diff --git a/README.md b/README.md index 55f7c34..43c8a93 100644 --- a/README.md +++ b/README.md @@ -97,11 +97,19 @@ Note: The user is checked against the group members list on initial authenticati ### Azure Auth Provider -1. [Add an application](https://azure.microsoft.com/en-us/documentation/articles/active-directory-integrating-applications/) to your Azure Active Directory tenant. -2. On the App properties page provide the correct Sign-On URL ie `https://internal.yourcompany.com/oauth2/callback` -3. If applicable take note of your `TenantID` and provide it via the `--azure-tenant=` commandline option. Default the `common` tenant is used. +1. Add an application: go to [https://portal.azure.com](https://portal.azure.com), choose **"Azure Active Directory"** in the left menu, select **"App registrations"** and then click on **"New app registration"**. +2. Pick a name and choose **"Webapp / API"** as application type. Use `https://internal.yourcompany.com` as Sign-on URL. Click **"Create"**. +3. On the **"Settings"** / **"Properties"** page of the app, pick a logo and select **"Multi-tenanted"** if you want to allow users from multiple organizations to access your app. Note down the application ID. Click **"Save"**. +4. On the **"Settings"** / **"Required Permissions"** page of the app, click on **"Windows Azure Active Directory"** and then on **"Access the directory as the signed in user"**. Hit **"Save"** and then then on **"Grant permissions"** (you might need another admin to do this). +5. On the **"Settings"** / **"Reply URLs"** page of the app, add `https://internal.yourcompanycom/oauth2/callback` for each host that you want to protect by the oauth2 proxy. Click **"Save"**. +6. On the **"Settings"** / **"Keys"** page of the app, add a new key and note down the value after hitting **"Save"**. +7. Configure the proxy with -The Azure AD auth provider uses `openid` as it default scope. It uses `https://graph.windows.net` as a default protected resource. It call to `https://graph.windows.net/me` to get the email address of the user that logs in. +``` + --provider=azure + --client-id= + --client-secret= +``` ### Facebook Auth Provider