Microsoft Office 365/Azure AD Authentication

I’m working on a website for a client that use Office 365/Azure AD for their collaboration and authentication across other platforms and services.

It’s been asked if there’s a way that their users can sign in for read-only access to content on the site.

I’m aware that it is possible to create Authentication Types but the documentation appears to be somewhat short.

Has anyone had any luck with this and would mind pointing me in a direction or sharing some code?

2 Likes

We have created a couple of custom Authentication Types for SSO but nothing with Azure. If you want to see some code send a PM and I’d be happy to share.

2 Likes

Thank you! I’ve sent you a PM with my email address.

1 Like

We, Macareux Digital, have an AzureAD authentication package.

It's currently being implemented in a client's dev environment, I think.

1 Like

We have this in use, maybe it's helpful for you: GitHub - lemonbrain-mk/azure_active_directory: Authorize with Azure Active Directory

3 Likes

@Lemonbrain we’ve been trying to use the v9 branch of your package (thank you so much!). We got it installed and set up in our ConcreteCMS site and Azure. In ConcreteCMS, I enabled automatic registration into a group, and I made sure that group accepts automatic additions. In Azure, I added all the permissions that seem relevant in Azure, created a client secret, I enabled both access and ID tokens, and set the URI to https://ourdomain.com/ccm/system/authentication/oauth2/aad/callback.

When I click "Log in with Azure Active Directory" on the login form, I'm able to go through Microsoft's login page successfully and come back to our site, but after logging me in it puts me back on a "Welcome back! Please Sign in" screen at this URL: https://ourdomain.com/login/callback/aad/handle_register/1689109

My hunch is it’s getting caught up in the registration process in our ConcreteCMS site since there’s never any user accounts created after trying this. But I can’t figure out why. There are no logs in the reports section. I’ve got auto-registration enabled in the aad custom auth settings in the Dashboard, and allowed auto-registration in the group I chose.

We do see this error in the console:

Related to this portion of the authentication/aad/form.php code (https://github.com/lemonbrain-mk/azure_active_directory/blob/master/authentication/aad/form.php):

Any ideas of what I’m missing? I really appreciate the help!

We had a very similar run of issues when I tried setting up our site using the same plugin. That said, glad to report that it works beautifully - thanks @Lemonbrain!

So, @kspitzley - what we had to do was look at the Azure config.

Open Azure > App Registrations > your app > Manifest, then check the following properties…

	"oauth2AllowIdTokenImplicitFlow": true,
	"oauth2AllowImplicitFlow": true,

Additionally, we added OptionalClaims too, which you can do from the UI or add them as per below…

	"optionalClaims": {
		"idToken": [
			{
				"name": "email",
				"source": null,
				"essential": false,
				"additionalProperties": []
			},
			{
				"name": "family_name",
				"source": null,
				"essential": false,
				"additionalProperties": []
			},
			{
				"name": "given_name",
				"source": null,
				"essential": false,
				"additionalProperties": []
			},
			{
				"name": "preferred_username",
				"source": null,
				"essential": false,
				"additionalProperties": []
			}
		],
		"accessToken": [],
		"saml2Token": []
	},

With that, we’ve successfully got authentication working.

One thing I'd love to know, and more a question for @Lemonbrain - is there a way we can use the users' access tokens to perform additional API requests (i.e., to show their full name or department) once logged in?

Hey guys

Really nice to read that I could help you. I'm quite busy at the moment, but I'll try to answer your question ASAP next week.

THIS WORKED!! You’re amazing!

However, because it's web development, I have now run into a new error (but an error that shows progress!). Now what happens is this: A new user who has an AD account but doesn't yet have a ConcreteCMS account authenticates with AD - this part is successful, and now it even automatically creates an account in ConcreteCMS for that user (yay!). However, it does not attach the group I selected, and instead of logging this new user into that new account and automatically attaching their AD account, the user gets dropped back on the login page with this error:

In the logs I see this error: “Target class [\Concrete\Core\User\Group\AutomatedGroup\View] does not exist.”

So, even though I set the group up like this, it doesn't seem to be accepting auto-entries?

What I’m hoping I can make happen is one smooth workflow where a new user can log in with their AD account, have a ConcreteCMS account created, have the system automatically attach their ConcreteCMS account to their AD account, and log the user into the ConcreteCMS site.

I cannot thank you enough for responding and helping, I am really up against my own skill level here.

As an update, I am trying to place a custom automated group controller per this documentation: Advanced: Automated Groups

But I cannot seem to get it right. I am trying all the possible locations and I still get either "Target class [\Concrete\Core\User\Group\AutomatedGroup\View] does not exist." or "Target class [\Application\Concrete\User\Group\AutomatedGroup\View] does not exist." depending on where I put the file.

My controller file is named View.php, and contains this code:

<?php
namespace Application\Src\User\Group\AutomatedGroup;

use Concrete\Core\User\User;
use Concrete\Core\User\Group\GroupAutomationController;

// Automated group controller: ConcreteCMS calls check() to decide whether the
// given user should be entered into the group. Returning true admits everyone.
class View extends GroupAutomationController
{
    public function check(User $ux)
    {
        return true;
    }
}

Have you set the Group to enter on registration option from the aad options page at index.php/dashboard/system/registration/authentication?

That should be all you need to register new users to a group!

My question to @Lemonbrain above would ideally allow me to poll the user in Azure and see what other groups I could programmatically assign a user to based on things like Office Location, State, Department…

Yes, I’ve had that set up the whole time:

And I set up my View group to accept auto-entries in the dashboard.

I've been getting "Target class [\Concrete\Core\User\Group\AutomatedGroup\ViewOnly] does not exist." no matter what I do… I'm so frustrated!

I fixed it! It was just a configuration mistake on my part. I removed “automatically enter this group” from the View group settings. Then I just decided not to force the new users into a group (because I don’t actually care about that for this use case) and then it worked. I’ve got some tweaking to do, but man did I go down a rabbit hole with that automated group controller thing.

@Lemonbrain I don’t know if this is helpful for you, but I wrote a readme and have attached it.

# Azure AD to ConcreteCMS Authentication Package
This version 9 package will install the ability to authenticate and register accounts through Azure AD into ConcreteCMS

## Register your app in Azure
- Log into Azure and navigate to Azure Active Directory
- Select "App Registrations" from the side menu
- Give your app a name
- Select "Accounts in this organizational directory only" to limit it to one AD
- Set "https://[yourdomain.com]/ccm/system/authentication/oauth2/aad/callback" as the callback URI
- Click "Register"

## Configure Azure
- Create a client secret from the **Overview page** and make sure to copy/paste the value - you cannot retrieve this again; you'll have to delete and regenerate the client secret if you don't save it now.
- In the **Authentication section**, enable Access tokens (used for implicit flows) and ID tokens (used for implicit and hybrid flows)
- In the **API Permissions section**, add the following delegated permissions for Microsoft Graph: email, openid, profile, User.Read, User.ReadBasic.All
- In the **Manifest section**, add the following to the Optional Claims section:

```json
"optionalClaims": {
    "idToken": [
        {
            "name": "email",
            "source": null,
            "essential": false,
            "additionalProperties": []
        },
        {
            "name": "family_name",
            "source": null,
            "essential": false,
            "additionalProperties": []
        },
        {
            "name": "given_name",
            "source": null,
            "essential": false,
            "additionalProperties": []
        },
        {
            "name": "preferred_username",
            "source": null,
            "essential": false,
            "additionalProperties": []
        }
    ],
    "accessToken": [],
    "saml2Token": []
},
```

## Install and Configure the package in ConcreteCMS
- Install the package, either through composer or by uploading the entire azure_active_directory folder into your server's packages folder via FTP
- Go to **Dashboard=>System & Settings=>Authentication Types**
- Click on 'aad'
- Set the following values:

**Authentication Type Display Name:** Azure Active Directory
  
**URL:** https://login.microsoftonline.com/

**Tenant:** Get the "Directory (tenant) ID" from your registered app in Azure Active Directory 

**App ID:** Get the "Application (client) ID" from your registered app in Azure Active Directory

**App Secret:** Get the value (not the ID) from the client secret you created when registering

**Allow automatic registration:** Check this box

**Group to enter on registration:** Leave this as "None" to not have users enter a group, or select a group to have the user auto-enter

1 Like
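The manifest edits shown earlier in the thread (the two implicit-flow switches and the optional claims) and again in the README above are easy to get subtly wrong, and the symptom is the same "Welcome back! Please Sign in" loop the thread describes. The following script, an added example that is not part of the lemonbrain package or the README, audits an exported app-registration manifest offline for exactly those settings: it checks that the ID-token implicit switch the package relies on is enabled, reports whether access-token implicit flow is enabled so that choice is deliberate, verifies the four optional ID-token claims are present, and checks that every redirect URI is HTTPS and points at the package's callback path. It assumes the standard manifest property names `signInAudience` and `replyUrlsWithType`; the two sample manifests and their domains are constructed for the example.

```python
"""Offline audit of an Azure AD app-registration manifest for the settings the
thread touches. Constructed example; not code from the package or the README."""
import json
from urllib.parse import urlparse

# Optional ID-token claims the README adds so the package can fill in the account.
REQUIRED_ID_TOKEN_CLAIMS = {"email", "family_name", "given_name", "preferred_username"}
# Callback path from the README; the host is whatever the site runs on.
CALLBACK_PATH = "/ccm/system/authentication/oauth2/aad/callback"

# Constructed manifest with the mistakes this audit is meant to catch.
SAMPLE_MANIFEST = """{
  "signInAudience": "AzureADMyOrg",
  "oauth2AllowIdTokenImplicitFlow": true,
  "oauth2AllowImplicitFlow": true,
  "replyUrlsWithType": [
    {"url": "https://ourdomain.example/ccm/system/authentication/oauth2/aad/callback", "type": "Web"},
    {"url": "http://staging.example/ccm/system/authentication/oauth2/aad/callback", "type": "Web"},
    {"url": "https://ourdomain.example/some/other/page", "type": "Web"}
  ],
  "optionalClaims": {
    "idToken": [
      {"name": "email", "source": null, "essential": false, "additionalProperties": []},
      {"name": "given_name", "source": null, "essential": false, "additionalProperties": []}
    ],
    "accessToken": [],
    "saml2Token": []
  }
}"""

# Constructed manifest with the same settings corrected; the audit returns nothing for it.
CLEAN_MANIFEST = """{
  "signInAudience": "AzureADMyOrg",
  "oauth2AllowIdTokenImplicitFlow": true,
  "oauth2AllowImplicitFlow": false,
  "replyUrlsWithType": [
    {"url": "https://ourdomain.example/ccm/system/authentication/oauth2/aad/callback", "type": "Web"}
  ],
  "optionalClaims": {
    "idToken": [
      {"name": "email", "source": null, "essential": false, "additionalProperties": []},
      {"name": "family_name", "source": null, "essential": false, "additionalProperties": []},
      {"name": "given_name", "source": null, "essential": false, "additionalProperties": []},
      {"name": "preferred_username", "source": null, "essential": false, "additionalProperties": []}
    ],
    "accessToken": [],
    "saml2Token": []
  }
}"""


def audit_manifest(manifest_json: str) -> list:
    """Return a list of (severity, message) tuples for one manifest document."""
    m = json.loads(manifest_json)
    findings = []

    # 1. Tenant scope: "Accounts in this organizational directory only" is AzureADMyOrg.
    audience = m.get("signInAudience")
    if audience != "AzureADMyOrg":
        findings.append(("warn", f"signInAudience is {audience!r}; accounts outside "
                                 "this directory could be auto-registered"))

    # 2. Implicit-flow switches. The ID-token one is what the package's callback needs;
    #    the access-token one only matters if something consumes tokens in the browser.
    if not m.get("oauth2AllowIdTokenImplicitFlow"):
        findings.append(("error", "oauth2AllowIdTokenImplicitFlow is false; the callback "
                                  "will not receive an ID token"))
    if m.get("oauth2AllowImplicitFlow"):
        findings.append(("info", "oauth2AllowImplicitFlow is true: access tokens are "
                                 "returned through the browser; keep only if needed"))

    # 3. Optional claims the package uses to populate the new account.
    # optionalClaims is null in a fresh manifest, so guard against None.
    id_token_claims = (m.get("optionalClaims") or {}).get("idToken") or []
    present = {c.get("name") for c in id_token_claims}
    for name in sorted(REQUIRED_ID_TOKEN_CLAIMS - present):
        findings.append(("error", f"optional ID-token claim {name!r} is missing"))

    # 4. Redirect URIs: HTTPS only, and only the package callback path.
    for entry in m.get("replyUrlsWithType") or []:
        url = entry.get("url", "")
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append(("error", f"redirect URI {url} is not https"))
        if parsed.path != CALLBACK_PATH:
            findings.append(("warn", f"redirect URI {url} is not the aad callback path"))
    return findings


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_MANIFEST), ("clean", CLEAN_MANIFEST)):
        print(f"== {label} manifest: {len(audit_manifest(doc))} finding(s)")
        for severity, message in audit_manifest(doc):
            print(f"[{severity}] {message}")
```

To use it against a real registration, download the manifest from Azure > App Registrations > your app > Manifest and pass its contents to `audit_manifest`; the function reads only the properties listed above and ignores the rest of the document.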

Well done! Maybe submit a pull request on the project?

Hello everyone, I was just testing it and found the same error as @kspitzley had with "a user account already exists…".
I think this came up because of some core changes. But it's now solved with Version 2.0.5. It also caused problems with the attachment process, which should now be solved.
Are there any other problems with the package?