OAuth 2.0 Integration with Azure Active Directory
Below is an example of the configuration values in Panopticon.properties for SSO integration of Panopticon with Azure Active Directory. The example values are explained in this table:
Value | Explanation
--- | ---
https://myhost:8443/panopticon | The URL where Panopticon is accessed.
dfe52dce-6a65-4ebf-85c0-155c45782ad6 | Panopticon client id from the Azure app.
ptB8Q~lKsqdSOLEKDFKc0eUgsDazpE5aEgvFUebG3 | Panopticon client secret from the Azure app.
2bae5b57-0eb8-48fb-ba47-990259sk45kj | Azure tenant id.
https%3A%2F%2Fmyhost%2Flogout | URL-encoded form of https://myhost/logout.
Panopticon.properties example configuration:
authentication.oauth2.client.id=dfe52dce-6a65-4ebf-85c0-155c45782ad6
authentication.oauth2.client.secret=ptB8Q~lKsqdSOLEKDFKc0eUgsDazpE5aEgvFUebG3
authentication.oauth2.identity.attribute.roles.pattern=
authentication.oauth2.identity.attribute.roles=groups
authentication.oauth2.identity.attribute.username=email
authentication.oauth2.identity.method=HEADER
authentication.oauth2.identity.url=https\://graph.microsoft.com/oidc/userinfo
authentication.oauth2.login.callback.url=https\://myhost\:8443/panopticon/server/rest/auth/login
authentication.oauth2.login.redirect.url=https\://myhost\:8443/panopticon
authentication.oauth2.login.response.type=code
authentication.oauth2.login.scope=openid profile
authentication.oauth2.login.url=https\://login.microsoftonline.com/2bae5b57-0eb8-48fb-ba47-990259sk45kj/oauth2/v2.0/authorize
authentication.oauth2.logout.redirect.url=
authentication.oauth2.logout.url=https\://login.microsoftonline.com/2bae5b57-0eb8-48fb-ba47-990259sk45kj/oauth2/v2.0/logout?post_logout_redirect_uri=https%3A%2F%2Fmyhost%2Flogout
authentication.oauth2.token.method=
authentication.oauth2.token.url=https\://login.microsoftonline.com/2bae5b57-0eb8-48fb-ba47-990259sk45kj/oauth2/v2.0/token
authentication.required=true
NOTE:
- The value of the authentication.oauth2.logout.url property (i.e., https://login.microsoftonline.com/2bae5b57-0eb8-48fb-ba47-990259sk45kj/oauth2/v2.0/logout?post_logout_redirect_uri=https%3A%2F%2Fmyhost%2Flogout) must also be registered as the Logout URL value in the Azure app configuration.
- The post_logout_redirect_uri parameter is set to a URL that is different from the URL of the Panopticon server. If the user were redirected back to the Panopticon server at logout, the SSO integration with Azure AD would immediately log the user in to Panopticon again.
- For the authentication.oauth2.identity.attribute.roles property, Microsoft recommends handling user roles by creating app roles that map to AD users and/or groups, instead of using AD groups directly. The maximum number of groups that AD will return is 50.
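The properties above only work together if they agree with each other: the three login.microsoftonline.com URLs must name the same tenant, the callback must live under the Panopticon URL, and the post_logout_redirect_uri must not point back at Panopticon. The following added example (not Altair's code and not a Panopticon feature) reads a Panopticon.properties file and checks those invariants. The property names are taken from the example configuration; the parser is a minimal .properties reader, the sample values are the documented placeholders above, and the consistency rules are this example's own, derived from the notes on this page.

```python
"""Lint the OAuth 2.0 section of a Panopticon.properties file for Azure AD.

Added example; not Altair's code. Property names come from the documented
example; the consistency rules are this example's own.
"""
import re
from urllib.parse import parse_qs, quote, urlsplit

AAD = "login.microsoftonline.com"

# Constructed sample: the documented example values (placeholder ids, not real
# credentials), written with the backslash escapes a Java .properties file uses.
SAMPLE_PROPERTIES = r"""
authentication.oauth2.client.id=dfe52dce-6a65-4ebf-85c0-155c45782ad6
authentication.oauth2.client.secret=ptB8Q~lKsqdSOLEKDFKc0eUgsDazpE5aEgvFUebG3
authentication.oauth2.identity.attribute.roles.pattern=
authentication.oauth2.identity.attribute.roles=groups
authentication.oauth2.identity.attribute.username=email
authentication.oauth2.identity.method=HEADER
authentication.oauth2.identity.url=https\://graph.microsoft.com/oidc/userinfo
authentication.oauth2.login.callback.url=https\://myhost\:8443/panopticon/server/rest/auth/login
authentication.oauth2.login.redirect.url=https\://myhost\:8443/panopticon
authentication.oauth2.login.response.type=code
authentication.oauth2.login.scope=openid profile
authentication.oauth2.login.url=https\://login.microsoftonline.com/2bae5b57-0eb8-48fb-ba47-990259sk45kj/oauth2/v2.0/authorize
authentication.oauth2.logout.redirect.url=
authentication.oauth2.logout.url=https\://login.microsoftonline.com/2bae5b57-0eb8-48fb-ba47-990259sk45kj/oauth2/v2.0/logout?post_logout_redirect_uri=https%3A%2F%2Fmyhost%2Flogout
authentication.oauth2.token.method=
authentication.oauth2.token.url=https\://login.microsoftonline.com/2bae5b57-0eb8-48fb-ba47-990259sk45kj/oauth2/v2.0/token
authentication.required=true
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments,
    and single-character backslash escapes (e.g. the escaped colons) in values."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return props


def tenant_of(url):
    """Tenant id segment of a login.microsoftonline.com URL, else None."""
    parts = urlsplit(url)
    if parts.netloc != AAD:
        return None
    return parts.path.strip("/").split("/")[0] or None


def build_logout_url(tenant, post_logout_url):
    """Azure AD v2.0 logout endpoint with a URL-encoded post_logout_redirect_uri."""
    return (f"https://{AAD}/{tenant}/oauth2/v2.0/logout"
            f"?post_logout_redirect_uri={quote(post_logout_url, safe='')}")


def lint(props):
    """Return a list of findings; an empty list means the section is consistent."""
    findings = []

    def get(key):
        return props.get("authentication.oauth2." + key, "")

    if props.get("authentication.required") != "true":
        findings.append("authentication.required should be true")
    if not get("client.id") or not get("client.secret"):
        findings.append("client.id and client.secret must both be set")
    if get("login.response.type") != "code":
        findings.append("login.response.type should be 'code' (authorization code flow)")
    if "openid" not in get("login.scope").split():
        findings.append("login.scope must include openid for an OIDC login")

    for key in ("identity.url", "login.callback.url", "login.redirect.url",
                "login.url", "logout.url", "token.url"):
        parts = urlsplit(get(key))
        if parts.scheme != "https":
            findings.append(f"{key} must be an https URL")
        if "//" in parts.path:
            findings.append(f"{key} has a double slash in its path")

    if len({tenant_of(get(k)) for k in ("login.url", "token.url", "logout.url")}) != 1:
        findings.append("login.url, token.url and logout.url must use the same tenant id")

    panopticon = get("login.redirect.url").rstrip("/")
    if not get("login.callback.url").startswith(panopticon + "/"):
        findings.append("login.callback.url must sit under login.redirect.url")

    # Logout round trip: Azure AD sends the browser to post_logout_redirect_uri;
    # if that is the Panopticon URL, the SSO session logs the user straight back in.
    query = parse_qs(urlsplit(get("logout.url")).query)
    target = query.get("post_logout_redirect_uri", [""])[0]
    if not target:
        findings.append("logout.url lacks a post_logout_redirect_uri parameter")
    elif target.rstrip("/").startswith(panopticon):
        findings.append("post_logout_redirect_uri points back at Panopticon; "
                        "SSO would log the user in again immediately")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_properties(SAMPLE_PROPERTIES)) or ["no findings"]:
        print(finding)
```

Run it against a real Panopticon.properties by passing the file contents to parse_properties instead of SAMPLE_PROPERTIES. build_logout_url reproduces the documented logout value from the tenant id and the plain https://myhost/logout URL, which is a safer way to produce the percent-encoded parameter than hand-encoding it.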
(c) 2013-2024 Altair Engineering Inc. All Rights Reserved.