Azure Active Directory Login (Microsoft Entra ID)

ORIGAM provides support for single sign-on (SSO) with Azure Active Directory (AAD). This article describes how to enable this sign-on in ORIGAM. Correct setup of AAD itself is out of scope for this article; the relevant information can be found here.

To enable SSO, appsettings.json has to be adjusted. The adjustment depends on whether the authentication runs in single-tenant mode or in multi-tenant mode. In both cases, once set up, the login screen should contain a button "Sign in with Azure AD".

Single-tenant Authentication

Single-tenant authentication authenticates against one, and only one, tenant in Azure Active Directory. This is useful if your application will only be used by a single AD organization against which you want to authenticate the users. To use this authentication type, add the following section to the IdentityServerConfig section:

"AzureAdLogin": {
    "ClientId": "client_id_guid",
    "TenantId": "tenant_id_guid",
    "ClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
}

Multi-tenant Authentication

Multi-tenant authentication can authenticate against multiple Azure Active Directory organizations. This is useful if your application will be used by users from different organizations. You will most probably need to implement your own user/organization assignment logic using the AuthenticationPostProcessor entry. To use this authentication type, add the following section to the IdentityServerConfig section:

"AzureAdLogin": {
    "ClientId": "client_id_guid",
    "TenantId": "common",
    "ClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
},
"AuthenticationPostProcessor": "namespace.AuthenticationPostProcessor,assembly"

ClaimType

Denotes the claim that contains the user name by which the user will be looked up in ORIGAM.

AuthenticationPostProcessor

AuthenticationPostProcessor is an optional parameter that specifies the authentication post processor. By default the internal AlwaysValidAuthenticationPostProcessor is used, which, as its name suggests, accepts every user that Azure AD has authenticated. In a multi-tenant environment a custom post processor should therefore validate that the user and tenant match the information held in ORIGAM. IAuthenticationPostProcessor is declared in the Origam.Service.Core 1.1.0+ NuGet package.
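As an added example of what such a post processor should check in multi-tenant mode (this is not ORIGAM's own code, and the IAuthenticationPostProcessor signature is not given on this page, so the class below holds only the validation logic to be wired into that interface): the Azure AD tenant claim of the signed-in principal is compared against an allow list of tenants known to this ORIGAM instance, and any other tenant is rejected. The tenant IDs, organization names and the sample sign-in are constructed values.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

// Added example, not ORIGAM's own code. The IAuthenticationPostProcessor
// interface from Origam.Service.Core is not shown on this page, so only the
// validation logic is given; wire it into that interface as declared in the
// package. Tenant IDs and the organization mapping are constructed values.
public sealed class TenantAllowListValidator
{
    // Raw JWT claim for the issuing Azure AD tenant, and the type the ASP.NET
    // Core OpenID Connect handler maps it to when claim mapping is enabled.
    private const string RawTenantClaim = "tid";
    private const string MappedTenantClaim = "http://schemas.microsoft.com/identity/claims/tenantid";
    // Same claim type as the page's ClaimType setting.
    private const string NameClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name";
    // tenant GUID -> ORIGAM organization (constructed)
    private readonly IReadOnlyDictionary<string, string> allowedTenants;
    public TenantAllowListValidator(IReadOnlyDictionary<string, string> allowedTenants)
    {
        this.allowedTenants = allowedTenants;
    }

    // Returns the ORIGAM organization for this sign-in, or null to reject it.
    // Fails closed: a missing tenant or name claim is a rejection, not a pass.
    public string Validate(ClaimsPrincipal principal)
    {
        string tenantId = principal.FindFirst(MappedTenantClaim)?.Value
                          ?? principal.FindFirst(RawTenantClaim)?.Value;
        string userName = principal.FindFirst(NameClaim)?.Value;
        if (string.IsNullOrWhiteSpace(tenantId) || string.IsNullOrWhiteSpace(userName))
            return null;
        // With "TenantId": "common", Azure AD signs in users from any tenant, so the
        // token's tenant must be matched against this instance's own allow list.
        foreach (var entry in allowedTenants)
            if (string.Equals(entry.Key, tenantId, StringComparison.OrdinalIgnoreCase))
                return entry.Value;
        return null;
    }

    public static void Main()
    {
        var validator = new TenantAllowListValidator(new Dictionary<string, string>
            { ["11111111-1111-1111-1111-111111111111"] = "Contoso" });
        var identity = new ClaimsIdentity("AzureAD");  // constructed sign-in from another tenant
        identity.AddClaim(new Claim(RawTenantClaim, "22222222-2222-2222-2222-222222222222"));
        identity.AddClaim(new Claim(NameClaim, "user@other-tenant.example"));
        Console.WriteLine(validator.Validate(new ClaimsPrincipal(identity)) ?? "rejected");
    }
}
```

The organization returned for an accepted tenant is what the user/organization assignment logic mentioned above would then use; whether the tenant claim arrives as "tid" or as the mapped type depends on the claim mapping settings of the OpenID Connect handler.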

Debugging Possibilities

In case there are problems with Azure AD authentication, it is possible to enable logging to check the claims provided by AD. Two steps are necessary.

1. Enable logging in appsettings.json

Add the following section to appsettings.json:

"Logging": {
    "LogLevel": {
        "Origam.*": "Debug"
    }
}

This enables logging in the Microsoft logging ecosystem, of which the AD authentication handler is a part.

2. Add logger to log4net.config

Add the following logger to log4net.config:

<logger name="Origam.Server.IdentityServerGui.Account.ExternalController" additivity="false">
    <level value="DEBUG"/>
    <appender-ref ref="FileAppender"/>
</logger>

Well, in ORIGAM version 2023.1.0.3053 this worked:

"AzureAdLogin": {
    "ClientId": "client_id_guid",
    "TenantId": "tenant_id_guid",
    "ClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
}

After updating to ORIGAM 2024.1.1.3259 this configuration is necessary:

"AzureAdLogin": {
    "ClientId": "client_id_guid",
    "TenantId": "tenant_id_guid"
}