update Readme for Azure Active Directory

Martin Loetzsch 2019-02-06 23:07:53 +01:00
parent 92c4424639
commit 2ca5de9d44


@ -96,11 +96,19 @@ Note: The user is checked against the group members list on initial authenticati
### Azure Auth Provider ### Azure Auth Provider
1. [Add an application](https://azure.microsoft.com/en-us/documentation/articles/active-directory-integrating-applications/) to your Azure Active Directory tenant. 1. Add an application: go to [https://portal.azure.com](https://portal.azure.com), choose "Azure Active Directory" in the left menu, select "App registrations" and then click on "New app registration".
2. On the App properties page provide the correct Sign-On URL ie `https://internal.yourcompany.com/oauth2/callback` 2. Pick a name and choose "Webapp / API" as application type. Use `https://internal.yourcompany.com` as Sign-on URL. Click "Create".
3. If applicable take note of your `TenantID` and provide it via the `--azure-tenant=<YOUR TENANT ID>` commandline option. Default the `common` tenant is used. 3. On the "Settings" / "Properties" page of the app, pick a logo and select "Multi-tenanted" if you want to allow users from multiple organizations to access your app. Note down the application ID. Click "Save".
4. On the "Settings" / "Required Permissions" page of the app, click on "Windows Azure Active Directory" and then on "Access the directory as the signed in user". Hit "Save" and then then on "Grant permissions" (you might need another admin to do this).
5. On the "Settings" / "Reply URLs" page of the app, add `https://internal.yourcompanycom/oauth2/callback` for each host that you want to protect by the oauth2 proxy. Click "Save".
6. On the "Settings" / "Keys" page of the app, add a new key and note down the value after hitting "Save".
7. Configure the proxy with
The Azure AD auth provider uses `openid` as it default scope. It uses `https://graph.windows.net` as a default protected resource. It call to `https://graph.windows.net/me` to get the email address of the user that logs in. ```
--provider=azure \
--client-id=<application ID from step 3> \
--client-secret=<value from step 6>
```
### Facebook Auth Provider ### Facebook Auth Provider
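Review bot: the reply URL in step 5, `https://internal.yourcompanycom/oauth2/callback`, is missing the dot before `com`; Azure AD matches the `redirect_uri` the proxy sends exactly against the registered reply URLs, so a reader who copies this line will get a redirect URI mismatch at sign-in. It should read `https://internal.yourcompany.com/oauth2/callback`, consistent with the `https://internal.yourcompany.com` sign-on URL in step 2. Step 4 also has a doubled "then" and no verb ("Hit "Save" and then then on "Grant permissions""); suggest "Hit "Save" and then click on "Grant permissions"". Two pieces of information the old text carried are lost in the rewrite: the `--azure-tenant=<YOUR TENANT ID>` option and the fact that the `common` tenant is the default are no longer mentioned anywhere, and step 3 only talks about "Multi-tenanted", so a reader with a single-tenant registration is never told how to point the proxy at their tenant. Keep a sentence after the config block in step 7 such as "If you did not select Multi-tenanted, also pass `--azure-tenant=<your tenant ID>`; by default the `common` tenant is used." Similarly, the removed paragraph about the default `openid` scope and the call to `https://graph.windows.net/me` for the user's email is what explains why step 4 needs the "Access the directory as the signed in user" permission; it is worth keeping rather than deleting. Finally, the example passes the key from step 6 as `--client-secret=...` on the command line, which leaves it in shell history and visible in process listings; a short note steering readers to a non-command-line way of supplying it, if the proxy offers a config file or environment variable, would be a useful addition here.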