Configuring Microsoft Authentication¶
This document explains how to configure Zuul in order to enable authentication with Microsoft Login.
The Zuul instance must be able to query Microsoft’s OAUTH API servers. This simply generally means that the Zuul instance must be able to send and receive HTTPS data to and from the Internet.
You must have an Active Directory instance in Azure and the ability to create an App Registration.
By convention, we will assume Zuul’s Web UI’s base URL is
Creating the App Registration¶
Navigate to the Active Directory instance in Azure and select App
New registration. This
will open a dialog to register an application.
Enter a name of your choosing (e.g.,
Zuul), and select which
account types should have access. Under
Redirect URI select
Single-page application(SPA) and enter
https://zuul.example.com/auth_callback as the redirect URI. Press
You should now be at the overview of the Zuul App registration. This
page displays several values which will be used later. Record the
Application (client) ID and
Directory (tenant) ID. When we need
to construct values including these later, we will refer to them with
all caps (e.g.,
Manage. You should see a
Single-page application section with the redirect URI previously
configured during registration; if not, correct that now.
Implicit grant and hybrid flows select both
ID tokens, then Save.
Back at the Zuul App Registration menu, select
Expose an API, then
Set and then press
Save to accept the default
Application ID URI (it should look like
Add a scope and enter
zuul as the scope name. Enter
Access zuul for both the
Admin consent display name and
Admin consent description. Leave
Who can consent set to
Admins only, then press
Optional: Include Groups Claim¶
In order to include group information in the token sent to Zuul,
Token configuration under
Manage and then
Setting up Zuul¶
/etc/zuul/zuul.conf to add the microsoft authenticator:
[auth microsoft] default=true driver=OpenIDConnect realm=zuul.example.com authority=https://login.microsoftonline.com/TENANT_ID/v2.0 issuer_id=https://sts.windows.net/TENANT_ID/ client_id=CLIENT_ID scope=openid profile api://CLIENT_ID/zuul audience=api://CLIENT_ID load_user_info=false
Restart Zuul services (scheduler, web).
Head to your tenant’s status page. If all went well, you should see a Sign in button in the upper right corner of the page. Congratulations!