Anyone tried integrating Azure AD with Foreman for SSO. We have steps for Keycloak in foreman documents: Foreman :: Manual (theforeman.org).
After following steps defined in document, set below parameters in foreman:
eg:
OIDC Algorithm: RS256
OIDC Audience: (client ID of app registration in AzureAD)
OIDC Issuer: https://login.microsoftonline.com/(AzureAD tenant ID)/v2.0
OIDC JWKs URL: https://login.microsoftonline.com/(AzureAD tenant ID)/discovery/v2.0/keys
Not able to get option to login with SSO.
Expected outcome:
Should be able to enable SSO to Foreman using azure AD.
Issue:
Steps are not clear enough to integrate azure AD with foreman SSO.
Could anyone help to get exact steps to integrate foreman 3.7 with Azure AD.
I kind of tried that for once now/looked up if anyone else has already achieved it.
TL;DR:
Doesn’t look like anyone already got it working. (I tried but didn’t go far enough in the troubleshooting until now)
The thing is only configuring the parameters in Foremans settings is not enough, you need the local auth endpoint, which sends the requests to the remote OIDC/SAML2 endpoint. The current documented way just only works with Keycloak, as it uses keycloak-httpd-client-install to configure the local auth endpoint /users/extlogin (and also /users/extlogout)
So if someone wants to sacrifice their time, it would most likely help to setup a Keycloak, configure the system with it, get the httpd config which gets generated by keycloak-httpd-client-install and manually mimic it for Azure AD.
I think the currently “headache free” ways to integrate Azure AD might be either having a Keycloak inbetween or using the ADDS service with LDAPS.
I currently don’t have a suitable environment, but I will see if I have the time the next days to set something up. But there are sure people who know that stuff better than me.
Btw, foreman_help is a single user, not a group which gets checked by any of the dev teams, they might just happen to see the thread though.
Found the issue… if you are running Kleycloak later version 18 (I think, tried it on 22), this will affect you:
So… I manually patched the /usr/lib/python3.6/site-packages/keycloak_httpd_client/keycloak_rest.py and /usr/share/keycloak-httpd-client-install/templates/oidc_httpd.conf like this:
With more time it’s going to be a PR back to the project, but not in this state, needs to be compatible to both.
@priya But that also gives me hope that it won’t be too hard to set that up for AzureAD (uh… right it’s Entra ID now) with OIDC, will take a look at that as soon as I figured out what the docs mean for the new Keycloak UI and get it working.
And the mappers configuration means now to go to “Client scopes”, open the “-dedicated” client scope, and add the new mappers there (add mapper → by configuration → Audience/Group Membership):
Audience: select both “Add to ID token” and “Add to access token”
Group membership: Write “groups” into Token Claim Name, unselect everything beside “Add to ID token” and “Add to access token”
Rest is the same as in the guide.
Will see if I can come up with an PR for the guide artifacts, just not sure about the code change.
And okay 2 things to mention about most likely unability to get it working with AzureAD:
I was not able to get any other identifiers working beside sub, which is a random character identifier (adding claims to the token did not work and name has a space in the name)
For whatever on earths reason the issuer is not https://login.microsoftonline.com/<tanent-id>/v2.0, like mentioned in the openid-configuration, but https://sts.windows.net/<tanent-id>/
especially the / at the end of the weird suddenly different issuer breaks everything
