Azure Active Directory Authentication

Hi, new to the Plone community so I apologize if there is an obvious answer to this question.

We are looking to utilize Plone to replace some business enterprise applications. In order to do that we need to be able to authenticate our users with Azure AD instead of the typical Plone authentication. Now I'm sure we could do that on the front end with MSAL.js, but we really need to be able to tie the user accounts in with the workflows, e.g. so that Person@OurDomain.com is responsible for moving a workflow from one state to the next.

Could someone give me an idea of what all is involved in setting that up and point me to any resources out there that may help with that?

Not sure if it matters or not but we are looking to use Volto as well.

Thanks!

Welcome to the Plone community, Jeremy! :slight_smile:

To connect to your AD/LDAP I would recommend using:

When you need SSO in a windows environment this might be worth a shot (though, this does not work with the latest Plone versions and would require an update):

When it comes to auth, there is nothing special about Volto here. This is handled by the backend in any case and Volto just does the initial authentication via the login form (as Plone classic via the ZPT form).


Thanks I will take a look at these!

One more (hopefully) quick question, in the setup for pas.plugins.ldap it says

Run buildout. Restart Plone.
Then go to the Plone control-panel, select extensions and install the LDAP Plugin.
A new LDAP Settings icon appears on the left. Click it and configure the plugin there.
To use an own integration-profile, add to the profiles metadata.xml file:

Is the Plone control-panel it's referencing supposed to be /Plone/@@overview-controlpanel or Control_Panel/manage_main? Either way, I'm not seeing an option to do the install. This is my buildout.cfg:

[buildout]

# use this to extend one of the buildout configurations:
extends =
# -*- mrbob: extra extends -*-
#    test_plone43.cfg
#    test_plone50.cfg
#    test_plone51.cfg
    test_plone52.cfg

eggs =
    plone.restapi
    pas.plugins.ldap

zcml =
    pas.plugins.ldap

You need to run "bin/buildout" first after you amended the buildout.cfg. Then start the instance and then you should see the add-on in the add-ons control panel.

I believe Azure AD is SAML so you need something more like collective.saml2

https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol

Azure AD speaks

So choose your enemy :wink:

At the moment LDAP (pas.plugins.ldap) and SAML (collective.saml) are relatively easy to use with Plone.
OAuth2 is possible too with pas.plugins.authomatic, but there's no OIDC userinfo support so far AFAIK.

[edit 08/2023]
FTR, there is also pas.plugins.oidc now
[/edit]
