
Authorization strategies

Thomas Schaffter edited this page Jul 28, 2019 · 1 revision

Enabling authentication strategies

The portal implements multiple authentication strategies:

  • local
  • Google OAuth 2.0
  • Google SAML
  • Microsoft Azure AD OpenID Connect
  • Roche Azure AD OpenID Connect (also referred to as phccp strategy)

These strategies are enabled through environment variables. An enabled strategy is active on both the server and client side of the portal. The conditions under which each strategy is enabled are:

  • local: enabled only in development
  • Google OAuth 2.0: the environment variable OAUTH_GOOGLE_ID is set.
  • Google SAML: the environment variable SAML_GOOGLE_ENTRY_POINT is set.
  • Microsoft Azure AD OpenID Connect: the environment variable AZUREAD_OPENIDCONNECT_CLIENT_ID is set.
  • Roche Azure AD OpenID Connect: the environment variable ROCHE_AZURE_AD_CLIENT_ID is set.
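The enablement rules above, applied at start-up, as an added example (illustrative code, not the portal's own server/config/environment/index.js). Taken from the list above: a strategy is enabled by the presence of its variable. Assumed here: the strategy keys, detecting development through NODE_ENV, and treating the companion variables each section below tells you to set as mandatory once the strategy is enabled. The extra check turns a half-configured strategy into a start-up failure rather than a broken login, and the client-facing view carries strategy names only, so client IDs, secrets, entry points and metadata URLs never reach the browser.

```javascript
// Added example, not the portal's own configuration code. Applies the
// enablement rules listed on this page to a process environment and builds a
// client-safe view. Assumptions made here: the strategy keys, detecting
// development through NODE_ENV, and treating each strategy's companion
// variables as mandatory once the strategy is enabled.

const STRATEGY_RULES = {
  // enabledBy: the variable whose presence enables the strategy (from the page)
  // requires: companion variables the page says to set with it (assumed mandatory)
  'google-oauth2': { enabledBy: 'OAUTH_GOOGLE_ID', requires: ['OAUTH_GOOGLE_SECRET'] },
  'google-saml': { enabledBy: 'SAML_GOOGLE_ENTRY_POINT', requires: ['SAML_GOOGLE_ISSUER'] },
  'azuread-openidconnect': {
    enabledBy: 'AZUREAD_OPENIDCONNECT_CLIENT_ID',
    requires: ['AZUREAD_OPENIDCONNECT_IDENTITY_METADATA'],
  },
  'roche-azuread': {
    enabledBy: 'ROCHE_AZURE_AD_CLIENT_ID',
    requires: ['ROCHE_AZURE_AD_IDENTITY_METADATA', 'ROCHE_AZURE_AD_CLIENT_SECRET'],
  },
};

function isSet(env, name) {
  return typeof env[name] === 'string' && env[name].trim() !== '';
}

// Returns a map of strategy name -> enabled. Throws when a strategy's enabling
// variable is present but a companion variable is missing, so a bad deployment
// fails at start-up instead of at the first login attempt.
function enabledStrategies(env) {
  const enabled = { local: env.NODE_ENV === 'development' };
  for (const [name, rule] of Object.entries(STRATEGY_RULES)) {
    if (!isSet(env, rule.enabledBy)) {
      enabled[name] = false;
      continue;
    }
    const missing = rule.requires.filter((v) => !isSet(env, v));
    if (missing.length > 0) {
      throw new Error(`${name}: ${rule.enabledBy} is set but ${missing.join(', ')} is not`);
    }
    enabled[name] = true;
  }
  return enabled;
}

// The only authentication data the client bundle needs: which strategies are
// active. Client IDs, secrets, entry points and metadata URLs stay on the server.
function clientAuthConfig(env) {
  const enabled = enabledStrategies(env);
  return { strategies: Object.keys(enabled).filter((name) => enabled[name]) };
}

// Usage on the server: const { strategies } = clientAuthConfig(process.env);
```

Pass `process.env` on the server and ship only the returned `strategies` array to the client; the throw on a half-configured strategy is deliberate, since a silently disabled login method is harder to notice than a failed start.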

Configuring Google OAuth 2.0

  1. Log into https://console.developers.google.com/
  2. Select a project from "sagebase.org"
  3. From the left menu, click on "Credentials"
  4. Click on the button "Create credentials"
  5. Fill in the form
  6. Copy Client ID and Client secret
  7. Set the following environment variables used by the portal
  • OAUTH_GOOGLE_ID: value of Client ID
  • OAUTH_GOOGLE_SECRET: value of Client secret

OAUTH_GOOGLE_SECRET is a credential: keep it in the server environment only, never in the client bundle or in version control.

Configuring Google SAML

  1. Log into https://admin.google.com
  2. Click on "Apps", then on "SAML apps"
  3. Fill in the form
  4. Edit Attribute Mapping
  • firstname from Basic Information > First Name
  • lastName from Basic Information > Last Name
  • primaryEmail from Basic Information > Primary Email
  5. Set the following environment variables used by the portal
  • SAML_GOOGLE_ENTRY_POINT: value of Service Provider Details > Manage certificates > SSO URL
  • SAML_GOOGLE_ISSUER: phccp-dev

Configuring Microsoft Azure AD OpenID Connect

If you would like to explore using Azure Active Directory (AD) authentication with OpenID Connect (OIDC), you will need to configure your own Azure AD setup on the Azure portal.

Configure Azure Active Directory (AD)

To create a new Azure AD application, simply click on the + symbol - Create a resource.

Find Azure Active Directory to create a new Azure AD resource:

  • Organization name - Use whatever you would like. This guide will use rbtestazuread as an example.
  • Initial domain name - Use whatever you would like. This guide will use rbtestazuread as an example; rbtestazuread.onmicrosoft.com will be auto-generated
  • Create

Create a new app registration for Azure AD

Navigate to your newly created Azure Active Directory and find App registrations (located underneath the Manage section).

Click on New registration - this will be the application our azuread-openidconnect will authenticate against:

  • Name - This is a friendly display name for the application. This guide will use [DEMO] Azure AD as an example.
  • Support account types - If you would like to restrict users to this newly created Active Directory, the default option of Accounts in this organizational directory only (rbtestazuread) is fine.
    • If you would like to allow users defined in your Azure Active Directory - or any user with a Microsoft account - to authenticate, you may select Accounts in any organizational directory and personal Microsoft accounts (e.g. Skype, Xbox, Outlook.com)
  • Redirect URI - This must be an HTTPS address. If you have a dedicated HTTPS address - such as an ngrok tunnel to your locally running server - you can create a new Web redirect URI with a value of https://some.example.com/auth/azuread-openidconnect/callback. The registered value must match the callback URL the portal sends exactly (scheme, host, port and path); Azure AD rejects the sign-in otherwise.
  • Register

Define environment variables

Once you have created your Azure AD application, you will need to create the following environment variables:

export AZUREAD_OPENIDCONNECT_IDENTITY_METADATA=https://login.microsoftonline.com/0aeec3ea-a03d-4f3c-8161-58fc588c3611/v2.0/.well-known/openid-configuration
export AZUREAD_OPENIDCONNECT_CLIENT_ID=a93c6ff1-9d42-498b-93d0-ef8eccb2e6e7

AZUREAD_OPENIDCONNECT_CLIENT_ID will appear in the overview of your newly created app registration. Underneath Display name you will see Application (client) ID - this is the value you will want to use.

In the overview section of your newly created app registration, you will find an icon titled Endpoints - which will open a list of useful endpoints. Find the URL for the OpenID Connect metadata document and use this value for your AZUREAD_OPENIDCONNECT_IDENTITY_METADATA environment variable.

If you need to modify your current Redirect URI - or perhaps add several more - you may do so in the Redirect URIs section.

Configuring Roche Azure AD OpenID Connect

This section describes the configuration for integration with the Azure Active Directory (AD) managed and maintained by Roche.

Defining environment variables

You will need to have the following environment variables defined for single-sign-on (SSO) authentication to work against the Roche Azure Active Directory (AD) setup:

# Roche Azure AD
export ROCHE_AZURE_AD_IDENTITY_METADATA=
export ROCHE_AZURE_AD_CLIENT_ID=
export ROCHE_AZURE_AD_CLIENT_SECRET=

Please consult with your team and/or contacts at Roche for the appropriate credentials.

Application configuration

Please review server/config/environment/index.js for details regarding the Roche configuration (currently identified as rocheAzureAD).

One important note is that the callback URL MUST BE AN HTTPS address.
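As an added example covering both the Azure AD and Roche Azure AD sections (illustrative code, not the project's server/config/environment/index.js), the following checks the three settings an OpenID Connect strategy is built from and reads the endpoints out of the discovery document. The function names, the trimmed discovery document and its field values are constructed here; the tenant and client IDs reuse the example values shown in the Azure AD section above. In a real deployment the document is fetched from the identity metadata URL at start-up. The issuer check is the point worth keeping: it catches a metadata URL that points at the wrong tenant before any token from that tenant is accepted.

```javascript
// Added example, not the portal's code: validate the OIDC settings for the
// azuread-openidconnect / Roche Azure AD strategies and extract the endpoints
// from the discovery document. Names and the sample document are assumptions.

const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Pulls the tenant segment out of a metadata URL shaped like
// https://login.microsoftonline.com/<tenant>/v2.0/.well-known/openid-configuration
function tenantFromMetadataUrl(metadataUrl) {
  const url = new URL(metadataUrl);
  if (url.protocol !== 'https:') throw new Error('identity metadata URL must be https');
  const parts = url.pathname.split('/').filter(Boolean);
  if (parts.length < 3 || parts[parts.length - 1] !== 'openid-configuration' || parts[parts.length - 2] !== '.well-known') {
    throw new Error('identity metadata URL must end in /.well-known/openid-configuration');
  }
  return parts[0];
}

// Checks the values taken from the environment. The callback (redirect) URL must
// be https, as this page requires; the secret is optional for the Azure AD
// strategy and required by the Roche one, so it is validated only when given.
function validateOidcConfig({ identityMetadata, clientID, clientSecret, redirectUrl }) {
  const tenant = tenantFromMetadataUrl(identityMetadata);
  if (!GUID_RE.test(clientID)) throw new Error('clientID must be an Application (client) ID GUID');
  if (clientSecret !== undefined && clientSecret.trim() === '') throw new Error('clientSecret is set but empty');
  if (new URL(redirectUrl).protocol !== 'https:') throw new Error('callback URL must be https');
  return { tenant, clientID, redirectUrl };
}

// Returns the endpoints a code-flow strategy needs from a parsed discovery
// document, refusing documents whose issuer is not the expected tenant or whose
// endpoints are not https.
function endpointsFromDiscovery(doc, expectedTenant) {
  const required = ['issuer', 'authorization_endpoint', 'token_endpoint', 'jwks_uri'];
  for (const key of required) {
    if (typeof doc[key] !== 'string') throw new Error(`discovery document lacks ${key}`);
    if (new URL(doc[key]).protocol !== 'https:') throw new Error(`${key} is not https`);
  }
  if (!doc.issuer.includes(expectedTenant)) {
    throw new Error(`issuer ${doc.issuer} does not belong to tenant ${expectedTenant}`);
  }
  if (!(doc.response_types_supported || []).includes('code')) throw new Error('code flow not supported');
  return {
    issuer: doc.issuer,
    authorizationURL: doc.authorization_endpoint,
    tokenURL: doc.token_endpoint,
    jwksURL: doc.jwks_uri,
  };
}

// Constructed sample discovery document, trimmed to the fields used above.
const SAMPLE_TENANT = '0aeec3ea-a03d-4f3c-8161-58fc588c3611';
const SAMPLE_DISCOVERY = {
  issuer: `https://login.microsoftonline.com/${SAMPLE_TENANT}/v2.0`,
  authorization_endpoint: `https://login.microsoftonline.com/${SAMPLE_TENANT}/oauth2/v2.0/authorize`,
  token_endpoint: `https://login.microsoftonline.com/${SAMPLE_TENANT}/oauth2/v2.0/token`,
  jwks_uri: `https://login.microsoftonline.com/${SAMPLE_TENANT}/discovery/v2.0/keys`,
  response_types_supported: ['code', 'id_token', 'code id_token'],
};

// Runs the checks over the example values from this page and the sample document.
function checkSampleConfig() {
  const cfg = validateOidcConfig({
    identityMetadata: `https://login.microsoftonline.com/${SAMPLE_TENANT}/v2.0/.well-known/openid-configuration`,
    clientID: 'a93c6ff1-9d42-498b-93d0-ef8eccb2e6e7',
    redirectUrl: 'https://some.example.com/auth/azuread-openidconnect/callback',
  });
  return endpointsFromDiscovery(SAMPLE_DISCOVERY, cfg.tenant);
}
```

Run `checkSampleConfig()` with the real values from `process.env` and the fetched document in place of the sample; a rejected issuer or a non-https callback should stop the server from registering the strategy at all.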