
Sample OpenID Connect (OIDC) JSON script to enable SSO via Azure AD

By Bhaskar Chawda @bchawd1
    2020-11-24 17:14:32.165Z

    Hi,

    I was trying to enable SSO using an option 'Custom OIDC or OAuth2'. It requires us to write a JSON config script to enable SSO via Azure AD.
    Can someone please share a sample script we can use to enable SSO via Azure AD?

    I am trying a JSON script as shown below, but it is giving an error:

    [{
      "ssoId": "378df718-7898-436b-be67-c2b216ee8f22",
      "protocol": "oidc",
      "alias": "odic_alias_site_1",
      "enabled": true,
      "displayName": "OIDC Displ Name",
      "description": "description_c",
      "adminComments": "None",
      "trustVerifiedEmail": true,
      "linkAccountNoLogin": false,
      "guiOrder": 12,
      "syncMode": 1,
      "oauAuthorizationUrl": "op_authorization_url_c",
      "oauAuthReqScope": "openid oau_auth_req_scope_c",
      "oauAuthReqHostedDomain": "oau_auth_req_hosted_domain_c",
      "oauAccessTokenUrl": "op_access_token_url_c",
      "oauClientId": "op_client_id_c",
      "oauClientSecret": "op_client_secret_c",
      "oauIssuer": "op_issuer_c",
      "oidcUserInfoUrl": "op_user_info_url_c",
      "oidcUserinfoReqSendUserIp": false,
      "oidcLogoutUrl": "None"
    }]

    Thanks and Regards,
    Bhaskar

    1. KajMagnus @KajMagnus 2020-11-25 09:52:02.343Z (edited 2020-12-15 16:21:13.686Z)

      Here's what I use for testing OIDC with Keycloak — and you'll need to change most fields, to match the URLs over at Azure AD.

      Edit 2020-12-15: Added the emailVerifiedDomains field — Azure AD is a bit special; it doesn't send the email_verified OIDC standard claim.

      This: "emailVerifiedDomains": "your.company.com" makes Talkyard assume emails like someone@your.company.com have been verified somehow — for example, the company hands out company email addresses only to its employees.

        {
          "id": 1,
          "protocol": "oidc",
          "alias": "keycloak_test_alias",
          "displayName": "Keycloak Test",
          "description": "OpenID Connect login test at keycloak.localhost:8113",
          "enabled": true,
          "trustVerifiedEmail": true,
          "emailVerifiedDomains": "your.company.com",
          "syncMode": 1,
          "oauAuthorizationUrl": "http://keycloak.localhost:8113/auth/realms/ty_test_realm/protocol/openid-connect/auth",
          "oauAuthReqScope": "openid",
          "oauAccessTokenUrl": "http://keycloak.localhost:8113/auth/realms/ty_test_realm/protocol/openid-connect/token",
          "oauClientId": "ty_test_client",
          "oauClientSecret": "THE_SECRET_YOU_COPIED",
          "oauIssuer": "http://keycloak.localhost:8113/auth/realms/ty_test_realm",
          "oidcUserInfoUrl": "http://keycloak.localhost:8113/auth/realms/ty_test_realm/protocol/openid-connect/userinfo"
        }

      I didn't write auto tests for verifying that OIDC + Talkyard continues working properly, and I'm thinking maybe I should do that, before posting more officially here about OIDC. But anyway feel free to try it out :- ) and it'd be interesting to hear about any problems you run into. I'll link to this from the chat too.

      B.t.w. here are step by step instructions for creating a Keycloak realm (should be corresponding steps in Azure AD I'd think) and connecting with Talkyard via OIDC:

      https://github.com/debiki/talkyard/blob/master/images/keycloak/docker-compose-keycloak.yml
      1. Bhaskar Chawda @bchawd1
          2020-11-27 14:46:28.866Z

          Hi,

          Thanks for providing Keycloak params. It provided a good reference for doing similar settings for Azure AD.

          Regards,
          Bhaskar

        • In reply to bchawd1:
          Bhaskar Chawda @bchawd1
            2020-11-30 11:28:39.626Z

            Hi,

            Thanks for quick response on all the queries.
            I have another question related to SSO authentication. We have setup SSO authentication successfully.
            When a user tries to login via SSO to talkyard for the first time talkyard sends a verification mail to users asking them to authenticate.
            Can we disable this feature to ensure that no authentication mail is being sent when a user logs in via SSO authentication for the first time?

            1. Hi Bhaskar, I replied in this topic: https://www.talkyard.io/-467/ssoazuread-require-verified-email#post-1 (seems to be the same question).

              I think I'll need to try this out with Azure AD (or Keycloak) to see what's happening

              1. @bchawd1 Now there's a new field emailVerifiedDomains that you can configure like so: "emailVerifiedDomains": "your.company.com" and it'll make Talkyard know that [your company's email addresses that Talkyard gets from Azure AD] have been verified already somehow.

                The problem was that Azure AD doesn't send any email_verified claim — instead they have their own verified_primary_email claim, but when reading the documentation it's not clear to me if such an email is guaranteed to have been verified or not.

                Sourced from the user's PrimaryAuthoritativeEmail

                the docs say, but what does that mean? https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims
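The two decisions this thread circles around are (a) whether a custom OIDC config is sane before it is pasted into the admin UI, and (b) when a relying party may skip its own verification mail because the identity provider vouches for the address, either through the standard email_verified claim or, as KajMagnus's emailVerifiedDomains field does for Azure AD, through a domain allow-list. The Python below is an added illustration written for this page; it is not Talkyard's code and does not call Talkyard's API. The config shape mirrors the field names shown above, the URLs, client id and secret are constructed placeholders, and the function names and the exact-domain-match rule are this example's own assumptions.

```python
from __future__ import annotations

import json

# Constructed sample config (not a real deployment). Field names follow the
# ones posted in this thread; URLs, client id and secret are placeholders.
SAMPLE_CONFIG_JSON = """
{
  "protocol": "oidc",
  "alias": "azure_ad_example",
  "enabled": true,
  "trustVerifiedEmail": true,
  "emailVerifiedDomains": "your.company.com, partner.example",
  "oauAuthorizationUrl": "https://idp.example.invalid/oauth2/v2.0/authorize",
  "oauAccessTokenUrl": "https://idp.example.invalid/oauth2/v2.0/token",
  "oauIssuer": "https://idp.example.invalid/v2.0",
  "oidcUserInfoUrl": "https://idp.example.invalid/oidc/userinfo",
  "oauClientId": "CLIENT_ID_PLACEHOLDER",
  "oauClientSecret": "CLIENT_SECRET_PLACEHOLDER"
}
"""

REQUIRED_FIELDS = (
    "protocol", "alias", "oauAuthorizationUrl", "oauAccessTokenUrl",
    "oauIssuer", "oidcUserInfoUrl", "oauClientId", "oauClientSecret",
)
URL_FIELDS = ("oauAuthorizationUrl", "oauAccessTokenUrl", "oauIssuer", "oidcUserInfoUrl")


def validate_config(cfg: dict) -> list:
    """Return a list of problems found in an OIDC config dict (empty = OK).

    These are this example's own sanity checks, not Talkyard's validation.
    """
    problems = []
    for field in REQUIRED_FIELDS:
        if not cfg.get(field):
            problems.append(f"missing or empty field: {field}")
    for field in URL_FIELDS:
        url = cfg.get(field, "")
        # Authorization codes, tokens and the client secret travel over these
        # endpoints, so plain http is a misconfiguration outside a local test.
        if url and not url.startswith("https://"):
            problems.append(f"{field} should use https, got: {url}")
    if cfg.get("protocol") != "oidc":
        problems.append("protocol must be 'oidc' for this example")
    return problems


def parse_verified_domains(value) -> set:
    """Split a comma- or whitespace-separated domain list into a lowercase set."""
    if not value:
        return set()
    return {d.strip().lower() for d in value.replace(",", " ").split() if d.strip()}


def email_is_trusted(cfg: dict, claims: dict) -> bool:
    """Decide whether the email in the IdP's claims may be used without a
    verification mail.

    Order of trust (this example's policy, labelled as an assumption):
      1. trustVerifiedEmail must be enabled at all.
      2. A boolean email_verified == true claim from the IdP is accepted.
      3. Otherwise the email's domain must be listed in emailVerifiedDomains,
         matched exactly: a subdomain is not implicitly trusted.
    """
    if cfg.get("trustVerifiedEmail") is not True:
        return False
    email = claims.get("email")
    if not isinstance(email, str) or email.count("@") != 1:
        return False
    # Only a real boolean counts; the string "true" or a missing claim does not.
    if claims.get("email_verified") is True:
        return True
    domain = email.rsplit("@", 1)[1].strip().lower()
    return domain in parse_verified_domains(cfg.get("emailVerifiedDomains"))


if __name__ == "__main__":
    config = json.loads(SAMPLE_CONFIG_JSON)
    print("config problems:", validate_config(config))
    for sample in (
        {"email": "alice@your.company.com"},                     # listed domain
        {"email": "bob@other.example", "email_verified": True},  # standard claim
        {"email": "carol@sub.your.company.com"},                 # subdomain only
        {"email": "dave@other.example"},                         # nothing vouches
    ):
        print(sample, "->", email_is_trusted(config, sample))
```

The exact-match rule is deliberate: listing your.company.com should not silently trust every subdomain an attacker might be able to register mail for, and the string "true" is rejected because only a JSON boolean carries the standard claim's meaning. If an IdP sends a vendor-specific claim such as the verified_primary_email mentioned above, map it onto email_verified only once its semantics are confirmed in the provider's documentation.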