View Source

Configuration for config.js (required)

copy config.example and rename file to config.js. replace secret with a random generated secret. You can use for example https://randomkeygen.com/

Cofiguration for azure-config.js (required for Active Directory Authentication)

copy azure-config.example and rename file to azure-config.js.

const config = {
    path: '/login',
	clientID: '87f210d2-d3af-43dd-ba98-07adaff3e791',
	resource: '00000002-0000-0000-c000-000000000000',
	clientSecret: 'xxxx?=xxxxxx_xxxxxx?EQphp_e0[=5',
	identityMetadata: 'https://login.microsoftonline.com/24981a26-eb7a-4f13-95d4-66827d36dec8/.well-known/openid-configuration',
	responseType: 'code', 
	responseMode: 'form_post', 
	redirectUrl: 'https://login.akiomacloud.de/auth/openid/return', 
	allowHttpForRedirectUrl: false,
	validateIssuer: false,
	issuer: null,
	passReqToCallback: false,
	loggingLevel: 'error',
	nonceLifetime: null,
	nonceMaxAmount: 5,
	clockSkew: null
};
module.exports = config;

In order to setup your own Azure installation you need to setup the following settings in the azure-config.js file:

1. Login to azure under
https://portal.azure.com/

2. Under App Registrations, register your new application.
It will ask you for name, supported accounts and redirect uri
Name and supported accounts please setup as per your preferences.
Redirect url required is https://login.akiomacloud.de/auth/azure/openid/return
where https://login.akiomacloud.de would be the domain running the Node.js server

Build.One Documentation > Authentication via Azure AD > newregistration.png

2. Update the metadata link in azure-config.js with the new tenant information

identityMetadata: 'https://login.microsoftonline.com/24981a26-eb7a-4f13-95d4-66827d36dec8/.well-known/openid-configuration'

Where '24981a26-eb7a-4f13-95d4-66827d36dec8' is the tenant id (see screenshot)

Build.One Documentation > Authentication via Azure AD > tenant.png

3. Update the new clientID in the azure-config.js file to match your application clientID.

clientID: '87f210d2-d3af-43dd-ba98-07adaff3e791',

(see screenshot)

4. Go to the newly registered application settings and generate a new secret key. Use this key in the config file for azure(azure-config.js)

clientSecret: 'xxxxx?=xxxxxx_xxxxxx?EQphp_e0[=5'

This can be found in the application settings, App Registrations -> select application -> under Certificates & secrets
(see screenshot)

Build.One Documentation > Authentication via Azure AD > certificates.png

5. After setting up all the required configuration, restart your Node.js server and you are good to go!

Options for the Active Directory configuration file

path : path for login authentication, '/login' will setup a new http route at 'auth/azure/login' for authentication
clientID : the clientID key required for the login. This will be automatically placed in the login request as a form paramenter
resource : your app id uri
clientSecret : When responseType is not id_token, we have to provide client credential to redeem the authorization code.
identityMetadata : The metadata endpoint provided by the Microsoft Identity Portal that provides the keys and other important information at runtime.
responseType : Must be 'code', 'code id_token', 'id_token code' or 'id_token'. For login only flows you can use 'id_token'; if you want access_token, use 'code', 'code id_token' or 'id_token code'.
responseMode : Must be 'query' or 'form_post'. This is how you get code or id_token back. 'form_post' is recommended for all scenarios.
redirectUrl : Must be a https url string, unless you set allowHttpForRedirectUrl to true. This is the reply URL registered in AAD for your app. Production environment should always use https for redirectUrl.
allowHttpForRedirectUrl : Required to set to true if you want to use http url for redirectUrl like http://localhost:3000.
validateIssuer : Required to set to false if you don't want to validate issuer, default value is true. We validate the iss claim in id_token against user provided issuer values and the issuer value we get from tenant-specific endpoint. If you use common endpoint for identityMetadata and you want to validate issuer, then you have to either provide issuer, or provide the tenant for each login request using tenantIdOrName option in passport.authenticate
issuer : This can be a string or an array of strings. See validateIssuer for the situation that requires issuer.
passReqToCallback : Required to set to true if using req as the first paramter in the verify function, default value is false. See section 5.1.1.3 for more details.
loggingLevel : Logging level. 'info', 'warn' or 'error'.
nonceLifetime : The lifetime of nonce in session in seconds. The default value is 3600 seconds.
nonceMaxAmount : The max amount of nonce you want to keep in session or cookies. The default number is 10.
clockSkew : This value is the clock skew (in seconds) allowed in token validation. It must be a positive integer. The default value is 300 seconds.

In the PASOE config file, the configuration required for setting the generic login screen and azure authentication

eg.

<LoginScreen>loginGenericW</LoginScreen>

For the Authentication in Node.js we also need to provide the URL:

eg.

<ssoAuthenticationURI>https://login.akiomacloud.de/auth</ssoAuthenticationURI>

The allowed authentication for Azure is called AzureActiveDirectory. You can specify one authentication or multiple authentication strategies via a comma delimited list.

eg.

<AllowedAuthentication>AzureActiveDirectory,AkiomaUser</AllowedAuthentication>