in environment or with -n." +if [[ -z ${AZUREAD_TENANT_ID} ]]; then + echo "AZUREAD_TENANT_ID has to be provided, either as in environment or with -n." exit 1 fi if [[ -z ${AZUREAD_CLIENT_SECRET} ]]; then @@ -64,10 +64,10 @@ if [[ -z ${AZUREAD_CLIENT_SECRET} ]]; then exit 1 fi -if [[ ${AZUREAD_SERVER_NAME} != "https://.*" ]]; then - AZUREAD_SERVER_URL=https://login.microsoftonline.com/${AZUREAD_SERVER_NAME} +if [[ ${AZUREAD_TENANT_ID} != "https://.*" ]]; then + AZUREAD_SERVER_URL=https://login.microsoftonline.com/${AZUREAD_TENANT_ID} else - AZUREAD_SERVER_URL=${AZUREAD_SERVER_NAME} + AZUREAD_SERVER_URL=${AZUREAD_TENANT_ID} fi mkdir -p $OUTPUT_DIR && cp $TEMPLATE_DIR/* $OUTPUT_DIR @@ -76,6 +76,7 @@ sed -i.bak 's|AZUREAD_CLIENT_ID|'$AZUREAD_CLIENT_ID'|g' $OUTPUT_DIR/* sed -i.bak 's|AZUREAD_CLIENT_SECRET|'$AZUREAD_CLIENT_SECRET'|g' $OUTPUT_DIR/* sed -i.bak 's|AZUREAD_ODM_GROUP_ID|'$AZUREAD_ODM_GROUP_ID'|g' $OUTPUT_DIR/* sed -i.bak 's|AZUREAD_SERVER_URL|'$AZUREAD_SERVER_URL'|g' $OUTPUT_DIR/* +sed -i.bak 's|AZUREAD_TENANT_ID|'$AZUREAD_TENANT_ID'|g' $OUTPUT_DIR/* # Claim replacement sed -i.bak 's|AZUREAD_CLAIM_GROUPS|'$AZUREAD_CLAIM_GROUPS'|g' $OUTPUT_DIR/* sed -i.bak 's|AZUREAD_CLAIM_LOGIN|'$AZUREAD_CLAIM_LOGIN'|g' $OUTPUT_DIR/* diff --git a/authentication/AzureAD/generateTemplateForPrivateKeyJWT.sh b/authentication/AzureAD/generateTemplateForPrivateKeyJWT.sh index 4b71dd83..217fd74f 100755 --- a/authentication/AzureAD/generateTemplateForPrivateKeyJWT.sh +++ b/authentication/AzureAD/generateTemplateForPrivateKeyJWT.sh 
@@ -28,9 +28,9 @@ Options: -g : AZUREAD ODM Group ID -i : Client ID --n : AZUREAD domain (AZUREAD server name) +-n : Tenant ID -a : Allow others domains (Optional) -Usage example: $0 -i AzureADClientId -n -g [-a ]" +Usage example: $0 -i AzureADClientId -n TenantId -g [-a ]" EOF } @@ -38,7 +38,7 @@ while getopts "x:i:n:s:g:ha:" option; do case "${option}" in g) AZUREAD_ODM_GROUP_ID=${OPTARG};; i) AZUREAD_CLIENT_ID=${OPTARG};; - n) AZUREAD_SERVER_NAME=${OPTARG};; + n) AZUREAD_TENANT_ID=${OPTARG};; a) ALLOW_DOMAIN=${OPTARG};; h) usage; exit 0;; *) usage; exit 1;; @@ -53,15 +53,15 @@ if [[ -z ${AZUREAD_CLIENT_ID} ]]; then echo "AZUREAD_CLIENT_ID has to be provided, either as in environment or with -i." exit 1 fi -if [[ -z ${AZUREAD_SERVER_NAME} ]]; then - echo "AZUREAD_SERVER_NAME has to be provided, either as in environment or with -n." +if [[ -z ${AZUREAD_TENANT_ID} ]]; then + echo "AZUREAD_TENANT_ID has to be provided, either as in environment or with -n." exit 1 fi -if [[ ${AZUREAD_SERVER_NAME} != "https://.*" ]]; then - AZUREAD_SERVER_URL=https://login.microsoftonline.com/${AZUREAD_SERVER_NAME} +if [[ ${AZUREAD_TENANT_ID} != "https://.*" ]]; then + AZUREAD_SERVER_URL=https://login.microsoftonline.com/${AZUREAD_TENANT_ID} else - AZUREAD_SERVER_URL=${AZUREAD_SERVER_NAME} + AZUREAD_SERVER_URL=${AZUREAD_TENANT_ID} fi mkdir -p $OUTPUT_DIR && cp $TEMPLATE_DIR/* $OUTPUT_DIR @@ -69,6 +69,7 @@ echo "Generating files for AZUREAD" sed -i.bak 's|AZUREAD_CLIENT_ID|'$AZUREAD_CLIENT_ID'|g' $OUTPUT_DIR/* sed -i.bak 's|AZUREAD_ODM_GROUP_ID|'$AZUREAD_ODM_GROUP_ID'|g' $OUTPUT_DIR/* sed -i.bak 's|AZUREAD_SERVER_URL|'$AZUREAD_SERVER_URL'|g' $OUTPUT_DIR/* +sed -i.bak 's|AZUREAD_TENANT_ID|'$AZUREAD_TENANT_ID'|g' $OUTPUT_DIR/* # Claim replacement sed -i.bak 's|AZUREAD_CLAIM_GROUPS|'$AZUREAD_CLAIM_GROUPS'|g' $OUTPUT_DIR/* sed -i.bak 's|AZUREAD_CLAIM_LOGIN|'$AZUREAD_CLAIM_LOGIN'|g' $OUTPUT_DIR/* 
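Review bot: `if [[ ${AZUREAD_TENANT_ID} != "https://.*" ]]` in hunk @@ -53 (and the identical line at @@ -64 in generateTemplate.sh) is a literal string comparison, because a quoted right-hand side inside `[[ ]]` is not treated as a pattern; the test is true for every real tenant ID or URL, so the `else` branch is dead and a URL passed to `-n` gets `https://login.microsoftonline.com/` prepended. Use an unquoted glob, `[[ ${AZUREAD_TENANT_ID} != https://* ]]`, or `[[ ! ${AZUREAD_TENANT_ID} =~ ^https:// ]]`. In hunk @@ -69 the new `sed -i.bak 's|AZUREAD_TENANT_ID|'$AZUREAD_TENANT_ID'|g'` line leaves the variable unquoted, so a value containing spaces or glob characters is word-split before sed sees it; write `"$AZUREAD_TENANT_ID"` (the same applies to the `AZUREAD_CLIENT_SECRET` substitution in generateTemplate.sh, where a secret containing `|` or `&` also breaks the sed expression).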
diff --git a/authentication/AzureAD/images/deploy_project.png b/authentication/AzureAD/images/deploy_project.png new file mode 100644 index 00000000..686a2f46 Binary files /dev/null and b/authentication/AzureAD/images/deploy_project.png differ diff --git a/authentication/AzureAD/images/import_project.png b/authentication/AzureAD/images/import_project.png new file mode 100644 index 00000000..a2205ac3 Binary files /dev/null and b/authentication/AzureAD/images/import_project.png differ diff --git a/authentication/AzureAD/sidecar-start.sh b/authentication/AzureAD/sidecar-start.sh deleted file mode 100644 index 5bc0d048..00000000 --- a/authentication/AzureAD/sidecar-start.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash - -while true -do - echo "synchronize groups and users every minute" - /tmp/sidecarconf/generate-user-group-mgt.sh -i -x -t -v - sleep 60 -done diff --git a/authentication/AzureAD/templates/openIdWebSecurity.xml b/authentication/AzureAD/templates/openIdWebSecurity.xml index d7b92fba..0362a326 100644 --- a/authentication/AzureAD/templates/openIdWebSecurity.xml +++ b/authentication/AzureAD/templates/openIdWebSecurity.xml @@ -6,7 +6,7 @@ @@ -19,7 +19,7 @@ clientId="AZUREAD_CLIENT_ID" signatureAlgorithm="RS256" inboundPropagation="required" jwkEndpointUrl="${ServerHost}/discovery/v2.0/keys" - issuerIdentifier="${ServerHost}/v2.0" + issuerIdentifier="${ServerHost}/v2.0" tokenReuse="true" authorizationEndpointUrl="${ServerHost}/oauth2/v2.0/authorize" tokenEndpointUrl="${ServerHost}/oauth2/v2.0/token" userIdentifier="identity" groupIdentifier="groups" audiences="ALL_AUDIENCES"/>
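Review bot: in the openIdWebSecurity.xml hunk @@ -19 the removed and added `issuerIdentifier="${ServerHost}/v2.0"` lines are identical as rendered, so the intended change is not visible; if it is whitespace only, leave the line out of the diff. On the same element, `audiences="ALL_AUDIENCES"` switches off audience validation, so with `inboundPropagation="required"` ODM accepts any v2.0 access token from the tenant regardless of which application it was issued for; since both READMEs request tokens with the ODM application's `.default` scope, the audience is the ODM client ID and `audiences="AZUREAD_CLIENT_ID"` would pin it to this registration. `tokenReuse="true"` likewise permits the same token to be presented repeatedly; both settings deserve a sentence in the README explaining why they are set.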