From 2ca5de9d448c165d4a37bdb22024ac305b6109db Mon Sep 17 00:00:00 2001 From: Martin Loetzsch Date: Wed, 6 Feb 2019 23:07:53 +0100 Subject: [PATCH] update Readme for Azure Active Directory --- README.md | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 7c93bbc..e80cc7e 100644 --- a/README.md +++ b/README.md 
@@ -96,11 +96,19 @@ Note: The user is checked against the group members list on initial authenticati ### Azure Auth Provider -1. [Add an application](https://azure.microsoft.com/en-us/documentation/articles/active-directory-integrating-applications/) to your Azure Active Directory tenant. -2. On the App properties page provide the correct Sign-On URL ie `https://internal.yourcompany.com/oauth2/callback` -3. If applicable take note of your `TenantID` and provide it via the `--azure-tenant=` commandline option. Default the `common` tenant is used. +1. Add an application: go to [https://portal.azure.com](https://portal.azure.com), choose "Azure Active Directory" in the left menu, select "App registrations" and then click on "New app registration". +2. Pick a name and choose "Webapp / API" as application type. Use `https://internal.yourcompany.com` as Sign-on URL. Click "Create". +3. On the "Settings" / "Properties" page of the app, pick a logo and select "Multi-tenanted" if you want to allow users from multiple organizations to access your app. Note down the application ID. Click "Save". +4. On the "Settings" / "Required Permissions" page of the app, click on "Windows Azure Active Directory" and then on "Access the directory as the signed in user". Hit "Save" and then then on "Grant permissions" (you might need another admin to do this). +5. On the "Settings" / "Reply URLs" page of the app, add `https://internal.yourcompanycom/oauth2/callback` for each host that you want to protect by the oauth2 proxy. Click "Save". +6. On the "Settings" / "Keys" page of the app, add a new key and note down the value after hitting "Save". +7. Configure the proxy with -The Azure AD auth provider uses `openid` as it default scope. It uses `https://graph.windows.net` as a default protected resource. It call to `https://graph.windows.net/me` to get the email address of the user that logs in. +``` + --provider=azure \ + --client-id= \ + --client-secret= +``` ### Facebook Auth Provider
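Review bot: the reply URL in step 5, `https://internal.yourcompanycom/oauth2/callback`, is missing the dot before `com` and should read `https://internal.yourcompany.com/oauth2/callback`, matching the host used for the Sign-on URL in step 2; a reader who copies the line as written registers a reply URL that does not match the `/oauth2/callback` endpoint the proxy actually redirects to. The same hunk also removes the only documentation of the `--azure-tenant=` option (and the note that `common` is the default tenant, that the provider uses `openid` as its default scope and that it calls `https://graph.windows.net/me` for the user's email) without replacing it: step 3 now explains the "Multi-tenanted" switch, but a single-tenant deployment is left with no pointer to `--azure-tenant=`, so keep that sentence or fold the flag into the step 7 example, e.g. `--azure-tenant=<your tenant ID>`. Minor: step 4 has a doubled word in `Hit "Save" and then then on "Grant permissions"`, and the bare `--client-id=` / `--client-secret=` in step 7 would be clearer as `--client-id=<application ID>` and `--client-secret=<key value>` so they tie back to the values noted in steps 3 and 6.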