Login with Entra ID (Azure)

Hello!

We are using the latest all in one docker setup and it’s working fine.

I'm just wondering about login. Is there some way to let users authenticate against Microsoft Entra (aka Azure AD)?

I read somewhere that SAML is possible (but I can't find any documentation/how-to). It would be great to have a tutorial like these ones that covers the topic for Specify 7:

Hi @dfernandez,

At this time, we only support identity providers (IdPs) that have an OpenID Connect endpoint.

It looks like Azure AD provides an OpenID Connect endpoint that you can use to authenticate users and obtain identity information.

If you need help getting this configured in Specify, just let me know!

Hello @Specify ! Thank you for your reply

In fact, yes. How do I configure this (i.e. add an IdP)? Is it the mentioned specify_settings.py in Docker Compose, or elsewhere? I don't find any information about this part. I'm using the "all-in-one" Docker template.

Hi Dfernandez –

Thanks for your follow-up. Grant and our back end developer are both out this week; they may chime in here, but likely it will be next week before we can try to help. Thanks for your patience.

Jim Beach.

Great, thank you!

Hey, you’ll need to override the settings file with the SSO information.
Here is an example from our GitHub repository https://github.com/specify/specify7/blob/34301626534618aeb4c9e831a12ca87f1eab4f88/specifyweb/settings/specify_settings.py#L90
Here is an example nmbe_settings.py file:

import os
DATABASE_NAME = os.environ['DATABASE_NAME']
DATABASE_HOST = os.environ['DATABASE_HOST']
DATABASE_PORT = os.environ.get('DATABASE_PORT', '')
MASTER_NAME = os.environ['MASTER_NAME']
MASTER_PASSWORD = os.environ['MASTER_PASSWORD']
DEPOSITORY_DIR = '/volumes/static-files/depository'
REPORT_RUNNER_HOST = os.getenv('REPORT_RUNNER_HOST', '')
REPORT_RUNNER_PORT = os.getenv('REPORT_RUNNER_PORT', '')
WEB_ATTACHMENT_URL = os.getenv('ASSET_SERVER_URL', None)
WEB_ATTACHMENT_KEY = os.getenv('ASSET_SERVER_KEY', None)
WEB_ATTACHMENT_COLLECTION = os.getenv('ASSET_SERVER_COLLECTION', None)
CELERY_BROKER_URL = os.getenv('CELERY_BROKER_URL', None)
CELERY_RESULT_BACKEND = os.getenv('CELERY_RESULT_BACKEND', None)
CELERY_TASK_DEFAULT_QUEUE = os.getenv('CELERY_TASK_QUEUE', DATABASE_NAME)
ANONYMOUS_USER = os.getenv('ANONYMOUS_USER', None)

# One entry per identity provider. 'config' is the OpenID Connect issuer URL; Specify
# appends the discovery document path to it, so it must not carry leading whitespace.
OAUTH_LOGIN_PROVIDERS = {
    'nmbe': {
        'title': "NMBE",
        'config': "https://login.microsoftonline.com/8605a91a-efbc-4eb5-84c9-0aed78380fa6/v2.0",
        'scope': "openid email",
        'client_id': "your-client-id",
        'client_secret': "your-client-secret",
    },
}

SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

In your docker-compose.yml file, add this settings file in the volumes section so that it overwrites the local_specify_settings.py file:

...
specify7:
    restart: unless-stopped
    image: specifyconsortium/specify7-service:v7
    init: true
    volumes:
      - "specify6:/opt/Specify:ro"
      - "static-files:/volumes/static-files"
      # "./" is required: without it Compose treats "nmbe_settings.py" as a named volume, not a bind mount
      - "./nmbe_settings.py:/opt/specify7/settings/local_specify_settings.py:ro"
...

Hi @alec.white !

Thank you for this instruction/example. I'm almost there. At login I'm getting an error now:

The redirect URI ‘http://myurl.mydomain.ch/accounts/oic_callback/’ specified in the request does not match the redirect URIs configured for the application ‘d008201f-ec04-46cb-873a-de5662b509da’. Make sure the redirect URI sent in the request matches

  1. I configured the callback URL as https://myurl.mydomain.ch/accounts/oic_callback/ (with https)

  2. I call https://myurl.mydomain.ch to log in with the browser

Am I missing something? This piece here:

SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

needs to be there, or in the nginx config?

Just a little follow-up. Specify does not send https as the redirect URI in the OAuth request at the moment:

[screenshot: OAuth authorization request showing the http:// redirect_uri]

So maybe I have something missing somewhere in the configuration.
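The http-vs-https redirect URI problem in the exchange above comes down to how Django (which Specify 7 runs on) decides a request's scheme when TLS is terminated at nginx. The following is an added example, not Specify's or Django's own code: it reproduces the SECURE_PROXY_SSL_HEADER rule in a few lines and builds the redirect_uri and authorization request so you can see which scheme the IdP gets. The hostname, tenant, client ID, state value and the registered redirect URI set are constructed for the example; the WSGI environ dictionaries are constructed sample requests, not captured ones.

```python
# Added example (not Specify's or Django's code): reproduces the rule Django uses to pick a
# request's scheme from SECURE_PROXY_SSL_HEADER, and shows why the OIDC redirect_uri comes
# out as http:// behind a TLS-terminating nginx unless BOTH the setting is present in the
# settings file AND nginx forwards the X-Forwarded-Proto header.
from urllib.parse import urlencode

# Constructed for the example: the URI registered on the Entra app registration. The IdP
# compares the redirect_uri it receives against this set exactly (scheme, host, path).
REGISTERED_REDIRECT_URIS = {"https://myurl.mydomain.ch/accounts/oic_callback/"}
CALLBACK_PATH = "/accounts/oic_callback/"
# Same value as in the settings file above (Django's own setting name).
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def request_scheme(meta, raw_scheme="http", secure_proxy_ssl_header=None):
    """Mirror of Django's HttpRequest.scheme logic.

    meta is the WSGI environ; nginx's 'X-Forwarded-Proto' request header lands there as
    'HTTP_X_FORWARDED_PROTO', which is why the setting names it that way. raw_scheme is
    what the app server itself saw: plain http when nginx terminates TLS in front of it.
    """
    if secure_proxy_ssl_header:
        header, secure_value = secure_proxy_ssl_header
        header_value = meta.get(header)
        if header_value is not None:
            first, *_ = header_value.split(",")  # chained proxies may append values
            return "https" if first.strip() == secure_value else "http"
    return raw_scheme


def redirect_uri(meta, host, raw_scheme="http", secure_proxy_ssl_header=None):
    """The redirect_uri the OIDC login would build for this request (scheme + host + path)."""
    scheme = request_scheme(meta, raw_scheme, secure_proxy_ssl_header)
    return f"{scheme}://{host}{CALLBACK_PATH}"


def authorization_request(authorization_endpoint, client_id, redirect, scope, state):
    """Authorization-code request sent to the IdP; redirect_uri is the value it validates."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect,
        "scope": scope,
        "state": state,
    }
    return f"{authorization_endpoint}?{urlencode(params)}"


def idp_accepts(redirect):
    """Exact-match check as the IdP performs it; http vs https alone is enough to fail."""
    return redirect in REGISTERED_REDIRECT_URIS


def main():
    host = "myurl.mydomain.ch"
    # Constructed sample environs: browser -> nginx (TLS) -> app container (plain http).
    without_header = {}                                   # nginx not forwarding the header
    with_header = {"HTTP_X_FORWARDED_PROTO": "https"}     # proxy_set_header X-Forwarded-Proto $scheme;

    scenarios = [
        ("setting present, header missing", without_header, SECURE_PROXY_SSL_HEADER),
        ("header present, setting missing", with_header, None),
        ("setting present, header present", with_header, SECURE_PROXY_SSL_HEADER),
    ]
    for label, meta, setting in scenarios:
        uri = redirect_uri(meta, host, "http", setting)
        print(f"{label:34s} -> {uri}  accepted={idp_accepts(uri)}")

    # Hypothetical tenant, client ID and state, constructed for the example.
    url = authorization_request(
        "https://login.microsoftonline.com/8605a91a-efbc-4eb5-84c9-0aed78380fa6/oauth2/v2.0/authorize",
        "your-client-id",
        redirect_uri(with_header, host, "http", SECURE_PROXY_SSL_HEADER),
        "openid email",
        "example-state",
    )
    print(url)


if __name__ == "__main__":
    main()
```

Only the third scenario produces the https callback that Entra will accept: the setting tells Django which header to trust, and nginx has to actually send it (`proxy_set_header X-Forwarded-Proto $scheme;` in the location that proxies to the specify7 container). Two caveats a practitioner should keep in mind: the registered URI must match exactly, trailing slash included; and Django only reads the header it is told to, so make sure the container is reachable only through the proxy, because any client that can hit it directly can set X-Forwarded-Proto itself.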