Login with Entra ID (Azure)

Well, how do I need to prepare Specify itself (how to test it)? How is the link between Specify and an IdP like Entra made? Do I need to create the same user by hand? Will it be populated? Group restrictions, etc. But for a start, a bird's-eye view of the implementation, a "quickstart", would be cool. Everybody knows how OIDC etc. works more or less, but implementation/integration in a system varies a lot.


Hello all, thanks to @vinayakjha we now have a working login with Entra ID. The problem was basically a missing setting. The counterpart of

SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

was missing in the nginx config.

proxy_set_header X-Forwarded-Proto $scheme;

And it worked like a charm!

Edit: Just let me know if you struggle with the Entra app part.


Hello @dfernandez,
Not sure where this line should go in the nginx.conf file:

Could you share a copy of your file?
Thanks

Hi @Heryk

Sure, my config file looks like this at the moment:

server {
    listen 443 ssl;
    listen 80;
    http2 on;

    server_name specify.yourdomain.com;

    ssl_certificate /etc/nginx/certs/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/privkey.pem;

    ssl_session_cache shared:le_nginx_SSL:10m;

    ssl_session_timeout 1440m;
    ssl_session_tickets off;

    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
    ssl_dhparam /etc/nginx/certs/dhparam;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    root /usr/share/nginx;

    # serve static files directly
    location /static/ {
        root /volumes;
        rewrite ^/static/config/(.*)$ /specify6/config/$1 break;
        rewrite ^/static/depository/(.*)$ /static-files/depository/$1 break;
        rewrite ^/static/(.*)$ /static-files/frontend-static/$1 break;
    }

    # proxy these urls to the asset server
    location ~ ^/(fileget|fileupload|filedelete|getmetadata|testkey|web_asset_store.xml) {
        resolver 127.0.0.11 valid=30s;
        client_max_body_size 5000M;
        set $backend "http://asset-server:8080";
        proxy_pass $backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # proxy everything else to specify 7
    location / {
        resolver 127.0.0.11 valid=30s;
        client_max_body_size 5000M;
        set $backend "http://specify7:8000";
        proxy_pass $backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # the header that SECURE_PROXY_SSL_HEADER looks for; set (not appended)
        # by nginx, so any value a client sends is overwritten
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    #access_log /etc/nginx/certs/logs/access.log;
    #error_log /etc/nginx/certs/logs/error.log;
}

Hope that helps

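The interaction described in the two posts above (the SECURE_PROXY_SSL_HEADER setting on the Django side and the proxy_set_header X-Forwarded-Proto $scheme line in the nginx config), as an added example that is not code from this thread, from Specify or from Django: a small Python model of Django's documented rule for SECURE_PROXY_SSL_HEADER (if the named header is present and equals the expected value the request counts as HTTPS, otherwise Django falls back to the scheme it was actually reached over), plus a stand-in for the two nginx behaviours that matter, forwarding a client's own X-Forwarded-Proto untouched (nginx's default) versus overwriting it with $scheme. It shows why the missing header produced an http:// redirect_uri and why the overwrite is what makes trusting the header safe at all. The function names proxy(), is_secure(), redirect_uri() and scenarios(), the host specify.yourdomain.com and the callback path /callback/ are assumptions made for the demonstration.

```python
"""Model of SECURE_PROXY_SSL_HEADER (Django) meeting proxy_set_header (nginx).

Added example; not Specify 7 or Django code. Function names, the host and the
callback path below are assumptions for the demonstration.
"""

# The Django setting from the thread, in request.META key form.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def proxy(client_headers, scheme, set_forwarded_proto):
    """Build the WSGI environ Django sees behind nginx (assumed helper).

    nginx speaks plain HTTP to the upstream (proxy_pass http://specify7:8000),
    so wsgi.url_scheme is always "http" regardless of what the client used.
    With set_forwarded_proto=False any X-Forwarded-Proto the client sent is
    forwarded unchanged (nginx's default for request headers); with True it
    is overwritten with the scheme nginx terminated, which is what
    `proxy_set_header X-Forwarded-Proto $scheme;` does.
    """
    environ = {
        "wsgi.url_scheme": "http",
        "HTTP_HOST": "specify.yourdomain.com",  # assumed host
    }
    for name, value in client_headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    if set_forwarded_proto:
        environ["HTTP_X_FORWARDED_PROTO"] = scheme
    return environ


def is_secure(environ, secure_proxy_ssl_header=None):
    """Django's documented decision for request.is_secure(), reduced to its inputs.

    If the configured header is present, its first comma-separated value
    decides (an unexpected value means "http" even over TLS); if the header
    is absent or the setting is None, the real wsgi.url_scheme is used.
    """
    if secure_proxy_ssl_header is not None:
        header, expected = secure_proxy_ssl_header
        if header in environ:
            return environ[header].split(",", 1)[0].strip() == expected
    return environ["wsgi.url_scheme"] == "https"


def redirect_uri(environ, path="/callback/"):
    """Absolute URL the app would register as redirect_uri with the IdP (assumed path)."""
    scheme = "https" if is_secure(environ, SECURE_PROXY_SSL_HEADER) else "http"
    return f"{scheme}://{environ['HTTP_HOST']}{path}"


def scenarios():
    """Return {name: (is_secure, redirect_uri)} for the setups discussed in the thread."""
    results = {}

    # 1. The broken setup: TLS terminated by nginx, header never set, so Django
    #    builds an http:// redirect_uri that cannot match the https:// one
    #    registered in the Entra app.
    env = proxy({}, "https", set_forwarded_proto=False)
    results["no_header"] = (is_secure(env, SECURE_PROXY_SSL_HEADER), redirect_uri(env))

    # 2. The fix from the thread: proxy_set_header X-Forwarded-Proto $scheme;
    env = proxy({}, "https", set_forwarded_proto=True)
    results["fixed"] = (is_secure(env, SECURE_PROXY_SSL_HEADER), redirect_uri(env))

    # 3. Why "set" matters: a client on the plain port 80 listener sends its own
    #    "X-Forwarded-Proto: https". Passed through, Django believes the request
    #    was secure; overwritten with $scheme, it correctly sees "http".
    env = proxy({"X-Forwarded-Proto": "https"}, "http", set_forwarded_proto=False)
    results["spoofed_passthrough"] = (is_secure(env, SECURE_PROXY_SSL_HEADER), redirect_uri(env))
    env = proxy({"X-Forwarded-Proto": "https"}, "http", set_forwarded_proto=True)
    results["spoofed_overwritten"] = (is_secure(env, SECURE_PROXY_SSL_HEADER), redirect_uri(env))

    return results


if __name__ == "__main__":
    for name, (secure, uri) in scenarios().items():
        print(f"{name:22} is_secure={secure!s:5} redirect_uri={uri}")
```

The third scenario is the check worth keeping in mind with the posted config: it listens on port 80 as well as 443 without redirecting to HTTPS, so plain-HTTP requests do reach the backend, and the proxy_set_header line is the only thing standing between a client-supplied X-Forwarded-Proto and Django's is_secure(). Django's own documentation for SECURE_PROXY_SSL_HEADER makes the same point: enable it only when the proxy in front always sets or strips that header.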