Entra/Azure SSO
Has anyone got homarr setup using Azure SSO yet?
I'm currently getting the error that the groups scope doesn't exist but I'm not sure where to define that
Hi, Azure probably doesn't support this scope. @Meierschlumpf I think you're already aware of this, right? How easy can we make this configurable?
I mean we could just add another env variable. The issue with that seems to lie in the groups that I haven't found out if they are supported by azure:
Does Azure show what groups it has out of the box?
My SSO knowledge is somewhat limited, sorry
Not sure either, I thought that it needs to be enabled, maybe that's all and we don't need a new scope variable
Okay just tried it out and it seems like it would include groups for tenant accounts, but not for my personal account. I'm gonna make a pull request and image so you can try it out
In a few minutes there should be an image with the tag add-env-for-oidc-scopes ready for you to try, you can then configure the environment variable AUTH_OIDC_SCOPE_OVERWRITE to overwrite the scope to openid email profile. If you have groups enabled in the token it should work also with the roles. Otherwise it will show a warning in the console when your azure ad does not support those
@HAVOC Ooo thank you!! I'll try it once I get home :)
And I’ll let you know how I get on
Interesting that you were able to get tenant accounts to show the groups scope since I was unable to
Maybe I missed a setting
I wasn't able to do it either within the azure portal, just remembered that we were able to do it at work
I got it working:
I've added an app registration with the following options:
Name: Homarr
Supported account types: Accounts in this organizational directory only (Default Directory only - Single tenant)
Redirect URI: Web / https://homarr.example.com/api/auth/callback/oidc
After registering I created a client secret over client credentials and copied the value to the env variables
Then I went to the API Permissions and added the delegated graph permissions email, openid and profile
After that I created a group with Microsoft Entra ID and assigned myself as member.
Finally I went to Token configuration and added a groups claim for security groups.
After that I was able to get a groups array when authenticating.
Now you can just copy the group id from azure and define them as AUTH_OIDC_ADMIN_GROUP and AUTH_OIDC_OWNER_GROUP
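Added example (not homarr's code and not from anyone in this thread): a small Python diagnostic for the setup described above. It decodes the payload of an Entra ID token without verifying the signature (for inspection only, never for an auth decision), checks whether the groups claim added under Token configuration is actually present, maps it to the AUTH_OIDC_ADMIN_GROUP / AUTH_OIDC_OWNER_GROUP ids, and derives the callback URL the app registration must list from NEXTAUTH_URL. Function names, the sample token and the group ids are constructed.

```python
import base64
import json

def decode_jwt_payload(token: str) -> dict:
    """Decode the middle (payload) segment of a compact JWS. Hypothetical helper:
    the signature is NOT checked, so use this only to look at what Entra put in
    the token while debugging, not to authenticate anyone."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def resolve_roles(claims: dict, admin_group: str, owner_group: str) -> dict:
    """Mirror the mapping the thread describes: the user is admin/owner when the
    configured Entra group object id appears in the token's `groups` array.
    Returns a diagnostic dict explaining why a role was or was not granted."""
    groups = claims.get("groups")
    result = {"has_groups_claim": isinstance(groups, list),
              "admin": False, "owner": False, "warning": None}
    if not isinstance(groups, list):
        # Entra drops the array and emits _claim_names/_claim_sources instead
        # when a user is in too many groups (groups overage); Graph must be queried.
        if "groups" in claims.get("_claim_names", {}):
            result["warning"] = "groups overage: token has no groups array, query Graph instead"
        else:
            result["warning"] = "no groups claim: add a groups claim under Token configuration"
        return result
    result["admin"] = admin_group in groups
    result["owner"] = owner_group in groups
    return result

def expected_callback(nextauth_url: str) -> str:
    """Redirect URI the app registration needs for the OIDC provider, given
    NEXTAUTH_URL (the fix for the http://localhost:7575 redirect)."""
    return nextauth_url.rstrip("/") + "/api/auth/callback/oidc"

def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned sample token for local testing only."""
    def seg(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."
```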
@HAVOC Oh awesome!! I'm not home for another 6 ish hours but I will test when I can
Nice 😄
looks like it's working! only issue I'm having now is since I have it behind a proxy homarr is making the redirect uri http://localhost:7575, I've set the base url in the environment variables to match my proxied url but it doesn't seem to have fixed it
I'll keep playing around and see if I can get that working
just tested with a temp container on my pc, can confirm it's working!
managed to fix this by putting NEXTAUTH_URL="https://my.domain.here" in the env variables
So everything is working now including the admin groups
thank you for your help!!
About the redirect we're gonna fix that as well (hopefully)
@Meierschlumpf is it possible to get the user's name to show instead of their email? Or is that not possible with the current setup
I will check that
Not ideal for the current setup, especially because the username differs for different providers
Thought as much, thank you for looking :)