[AzureAD] Only allows display name or email #499

Open
scilab9000 opened this issue Apr 8, 2022 · 4 comments
scilab9000 commented Apr 8, 2022

Quick view: We want the AzureAD.py oauthenticator to retrieve the username, uid, or sAMAccountName to match sssd.conf, OR an alternate solution.

OS: Ubuntu 18.04

Version: Jupyterhub version 2.2.2

Authentication: oauthenticator.azuread.AzureAdOAuthenticator-14.2.0dev

Additional setup: SSSD > AD > points to sAMAccountName

Issue: Using c.AzureAdOAuthenticator.username_claim = 'unique_name' retrieves the email or UPN. JupyterHub fails to load if that directory does not exist and that user does not have permissions on that directory. It is impossible to create a user with an @ sign. This rules out using email to authenticate. If I remove the username_claim config, it then uses the display name. I was able to get this working by changing the display name to the username, though it breaks some email functionality, so it is not a solution. Ideally I am looking for the right attribute that retrieves the uid or sAMAccountName, so this matches our SSSD > AD integration, OR simply a description of where the missing logic exists.

jupyterhub_config.py:

```python
### Azure AD MFA Test ###
import os
from oauthenticator.azuread import AzureAdOAuthenticator
c.JupyterHub.authenticator_class = AzureAdOAuthenticator
c.Application.log_level = 'DEBUG'
c.AzureAdOAuthenticator.tenant_id = 'tenant_id_here'
c.AzureAdOAuthenticator.oauth_callback_url = 'https://domain_OR_IP/hub/oauth_callback'
c.AzureAdOAuthenticator.client_id = 'client_id_here'
c.AzureAdOAuthenticator.client_secret = 'client_secret_here'
c.AzureAdOAuthenticator.scope = ['openid', 'profile']
# Comment out the line below to fall back to the display name instead
c.AzureAdOAuthenticator.username_claim = 'unique_name'

### Server Config ###
c.JupyterHub.ssl_key = '/etc/ssl/private/private-ssl.key'
c.JupyterHub.ssl_cert = '/etc/ssl/certs/private-ssl.crt'
c.JupyterHub.ip = 'ip_address_here'
c.JupyterHub.port = 443

### Admin Spawner ###
c.JupyterHub.admin_access = True

### PAM Auth Admins ###
# Only takes effect when PAMAuthenticator is the active authenticator class
c.PAMAuthenticator.admin_groups = {'sudo'}

### Notebook Idle Shutdown ###
c.ServerApp.shutdown_no_activity_timeout = 60 * 60
c.MappingKernelManager.cull_idle_timeout = 20 * 60
c.MappingKernelManager.cull_interval = 2 * 60
```

sssd.conf:

```ini
[sssd]
domains = domain.com
config_file_version = 2
services = nss, pam, ssh
debug_level = 3

[nss]
debug_level = 3

[pam]
debug_level = 3

[domain/domain.com]
debug_level = 3
enumerate = false
case_sensitive = false
min_id = 100

id_provider = ldap
auth_provider = ldap
access_provider = simple
chpass_provider = ldap

ldap_schema = schema-here
ldap_id_use_start_tls = true
ldap_tls_reqcert = allow
ldap_user_search_base = OU=Users,OU=domain-Users,dc=domain,dc=com
ldap_group_search_base = OU=Groups,OU=domain-Users,dc=domain,dc=com
ldap_user_object_class = user
ldap_user_principal = userPrincipalName
; the attribute that becomes the local login name
ldap_user_name = sAMAccountName
ldap_user_gecos = displayName
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
fallback_homedir = /home/%u
default_shell = /bin/bash
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
ldap_uri = ldap://ad-domain.com,ldap://ad-domain.com
ldap_default_bind_dn = CN=AccountName,OU=Service,OU=Users,OU=domain-Users,DC=domain,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = password_here

; Access settings via simple
simple_allow_groups = groups-allowed
```

R&D:
I was experimenting with changing the unique_name attribute ( c.AzureAdOAuthenticator.username_claim = 'unique_name' ) based on the attributes available for the Azure OAuth2 scopes listed in the config ( c.AzureAdOAuthenticator.scope = ['openid','profile'] ). I found that most of these attributes are unusable. Please help with this; we have reached a dead end.

['aud', 'iss', 'iat', 'nbf', 'exp', 'amr', 'family_name', 'given_name', 'name', 'oid', 'preferred_username', 'rh', 'sub', 'tid', 'uti', 'ipaddr', 'name', 'oid', 'onprem_sid', 'rh', 'sub', 'tid', 'unique_name', 'upn', 'ver']

| Claim | Result |
|---|---|
| aud | long string of numbers |
| iss | 403 Forbidden |
| iat | 500 Internal Server Error |
| nbf | 500 Internal Server Error |
| name | 500 Internal Server Error (does show name, doesn't work) |
| uid | 500 Internal Server Error |
| preferred_username | 500 Internal Server Error |
| sAMAccountName | 500 Internal Server Error |

@scilab9000 scilab9000 added the bug label Apr 8, 2022

welcome bot commented Apr 8, 2022

Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! 🤗

If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other community members to contribute more effectively.

You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! 👋

Welcome to the Jupyter community! 🎉

@scilab9000 scilab9000 changed the title [AzureAD.py] - oauthenticator.azuread.AzureAdOAuthenticator-14.2.0dev ( Only allows display name or email ) [AzureAD.py] - oauthenticator.azuread.AzureAdOAuthenticator-14.2.0dev (Only allows display name or email) Apr 8, 2022

scilab9000 commented Apr 14, 2022

Solution #1:
Adjusting sssd.conf to pull the given name or UPN for the username instead of the sAMAccountName allows us to log in via email or first name. This is an inelegant solution, though it works. It would be nice to have a more elegant solution; please add to the multi-variable solution.

:::Example:::

```text
# The following lines were changed. See above for the full config.
jupyterhub_config.py: c.AzureAdOAuthenticator.username_claim = 'given_name'
sssd.conf:            ldap_user_name = givenName

# This works to get email to match via sssd and jupyterhub_config.py
jupyterhub_config.py: c.AzureAdOAuthenticator.username_claim = 'upn'
sssd.conf:            ldap_user_name = userPrincipalName
```

Solution #2:
Setting sssd.conf to sAMAccountName and the jupyterhub_config.py AzureAD username claim to "upn", then creating symlinks from the username folder to the email folder. This is also an inelegant solution, though it works best for us.

:::Example:::

```text
jupyterhub_config.py: c.AzureAdOAuthenticator.username_claim = 'upn'
sssd.conf:            ldap_user_name = sAMAccountName
```

Solution #3:
There is a way to set Azure AD to retrieve the onPremisesSamAccountName; though the Graph API can return this attribute, by default it is not accessible via the application.

:::Reference:::
https://docs.microsoft.com/en-us/answers/questions/6472/inlcude-onpemise-samaccount-in-azure-ad-claims.html
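An added example (not from this issue or the oauthenticator project) of the mapping the thread is after: derive the local login that sssd resolves from the token's upn or unique_name claim rather than from a display name, because given names and display names are mutable and not unique, while an "@" must never reach the spawner. It assumes, as in many AD tenants, that the UPN prefix equals the sAMAccountName (where it does not, the onPremisesSamAccountName claim from Solution #3 is the right source); the claim order, the login regex and the sample token are constructed here.

```python
import re
from typing import Mapping, Optional

# Claims to derive the login from, most stable first; these names appear in
# the decoded token listed in the issue.  Display-type claims (name,
# given_name) are deliberately absent: they are not unique and can be changed.
PREFERRED_CLAIMS = ("upn", "unique_name", "preferred_username")

# Shape a local POSIX login must have before it reaches the spawner.  The issue
# notes that a user containing "@" cannot be created; this regex is an
# assumption modelled on common useradd rules (lowercase, no "@", no spaces).
LOCAL_NAME_RE = re.compile(r"^[a-z_][a-z0-9._-]{0,31}$")


def local_username(claims: Mapping[str, str], allowed_domain: str) -> Optional[str]:
    """Map decoded Azure AD id_token claims to a sAMAccountName-style login.

    The first present claim in PREFERRED_CLAIMS is used.  Its domain part must
    match allowed_domain, so a UPN from a foreign tenant never maps onto a
    local account, and the prefix is lower-cased to match the
    case_sensitive = false setting in the sssd.conf above.  Returns None when
    the token carries nothing usable.
    """
    for claim in PREFERRED_CLAIMS:
        value = claims.get(claim)
        if not value:
            continue
        prefix, at, domain = value.partition("@")
        if not at or domain.lower() != allowed_domain.lower():
            return None  # present but wrong shape or wrong tenant: reject
        prefix = prefix.lower()
        return prefix if LOCAL_NAME_RE.match(prefix) else None
    return None


# Constructed sample: claims a v1 id_token for this tenant might carry.
SAMPLE_CLAIMS = {
    "name": "Jane Doe",
    "given_name": "Jane",
    "unique_name": "JDoe@Domain.com",
    "upn": "JDoe@Domain.com",
    "oid": "00000000-0000-0000-0000-000000000000",  # placeholder object id
}

if __name__ == "__main__":
    print(local_username(SAMPLE_CLAIMS, "domain.com"))  # jdoe
```

In JupyterHub this logic belongs in the authenticator's normalize_username hook (assuming the installed version exposes it), so username_claim still selects the claim and only the derived prefix is handed to the spawner and to sssd.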


gns-build-server commented Apr 19, 2022

Is this actually a bug, or should this issue be marked "enhancement", or is there another tag that would make more sense?

Or is the issue at this point in fact neither a bug nor an enhancement request, but rather a concern that the code in oauthenticator works as designed, but we are finding we can use only a handful of AD attributes for ldap_user_name and c.AzureAdOAuthenticator.username_claim, so we're looking for some help in understanding how we can use others, and that might mean changing something within our AzureAD config to make those attributes available?

@consideRatio consideRatio changed the title [AzureAD.py] - oauthenticator.azuread.AzureAdOAuthenticator-14.2.0dev (Only allows display name or email) [AzureAD] Only allows display name or email Apr 1, 2023

jabbera commented May 5, 2023

You can do this by customizing the token claims without needing an enhancement for the authenticator or calling graph:

https://learn.microsoft.com/en-us/azure/active-directory/develop/jwt-claims-customization
