Update OIDC integration documentation
Move existing examples into subdirectory
Create a new document for OIDC integration of
Microsoft.
strehle committed Nov 2, 2023
1 parent b3bafef commit 2a0945c
Showing 5 changed files with 118 additions and 30 deletions.
File renamed without changes.
44 changes: 44 additions & 0 deletions docs/OIDC-Provider-Examples/microsoft-oidc-provider.md
@@ -0,0 +1,44 @@
# Registering your Microsoft Entra (former Azure) as external OIDC provider in UAA

You can use your Microsoft account to be setup as an [OIDC provider](https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc) for
UAA login. In order to prevent storing a client secret in UAA configuration, either register the external OIDC provider with a public client or use
X509 [certificate credentials](https://learn.microsoft.com/en-us/entra/identity-platform/certificate-credentials).
Prerequisit is the setup OIDC version 2.0. You have to know your tenant ID. Then you know your issuer using
link https://login.microsoftonline.com/{tenant}/v2.0/. Your discovery URL is https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration.

1. Create a new aplication in your App registrations in your directory. After creation you see in Overview section the client_id, which is needed.
2. Configure in Authentication section and configured there a Web Redirect URI for your UAA setup. In addition it is recommended to add your
UAA/logout.do as Front-channel logout URL, so that you also get SLO for your browser flows.

Add following URI in redirect URL:

`http://{UAA_HOST}/login/callback/{origin}`. [Additional documentation for achieving this can be found here](https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/1ae324ee3b2d4a728650eb022d5fd910.html).

3. In section Certificates and serets it is reommended to store your X509. You can get it from your UAA/token_keys from property x5c.

4. Minimal OIDC configuration needs to be added in login.yml. Read configuration refer to '[https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration](https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc)' for discoveryUrl and issuer

login:
oauth:
providers:
microsoft:
type: oidc1.0
discoveryUrl: https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
issuer: https://login.microsoftonline.com/{tenant}/v2.0
scopes:
- openid
- email
- profile
attributeMappings:
user_name: email
linkText: Login with Microsoft
showLinkText: true
relyingPartyId: 3feb7ecb-d106-4432-b335-aca2689ad123
jwtclientAuthentication: true

5. Ensure that the scope `openid`, `email` and `profile` is included in the`scopes` property. Then UAA shadow user (if addShadowUserOnLogin=true) is
created with most important properties like first and last name and the email. The UAA user name can be defined with a
custom configuration as pointed out in the example. If the user_name mapping is not set, it will be an opaque id always.
If you want use another attribute from your directory, define the claim in token configuration and map it here.

6. Restart UAA. You will see `Login with Microsoft` link on your login page.
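Review bot: the redirect URI example in step 2, `http://{UAA_HOST}/login/callback/{origin}`, should be `https://`: the authorization code is delivered on that URL, and Entra only accepts a plain-http web redirect URI for localhost anyway. Step 4's link text shows the discovery URL while the href points at the Microsoft OIDC protocol page; put the discovery URL in a code span and link the docs page separately. The YAML after step 4 is not fenced, so the indentation under `login.oauth.providers` is lost in rendering; wrap it in a ```yaml block. Spelling to fix: "Prerequisit", "aplication", "serets", "reommended", and "Configure in Authentication section and configured there" in step 2.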
File renamed without changes.
File renamed without changes.
104 changes: 74 additions & 30 deletions scripts/cargo/uaa.yml
@@ -18,36 +18,63 @@ LOGIN_SECRET: loginsecret

jwt:
token:
signing-alg: RS256
signing-key: |
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
policy:
activeKeyId: key-1
keys:
key-1:
signingAlg: RS256
signingKey: |
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
signingCert:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
revocable: false
refresh:
format: opaque
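Review bot: `signingCert:` lacks the `|` literal block indicator that `signingKey: |` two lines above uses; a multi-line PEM certificate written as a plain YAML scalar is folded into one space-joined string, so the value only survives if it was flattened onto a single line. Use `signingCert: |` with the same indented layout as the key. Since the new doc tells users to take this certificate from `/token_keys` (x5c) and upload it under Certificates & secrets, it must be the certificate for the `key-1` private key, otherwise `jwtclientAuthentication` assertions will fail signature validation at Entra.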
@@ -93,6 +120,23 @@ login:
KdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3oePe84k8jm3A7EvH5wi5hvCkK
RpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=
-----END CERTIFICATE-----
oauth:
providers:
microsoft:
type: oidc1.0
discoveryUrl: https://login.microsoftonline.com/7f51701b-99a6-4152-a2aa-fbf92ff05d36/v2.0/.well-known/openid-configuration
issuer: https://login.microsoftonline.com/7f51701b-99a6-4152-a2aa-fbf92ff05d36/v2.0
scopes:
- openid
- email
- profile
attributeMappings:
user_name: email
email_verified: verified_primary_email
linkText: Login with Microsoft
showLinkText: true
relyingPartyId: 795097d6-6b10-4025-958f-9b59ad09c037
jwtclientAuthentication: true

ratelimit:
loggingOption: AllCalls
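Review bot: `email_verified: verified_primary_email` is not covered by the new microsoft-oidc-provider.md, which maps only `user_name: email`; `verified_primary_email` is an optional claim that must be enabled in the app registration's token configuration, so either document it in step 5 next to the sentence about defining claims in token configuration, or drop it here so the sample and the doc match. The tenant ID in `discoveryUrl`/`issuer` and the `relyingPartyId` are a concrete tenant and app registration checked into a shared script; consider `{tenant}` and a placeholder client ID, as the doc does, so the file is not tied to one developer's directory.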