add docs for setup NetBird with Azure AD as IDP

Bethuel
2023-04-23 20:42:34 +03:00
parent d95022d98e
commit cb03373f8f
15 changed files with 152 additions and 88 deletions


@@ -12,4 +12,5 @@ NetBird supports generic OpenID (OIDC) protocol allowing for the integration wit
List of available guides:
- [Auth0](/integrations/identity-providers/self-hosted/using-netbird-with-auth0) (managed service)
- [Azure AD](/integrations/identity-providers/self-hosted/using-netbird-with-azure-ad) (managed service)
- [Keycloak](/integrations/identity-providers/self-hosted/using-netbird-with-keycloak)
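Review bot: the new list entry points at `/integrations/identity-providers/self-hosted/using-netbird-with-azure-ad`, which matches the `id` of the page added in this commit, but the page it replaces (`using-netbird-with-azure-sso`) is deleted outright further down, so any existing bookmarks, Slack links or external references to the old path will break. Suggest adding a redirect from the old id to the new one alongside this list change, and keeping the `(managed service)` label consistent with the Auth0 entry as done here.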


@@ -0,0 +1,151 @@
---
id: using-netbird-with-azure-ad
title: Using NetBird with Azure AD
sidebar_position: 4
tags:
- integrations
- idp
- azure
- oidc
- how-to
---
This guide is a part of the [NetBird Self-hosting Guide](/getting-started/self-hosting) and explains how to integrate **self-hosted** NetBird with [Azure AD](https://azure.microsoft.com/en-us/products/active-directory/).
Azure AD is a an enterprise identity service that provides single sign-on and multifactor authentication to your applications.
It is a 3rd party managed service and can't be self-hosted.
:::tip self-hosted idp
If you prefer to have full control over authentication and authorization of your NetBird network, there are good
self-hosted alternatives to the managed Auth0 service like [Keycloak](/integrations/identity-providers/self-hosted/using-netbird-with-keycloak).
:::
Before you start creating and configuring an Azure AD application, ensure that you have the following:
- An Azure account: To create an Azure AD application, you must have an Azure account. If you don't have one, sign up for a free account at https://azure.microsoft.com/free/.
- User account with appropriate permissions: You must have an Azure AD user account with the appropriate permissions to create and manage Azure AD applications. If you don't have the required permissions, ask your Azure AD administrator to grant them to you.
### 1. Create and configure Azure AD application
In this step, we will create and configure Netbird application in azure AD.
- Navigate to [Azure Active Directory](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview)
- Click `App Registrations` in the left menu then click on the `+ New registration` button to create a new application.
- Fill in the form with the following values and click Register
- Name: `Netbird`
- Account Types: `Accounts in this organizational directory only (Default Directory only - Single tenant)`
- Redirect URI: select `Single-page application (SPA)` and URI as `https://<yournetbirddomain.com>/silent-auth`
![](/img/integrations/identity-providers/self-hosted/azure-new-application.png)
### 2. Platform configurations
- Click `Authentication` on the left side menu
- Under the `Single-page application` Section, add another URI `https://<yournetbirddomain.com>/auth`
![](/img/integrations/identity-providers/self-hosted/azure-spa-uri-setup.png)
- Scroll down and setup other options as on the screenshot below and click Save
![](/img/integrations/identity-providers/self-hosted/azure-flows-setup.png)
### 3. Create a NetBird application scope
- Click `Expose an API` on the left menu
- Under `Application ID URI` click `Set` and then `Save`
- Click `+ Add a Scope`
- Fill in the form with the following values and click `Add scope`
- Scope name: `api`
![](/img/integrations/identity-providers/self-hosted/azure-add-scope.png)
- Under `Authorized client Applications`, click on `+ add a client application` and enter the following:
- Fill in the form with the following values and click `Add application`
- Client ID: same as your Application ID URI minus the `api://`
![](/img/integrations/identity-providers/self-hosted/azure-add-application-scope.png)
### 4. Add API permissions
- Add `Netbird` permissions
- Click `API permissions` on the left menu
- Click `Add a permission`
- Click `My APIs` tab, and select `Netbird`. Next check `api` permission checkbox and click `Add permissions`.
![](/img/integrations/identity-providers/self-hosted/azure-netbird-api-permisssions.png)
- Add `Delagated permissions` to Microsoft Graph
- Click `Add a permission`
- Click `Microsoft Graph` and then click `Delagated permissions` tab and check all permissions under the `OpenId permissions` section and click `Add permissions`
![](/img/integrations/identity-providers/self-hosted/azure-openid-permissions.png)
- Add `Application permissions` to Microsoft Graph
- Click `Add a permission`
- Click `Microsoft Graph` and then click `Application permissions` tab
- Search for `User.ReadWrite.All` and under `User` sections and check `User.ReadWrite.All` checkbox section
![](/img/integrations/identity-providers/self-hosted/azure-user-permissions.png)
- Search for `Application.ReadWrite.All` and under `Application` sections and check `Application.ReadWrite.All` checkbox section and click `Add permissions`
![](/img/integrations/identity-providers/self-hosted/azure-applications-permissions.png)
- Click `Grant admin conset for Default Directory` and click `Yes`
![](/img/integrations/identity-providers/self-hosted/azure-grant-admin-conset.png)
### 4. Update token version
- Click `Manifest` on left menu
- Search for `accessTokenAcceptedVersion` and change the value from `null` to `2`
- Click `Save`
### 5. Generate client secret
- Click `Certificates & secrets` on left menu
- Click `New client secret`
- Fill in the form with the following values and click `Add`
- Description: `Netbird`
- Copy `Value` and save it as it can be viewed only once after creation.
![](/img/integrations/identity-providers/self-hosted/azure-client-secret.png)
Your authority OIDC configuration will be available under:
```
https://login.microsoftonline.com/<tenant_id>/v2.0/.well-known/openid-configuration
```
:::caution
Double-check if the endpoint returns a JSON response by calling it from your browser.
:::
- Set properties in the `setup.env` file:
```json
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://login.microsoftonline.com/<tenant_id>/v2.0/.well-known/openid-configuration"
NETBIRD_USE_AUTH0=false
NETBIRD_AUTH_CLIENT_ID="<application_id>"
NETBIRD_AUTH_AUDIENCE="<application_id>"
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="<application_id>"
NETBIRD_AUTH_REDIRECT_URI="/auth"
NETBIRD_AUTH_SILENT_REDIRECT_URI="/silent-auth"
NETBIRD_AUTH_USER_ID_CLAIM="oid"
```
- You can now continue with the [NetBird Self-hosting Guide](/getting-started/self-hosting#step-3-configure-identity-provider).
- Set property `IdpManagerConfig` in the `management.json` file with:
:::caution
The file management.json is created automatically. Please refer [here](/getting-started/self-hosting#step-5-run-configuration-script) for more information.
:::
```json
{
"ManagerType": "azure",
"AzureClientCredentials": {
"ClientID": "<application_id>",
"ClientSecret": "<client_secret>",
"GrantType": "client_credentials",
"ObjectID": "<object_id>",
"TokenEndpoint": "https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token",
"GraphAPIEndpoint": "https://graph.microsoft.com/v1.0"
}
}
```
- Modify the `api` scope within dashboard enviroment variable `AUTH_SUPPORTED_SCOPES` located in docker-compose.yml to `api://<application_id>/api`.
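Review bot: the Graph application permissions granted under "4. Add API permissions" (`User.ReadWrite.All` and `Application.ReadWrite.All`, followed by tenant-wide admin consent) are among the most privileged scopes in Azure AD, and the page never says what the management service uses them for; a reader should be told why write access to all users and all app registrations is required and whether a read-only scope would suffice, since the client secret that carries these rights ends up in plaintext in `management.json`. Several smaller issues in the same hunk: the step numbering runs 1, 2, 3, 4, 4, 5 (two `### 4.` headings, "Add API permissions" and "Update token version"); `Delagated` and `conset` are misspelled, `enviroment` in the last bullet should be `environment`, and `Netbird` should be `NetBird` in prose (the literal app name in the form values can stay); the `setup.env` snippet is fenced as ```json but contains `KEY="value"` shell assignments, so ```bash or ```env would be correct; "setup other options as on the screenshot below" in step 2 replaces the explicit checkbox names the previous page listed (`Access tokens (used for implicit flows)`, `ID tokens (used for implicit and hybrid flows)`), so please name them in text as well for readers who cannot see the image; the `management.json` example uses `<object_id>` but nothing tells the reader where that value is found; and `NETBIRD_AUTH_DEVICE_AUTH_PROVIDER=hosted` from the deleted page is gone while `NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID` is still set, so confirm whether dropping it is intentional.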


@@ -1,88 +0,0 @@
---
id: using-netbird-with-azure-sso
title: Using NetBird with Azure SSO
sidebar_position: 4
tags:
- integrations
- idp
- azure
- oidc
- how-to
---
This guide is a part of the [NetBird Self-hosting Guide](/getting-started/self-hosting) and explains how to integrate
**self-hosted** NetBird with [Azure SSO](https://azure.microsoft.com/en-us/solutions/active-directory-sso/#overview).
This is an organized collection of instructions gathered from the [Netbird Slack](https://netbirdio.slack.com/)
There are five properties of the **`setup.env`** file that we will configure in this guide:
- `NETBIRD_AUTH_CLIENT_ID`
- `NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT`
- `NETBIRD_USE_AUTH0`
- `NETBIRD_AUTH_AUDIENCE`
- `NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID`
- `NETBIRD_AUTH_DEVICE_AUTH_PROVIDER`
- `NETBIRD_AUTH_REDIRECT_URI`
- `NETBIRD_AUTH_SILENT_REDIRECT_URI`
In Azure, Navigate to **Azure Active Directory**, and click on **App Registrations** in the left hand menu. Once there, Click on **New registration** across the top menu bar.
- Write a name for your application and choose who can access your application.
- For Redirect URI, Choose Single-page Application(SPA). for the next box, type your netbird.domainname + auth. E.g `https://netbird.mydomainname.com/auth`. Keep the `auth` in mind as this will be your value for `NETBIRD_AUTH_REDIRECT_URI`
- On this next page, copy the `Application (client) ID`. This will be the value for the following:
- `NETBIRD_AUTH_AUDIENCE`
- `NETBIRD_AUTH_CLIENT_ID`
- `NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID`
### 1. Authentication
Within the same section (App Registrations), navigate to **Authentication** via the left hand menu. Once there, perform the following:
- Under the Single-page Application Section, Add another URI with the following value: `https://yournetbirddomain.com/silent-auth`. The `silent-auth` section of the url is the value for `NETBIRD_AUTH_SILENT_REDIRECT_URI`
- You should have two URI's listed similar to these:
- `https://yournetbirddomain.com/auth`
- `https://yournetbirddomain.com/silent-auth`
- Scroll down and check off the following two boxes:
- `Access tokens (used for implicit flows)`
- `ID tokens (used for implicit and hybrid flows)`
### 2. Expose API
Next, on the left hand menu, click on **Expose an API**. Next, set an `Application ID URI`. You can choose the default value as is, or set your own. Click on **Add a Scope**, and enter the following:
- **Scope Name:** `api`
- The rest you can choose as your work requires it.
Next under **Authorized client Applications**, click on **add a client application** and enter the following:
- **Client ID**: This is the same as your Application ID URI minus the `api://`. See the picture below as a reference
- **Authorized Scopes:** The correct scope will contain your **Client ID** used in the above step. The correct Authorized Scope will be similar to `api://YOUR_CLIENT_ID/api` (api is the value of the name of the scope we defined before.)
![](/img/integrations/identity-providers/self-hosted/azure_api_scope.png)
### 3. API permissions
Under **API Permissions**, click on **Add a permission**. On the next screen that pops up, click on **My APIs**, and select the API that matches with your **Application Client ID**. Next Select the scope we created in the earlier steps.
### 4. Manifest
On the left hand Menu, click on **Manifest**. On the next page, search for `accessTokenAcceptedVersion` and change the value from `null` to `2`.
### 5. Continue with the self-hosting guide
Your authority OIDC configuration will be available under:
```
https://login.microsoftonline.com/YOUR-DIRECTORY(TENANT)-ID/v2.0/.well-known/openid-configuration
```
:::caution
Double-check if the endpoint returns a JSON response by calling it from your browser.
:::
- Set properties in the `setup.env` file:
- NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT=`https://login.microsoftonline.com/YOUR-DIRECTORY(TENANT)-ID/v2.0/.well-known/openid-configuration`
- this can be grabbed by clicking on `Endpoints` in your App's **App Registration* Over Page.
- NETBIRD_AUTH_CLIENT_ID=**YOUR APPLICATION (client) ID**
- This can be grabbed from your App's **App Registration** Overview page
- NETBIRD_AUTH_AUDIENCE=**YOUR APPLICATION (client) ID**
- NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=**YOUR Application (client) ID**. Optional,
- NETBIRD_USE_AUTH0=`false`
- NETBIRD_AUTH_DEVICE_AUTH_PROVIDER=`hosted`
- NETBIRD_AUTH_REDIRECT_URI=`/auth`
- NETBIRD_AUTH_SILENT_REDIRECT_URI=`/silent-auth`
- You can now continue with the [NetBird Self-hosting Guide](/getting-started/self-hosting#step-3-configure-identity-provider).
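Review bot: deleting this page removes guidance that the replacement does not carry over, in particular the `Authorized Scopes` value for the client application, `api://YOUR_CLIENT_ID/api`, under "2. Expose API" (the new page's corresponding step lists only the Client ID), and the pointers that the OIDC configuration endpoint is available via `Endpoints` on the App Registration overview page and that the `Application (client) ID` is read from the same page. Either fold these into the new page or state explicitly that they are no longer required so the rewrite is not a silent regression for readers following the old procedure.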