PWM + OAuth options ADFS or Azure AD


Aaron Bliss

Apr 17, 2023, 6:01:16 PM4/17/23
to pwm-general
Good afternoon everyone,
I just wanted to check and see if anyone has been successful with getting PWM to work with either of ADFS or Azure AD from an OAuth perspective?  

I'm pretty sure PWM won't be able to use the ADFS implementation of OAuth as ADFS only returns subject (sub) via the userinfo endpoint.  Note that additional user attributes can be added to id tokens but again it seems that PWM is expecting that information to be available via userinfo endpoint.

I've got a setup between PWM and ADFS mostly working, which is to say the initial login works (PWM logs a "has authenticated" message) after ADFS redirects back to the service provider (PWM); however, subsequent to the successful login message the following error is logged and the user experiences a blank (white) page:

2023-04-17T17:53:01Z, ERROR, oauth.OAuthConsumerServlet, {DAmSR} unexpected error communicating with oauth server: 5071 ERROR_OAUTH_ERROR (unexpected HTTP status code (400) during oauth code resolver request to https://adfs.{{redacted}}.com/adfs/oauth2/token) [{{redacted}}]

Azure AD's OIDC implementation does have a more useful userinfo endpoint however there are other challenges associated with Azure AD, specifically in the realm of customizing a token such that a non-fully qualified claim value is returned within a token that PWM can make use of.

And so again I just wanted to reach out to the community in order to see if anyone has been successful with using either of ADFS or Azure AD from an OAuth perspective with PWM.

Best,
Aaron

Paul Hodgdon

Apr 17, 2023, 7:19:30 PM4/17/23
to pwm-g...@googlegroups.com
I have set it up with Azure SSO using OAuth (OpenID).  You will likely need to import the graph certificate by editing the config directly.  Note that the graph API doesn't give you much by way of a unique identifier to map to, only the mail attribute was something I found that is potentially useful.

Paul Hodgdon
Principal Consultant | Identity Works LLC
Epping | New Hampshire 03042 | USA
+1 603 661 1508 (mobile) | +1 603 734 2681 (office)
www.identityworksllc.com

--
You received this message because you are subscribed to the Google Groups "pwm-general" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pwm-general...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/pwm-general/2f838d79-0b57-4993-9b7a-d66662e4a020n%40googlegroups.com.

Aaron Bliss

Apr 17, 2023, 9:13:10 PM4/17/23
to pwm-general
Paul,
Thanks much for the information.  I'm very familiar with OpenID Connect and while most of PWM's OAuth configuration is straightforward I'm looking for a bit more detail.  Can you share what you have set within PWM's OAuth configuration for the following:

OAuth scope (I assumed profile)
OAuth username/DN Login Attribute -> based on the description given within PWM, I assumed this would require customizing the ID token, which is still not very straightforward to do with Azure AD but can be done.

Also I was able to figure out that at least the following redirect URI is needed for the OIDC client, https://{{fqdn_pwm_instance}}/pwm/public/oauth, but wasn't sure if any additional redirect URIs were needed.

Once I have all this I'm more than willing to contribute these bits to the PWM doc, as I didn't see any of these bits really documented beyond what's in the help macros within PWM.

Best,
Aaron

Paul Hodgdon

Apr 20, 2023, 5:32:23 PM4/20/23
to pwm-g...@googlegroups.com
Sorry, I missed this email. 

OAuth Login URL: https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize

OAuth Scope: openid

OAuth token: https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token

OAuth Profile URL: https://graph.microsoft.com/oidc/userinfo

*Import the certificates, you'll need to get the graph one and put that in your PwmConfiguration.xml manually

Client ID: this is the Application ID of your Application in Azure

OAuth Shared Secret: this is the <Value> of the secret from Azure when you setup a client secret

OAuth User Name/DN Login Attribute: email (only unique thing in the profile that the graph api returns)


You are correct in your Reply-URL: https://{{fqdn_pwm_instance}}/pwm/public/oauth

We do offer contract work for PWM and have worked with several Universities configuring this and guiding them through the capabilities if that ever is something you want to discuss let me know.


I wish Microsoft had more in their user profile endpoint, like upn.
{
    "sub": "OLu859SGc2Sr9ZsqbkG-QbeLgJlb41KcdiPoLYNpSFA",
    "name": "Mikah Ollenburg", // all names require the “profile” scope.
    "family_name": " Ollenburg",
    "given_name": "Mikah",
    "picture": "https://graph.microsoft.com/v1.0/me/photo/$value",
    "email": "mik...@contoso.com" // requires the “email” scope.
}


Suryendu Bhattacharyya

Jun 20, 2023, 5:00:38 AM6/20/23
to pwm-general
Hi All,

Please let me know if you have managed to get this work.
I have set up everything as Paul Hodgdon recommends; however, with the received code from Azure AD, login is failing in PWM.

I have selected mail as the DN attribute and CN as username in PWM

pa...@identityworksllc.com

Jun 20, 2023, 7:48:14 AM6/20/23
to pwm-general
Is mail part of your login filter? 

Suryendu Bhattacharyya

Jun 20, 2023, 7:53:04 AM6/20/23
to pwm-general
Yes, I have added mail as a login filter.

Suryendu Bhattacharyya

Jun 20, 2023, 7:53:56 AM6/20/23
to pwm-general
I am getting the following ERROR :  5071 ERROR_OAUTH_ERROR (state parameter is missing from oauth request)
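An offline, worked sketch of the consumer side of the exchange discussed in this thread, added here as an example; it is not code from PWM or from any poster. It builds the Azure AD v2.0 authorize request with a state value, validates the redirect back to /pwm/public/oauth (rejecting the missing-state case reported in the last message), and maps the userinfo "email" claim onto a single directory entry the way the "OAuth User Name/DN Login Attribute" and login filter settings do, including the failure when the filter lacks mail and the ADFS case from the first post where userinfo carries only "sub". The tenant placeholder, the pwm.example.com host, the client ID, the directory entries and the userinfo documents are all constructed; the scope is "openid email" because the sample userinfo document in the earlier reply marks "email" as requiring that scope.

```python
# Added example (not PWM's own code): a minimal OAuth 2.0 authorization-code
# consumer in the shape PWM's oauth flow follows, run offline against constructed
# responses. Everything marked "assumed" or "constructed" is illustrative only.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Tenant placeholder and PWM host are assumed; the endpoint paths and the
# /pwm/public/oauth redirect URI are the ones given in the thread.
TENANT = "<tenant>"
AUTHORIZE_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize"
REDIRECT_URI = "https://pwm.example.com/pwm/public/oauth"   # assumed FQDN


class OAuthError(Exception):
    """Stands in for PWM's 5071 ERROR_OAUTH_ERROR; message texts are ours."""


def build_authorize_url(client_id, scope="openid email", state=None):
    """Return (url, state). 'state' is an unguessable per-login value that must
    come back unchanged on the redirect; a callback without it is rejected."""
    state = state or secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,          # Azure "Application ID"
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,    # must match the Reply-URL registered in Azure
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state


def parse_callback(callback_url, expected_state):
    """Validate the redirect back to /pwm/public/oauth and return the code."""
    q = parse_qs(urlparse(callback_url).query)
    if "state" not in q:
        raise OAuthError("state parameter is missing from oauth request")
    # Constant-time comparison against the state issued for this login attempt.
    if not hmac.compare_digest(q["state"][0].encode(), expected_state.encode()):
        raise OAuthError("state parameter does not match this login attempt")
    if "error" in q:
        raise OAuthError(f"provider returned error {q['error'][0]}")
    if "code" not in q:
        raise OAuthError("code parameter is missing from oauth request")
    return q["code"][0]


def resolve_user(userinfo, login_attr, directory, filter_attrs):
    """Map the userinfo claim named by the login attribute setting onto exactly
    one directory entry. 'filter_attrs' plays the role of the login filter: the
    claim value is matched against each listed attribute."""
    value = userinfo.get(login_attr)
    if value is None:
        raise OAuthError(f"userinfo response has no '{login_attr}' claim")
    matches = [dn for dn, attrs in directory.items()
               if any(attrs.get(a, "").lower() == value.lower() for a in filter_attrs)]
    if len(matches) != 1:
        raise OAuthError(f"{len(matches)} directory entries match {login_attr}={value!r}")
    return matches[0]


# Constructed directory and provider responses (not real data).
DIRECTORY = {
    "cn=mollenburg,ou=people,dc=contoso,dc=com":
        {"cn": "mollenburg", "mail": "mikah@contoso.com"},
    "cn=jdoe,ou=people,dc=contoso,dc=com":
        {"cn": "jdoe", "mail": "jdoe@contoso.com"},
}
# Shape of graph.microsoft.com/oidc/userinfo with the openid and email scopes.
AZURE_USERINFO = {"sub": "OLu859SGc2Sr9ZsqbkG-QbeLgJlb41KcdiPoLYNpSFA",
                  "email": "mikah@contoso.com"}
# ADFS userinfo carries only 'sub', as described in the first post.
ADFS_USERINFO = {"sub": "OLu859SGc2Sr9ZsqbkG-QbeLgJlb41KcdiPoLYNpSFA"}


def demo():
    """Full happy path: authorize request, validated callback, user resolution."""
    url, state = build_authorize_url("00000000-0000-0000-0000-000000000000")  # assumed client id
    code = parse_callback(f"{REDIRECT_URI}?code=AUTHCODE&state={state}", state)
    # The code would now be exchanged at the token endpoint and userinfo fetched
    # with the resulting access token; here the response is the constructed one.
    return resolve_user(AZURE_USERINFO, "email", DIRECTORY, ("cn", "mail"))


if __name__ == "__main__":
    print(demo())
```

With the filter reduced to ("cn",) the same userinfo document resolves nobody, which is the situation behind the "Is mail part of your login filter?" question; with the ADFS-style document the lookup fails earlier because there is no email claim to search on.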