Office 365 Federated Authentication with WSO2 Identity Server using OpenID Connect
In this scenario, we are going to log in to a third-party application using Office 365. Here WSO2 Identity Server is going to be our Identity Provider.
A big thank you goes to Dinali Rosemin Dabarera for the help and patience while this article was being written.
Use case
We need to secure a web application and provide single sign-on while the users are stored in a federated user store, in our case Azure Active Directory.
The idea is to use an authentication hub that provides federated authentication, like WSO2 Identity Access Manager (IAM).
For Office 365 federated authentication we need an Office 365 application. Follow the steps below to create one.
Azure Setup
Go to the Azure portal and click on Azure Active Directory in the left menu.
This brings up the Default Directory Overview section, where you can register a new application by clicking on New registration.
New registration setup
In the Register an application form fill in the following:
- Name: newApp
- Select Supported account types (the third option will give you the option to cover all organization directory and any personal Microsoft accounts)
- Redirect URI: https://localhost:9443/commonauth
Finally, click on Register
Once registered, you are redirected to the Overview of the created application, where you can find the client_id needed to create Office 365 as the IdP in WSO2 Identity Server.
To get the secret, select Certificates & secrets and click on New client secret.
In the Add a client secret pop-up select the preferred duration and click Add.
NOTE: In the Client secrets section you will see the newly created secret with the description you provided.
NOTE: Once you leave this section the secret value is hidden and cannot be retrieved again, so be sure to save it immediately.
API permission
By default Microsoft Graph's User.Read permission is selected. Other permissions can be added by clicking on Add a permission, which brings up a section to choose a specific API.
Once you select an API you can choose Delegated permissions or Application permissions, each of which offers a different set of permissions.
We can leave the defaults for the purpose of federated authentication.
Grant consent
In Grant consent click on Granting admin consent to grant all the permissions.
Configure Manifest setup of the Application
In the manifest edit groupMembershipClaims, whose possible values are All, SecurityGroup or None. To receive group information in the claims you need to choose All (to receive all groups) or SecurityGroup (to receive only security groups).
NOTE: if you leave the default value for groupMembershipClaims (which is "", an empty string), no group information will be propagated in a claim!
With all these configurations we are done with the Office 365 side. Now we move to the WSO2 Identity Server side configuration.
WSO2 setup
Configure Office365 as an Identity Provider
In the WSO2 Identity Server management console, in the left-side menu choose Identity Providers → Add to bring up the Add New Identity Provider section.
- Basic Information section
In the Basic Information section only the name is mandatory, so give it a unique name:
Identity Provider Name: office365OpenID
- Federated Authenticators section
In the Federated Authenticators section choose OAuth2/OpenID Connect Configuration.
Populate it with the following:
- Enable OAuth2/OpenIDConnect Authenticator by ticking the box.
- Client Id: d424e6d7-a43e-430b-b3b6-123d9a****** (value copied from the Azure application's Overview page)
- Client Secret: 5v6NC?.Dq=Nz=4lKZduZ3blY4uf***** (value copied from the Azure application, see New client secret setup)
- Authorization Endpoint URL: https://login.microsoftonline.com/common/oauth2/authorize
- Token Endpoint URL: https://login.microsoftonline.com/common/oauth2/token
- Callback Url: https://localhost:9443/commonauth
- Additional Query Parameters: scope=openid
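As an added illustration (not code from this post or from WSO2), this Python snippet shows what the authenticator configured above does with those values: it builds the redirect to the Azure authorization endpoint with scope=openid and a per-session state, and checks the redirect that comes back to the /commonauth callback before any code is exchanged. The client id is a placeholder for the value from the Azure Overview page.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Values from the Federated Authenticators section above. The client id is a
# placeholder for the Application (client) ID shown on the Azure Overview page.
AUTHORIZE_URL = "https://login.microsoftonline.com/common/oauth2/authorize"
CLIENT_ID = "<your-azure-client-id>"
CALLBACK_URL = "https://localhost:9443/commonauth"
EXTRA_QUERY = "scope=openid"  # the Additional Query Parameters field

def build_authorization_request(session: dict) -> str:
    """Return the URL the browser is redirected to; state/nonce go in session."""
    session["state"] = secrets.token_urlsafe(32)
    session["nonce"] = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": CALLBACK_URL,
        "state": session["state"],  # binds the callback to this browser session
        "nonce": session["nonce"],  # must come back inside the id_token
    }
    # Additional Query Parameters are appended as given ("scope=openid" here).
    params.update(dict(p.split("=", 1) for p in EXTRA_QUERY.split("&")))
    return f"{AUTHORIZE_URL}?{urlencode(params)}"

def validate_callback(callback_url: str, session: dict) -> str:
    """Check the redirect that lands on /commonauth and return the code."""
    parsed = urlparse(callback_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != CALLBACK_URL:
        raise ValueError("callback arrived at an unexpected URL")
    query = parse_qs(parsed.query)
    if "error" in query:
        raise ValueError(f"provider returned error: {query['error'][0]}")
    # state is single-use: pop it so a replayed callback fails the comparison.
    expected = session.pop("state", None)
    if not expected or query.get("state", [None])[0] != expected:
        raise ValueError("state mismatch: callback not bound to this session")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code
```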
Claim mapping
In the Claim Configuration section set userprincipal as the User ID Claim URI.
Role mapping
In the Role Configuration section set up the role mapping that you want assigned to the federated user during provisioning in the user store.
User groups coming from AD don't have names in the claims, only GUIDs. That is all you have to do to create Office 365 as an IdP.
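To show what the claim mapping and role mapping above operate on, here is an added Python example (not code from this post or from WSO2 IS): it verifies a constructed id_token, takes upn as the user id claim and maps the GUIDs in the groups claim to local roles; when groupMembershipClaims was left at its default in the manifest the groups claim is absent and the user ends up with no mapped role. The HS256 key, GUIDs and client id are constructed placeholders; a real Azure token is RS256-signed and verified by WSO2 IS against the tenant's keys.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key: a real Azure AD id_token is RS256-signed with keys that
# WSO2 IS fetches from the tenant; HS256 is used only so the example runs offline.
DEMO_KEY = b"constructed-demo-key"
CLIENT_ID = "<your-azure-client-id>"  # placeholder for the Azure application id

# Role Configuration as described above: AD group object ids (the groups claim
# carries GUIDs only, no names) mapped to local WSO2 role names. Constructed.
ROLE_MAP = {"11111111-2222-3333-4444-555555555555": "pickup_manager"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_id_token(claims: dict) -> str:
    """Build a constructed HS256 id_token carrying Azure-style claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def federated_user(id_token: str) -> dict:
    """Verify the token, then apply the claim mapping and the role mapping."""
    header, body, sig = id_token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected signing algorithm")
    expected = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("id_token signature does not verify")
    claims = json.loads(b64url_decode(body))
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("id_token was not issued for this client id")
    if claims.get("exp", 0) < time.time():
        raise ValueError("id_token has expired")
    groups = claims.get("groups")
    if groups is None:
        # groupMembershipClaims left at its default in the manifest: Azure sends
        # no groups claim at all, so the user logs in but gets no mapped role.
        groups = []
    roles = sorted({ROLE_MAP[g] for g in groups if g in ROLE_MAP})
    # Claim Configuration: the user principal name (upn) is the User ID Claim URI.
    return {"user_id": claims["upn"], "groups": groups, "roles": roles}
```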
Configure your Third-party application as a Service Provider and link Office365 as the Federated IDP
To set up this section you will need the application to be deployed and reachable.
You can follow the Quick Start Guide to set up the sample application (https://docs.wso2.com/display/IS570/Quick+Start+Guide); choose Scenario 2.
In the WSO2 Identity Server management console, in the left-side menu choose Service Providers → Add to bring up the Add New Service Provider section.
1. Basic Information: provide a unique name and click on Register.
2. Inbound Authentication Configuration Section
Choose OAuth/OpenID Connect Configuration and click on Configure.
Populate the callback URL and choose JWT as the token issuer; leave the rest at the default values.
Callback Url: http://localhost.com:8080/pickup-manager/oauth2client
And for token Issuer choose: JWT
Click on Update
3. Claim configuration: to get user details into the third-party application you need to configure all the claims as requested claims. If any of them are mandatory you can tick Mandatory as well, but make sure that they are actually coming from the Office 365 side.
4. Local & Outbound Authentication Configuration
In the case of the simple federated option, choose Federated Authentication and select office365OpenID.
Now we are done with the setup configurations. We are now good to test the flow.
Test workflow
Here I chose a third-party app called pickup-manager from the WSO2 Identity Server samples. You can follow this blog to set up such a sample.
In the browser, open the location of the deployed sample application secured by IS (in our case it is the openID manager application) [PickUp Manager Login].
When you click on LOGIN, the application redirects you to enter your Office 365 credentials.
Once you have successfully logged in, you are redirected back to the application.
Multi-step authentication, if needed
In the case of multi-step authentication, you can edit the Local & Outbound Authentication Configuration section in the service provider setup and choose Advanced configuration, where you can define the different steps as shown in the picture.
After configuring this, try the same flow: you should see the Identity Server login page first, and once you successfully log in there you are redirected to Office 365 to log in again with your Office 365 credentials.
Hope you enjoy my first blog!