Configuring Microsoft Authentication¶
This document explains how to configure Zuul in order to enable authentication with Microsoft Login.
Prerequisites¶
The Zuul instance must be able to query Microsoft’s OAUTH API servers. This simply generally means that the Zuul instance must be able to send and receive HTTPS data to and from the Internet.
You must have an Active Directory instance in Azure and the ability to create an App Registration.
By convention, we will assume Zuul’s Web UI’s base URL is
https://zuul.example.com/
.
Creating the App Registration¶
Navigate to the Active Directory instance in Azure and select App
registrations under Manage
. Select New registration
. This
will open a dialog to register an application.
Enter a name of your choosing (e.g., Zuul
), and select which
account types should have access. Under Redirect URI
select
Single-page application(SPA)
and enter
https://zuul.example.com/auth_callback
as the redirect URI. Press
the Register
button.
You should now be at the overview of the Zuul App registration. This
page displays several values which will be used later. Record the
Application (client) ID
and Directory (tenant) ID
. When we need
to construct values including these later, we will refer to them with
all caps (e.g., CLIENT_ID
and TENANT_ID
respectively).
Select Authentication
under Manage
. You should see a
Single-page application
section with the redirect URI previously
configured during registration; if not, correct that now.
Under Implicit grant and hybrid flows
select both Access
tokens
and ID tokens
, then Save.
Back at the Zuul App Registration menu, select Expose an API
, then
press Set
and then press Save
to accept the default
Application ID URI (it should look like api://CLIENT_ID
).
Press Add a scope
and enter zuul
as the scope name. Enter
Access zuul
for both the Admin consent display name
and
Admin consent description
. Leave Who can consent
set to
Admins only
, then press Add scope
.
Optional: Include Groups Claim¶
In order to include group information in the token sent to Zuul,
select Token configuration
under Manage
and then Add groups
claim
.
Setting up Zuul¶
Edit the /etc/zuul/zuul.conf
to add the microsoft authenticator:
[auth microsoft]
default=true
driver=OpenIDConnect
realm=zuul.example.com
authority=https://login.microsoftonline.com/TENANT_ID/v2.0
issuer_id=https://sts.windows.net/TENANT_ID/
client_id=CLIENT_ID
scope=openid profile api://CLIENT_ID/zuul
audience=api://CLIENT_ID
load_user_info=false
Restart Zuul services (scheduler, web).
Head to your tenant’s status page. If all went well, you should see a Sign in button in the upper right corner of the page. Congratulations!