sendnrw/netbird-docs
2
0
Fork 0
mirror of https://github.com/netbirdio/docs.git synced 2026-04-16 07:26:35 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
36b8eb060a1e8d6b152484a0e5670c11f8aec4e2
netbird-docs/docs/integrations/identity-providers/self-hosted/azure-ad.md
Bethuel e17614b813 add correct azure scope value to device flow
2023-05-05 13:15:33 +03:00

6.8 KiB
Raw Blame History

id, title, sidebar_position, tags
id title sidebar_position tags
using-netbird-with-azure-ad Using NetBird with Azure AD 4
integrations
idp
azure
oidc
how-to

This guide is a part of the NetBird Self-hosting Guide and explains how to integrate self-hosted NetBird with Azure AD.

Azure AD is a an enterprise identity service that provides single sign-on and multifactor authentication to your applications. It is a 3rd party managed service and can't be self-hosted.

:::tip self-hosted idp If you prefer to have full control over authentication and authorization of your NetBird network, there are good self-hosted alternatives to the managed Auth0 service like Keycloak. :::

Before you start creating and configuring an Azure AD application, ensure that you have the following:

  • An Azure account: To create an Azure AD application, you must have an Azure account. If you don't have one, sign up for a free account at https://azure.microsoft.com/free/.

  • User account with appropriate permissions: You must have an Azure AD user account with the appropriate permissions to create and manage Azure AD applications. If you don't have the required permissions, ask your Azure AD administrator to grant them to you.

1. Create and configure Azure AD application

In this step, we will create and configure Netbird application in azure AD.

  • Navigate to Azure Active Directory
  • Click App Registrations in the left menu then click on the + New registration button to create a new application.
  • Fill in the form with the following values and click Register
    • Name: Netbird
    • Account Types: Accounts in this organizational directory only (Default Directory only - Single tenant)
    • Redirect URI: select Single-page application (SPA) and URI as https://<yournetbirddomain.com>/silent-auth

2. Platform configurations

  • Click Authentication on the left side menu

  • Under the Single-page application Section, add another URI https://<yournetbirddomain.com>/auth

  • Scroll down and setup other options as on the screenshot below and click Save

3. Create a NetBird application scope

  • Click Expose an API on the left menu
  • Under Application ID URI click Set and then Save
  • Click + Add a Scope
  • Fill in the form with the following values and click Add scope
    • Scope name: api

  • Under Authorized client Applications, click on + add a client application and enter the following:
  • Fill in the form with the following values and click Add application
    • Client ID: same as your Application ID URI minus the api://

4. Add API permissions

  • Add Netbird permissions

    • Click API permissions on the left menu
    • Click Add a permission
    • Click My APIs tab, and select Netbird. Next check api permission checkbox and click Add permissions.

  • Add Delagated permissions to Microsoft Graph

    • Click Add a permission
    • Click Microsoft Graph and then click Delagated permissions tab and check all permissions under the OpenId permissions section and click Add permissions

  • Add Application permissions to Microsoft Graph

    • Click Add a permission
    • Click Microsoft Graph and then click Application permissions tab
    • Search for User.ReadWrite.All and under User sections and check User.ReadWrite.All checkbox section

    • Search for Application.ReadWrite.All and under Application sections and check Application.ReadWrite.All checkbox section and click Add permissions

    • Click Grant admin conset for Default Directory and click Yes

4. Update token version

  • Click Manifest on left menu
  • Search for accessTokenAcceptedVersion and change the value from null to 2
  • Click Save

5. Generate client secret

  • Click Certificates & secrets on left menu
  • Click New client secret
  • Fill in the form with the following values and click Add
    • Description: Netbird
  • Copy Value and save it as it can be viewed only once after creation.

Your authority OIDC configuration will be available under:

https://login.microsoftonline.com/<tenant_id>/v2.0/.well-known/openid-configuration

:::caution Double-check if the endpoint returns a JSON response by calling it from your browser. :::

  • Set properties in the setup.env file:

    NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://login.microsoftonline.com/<tenant_id>/v2.0/.well-known/openid-configuration"
NETBIRD_USE_AUTH0=false
NETBIRD_AUTH_CLIENT_ID="<application_id>"
NETBIRD_AUTH_AUDIENCE="<application_id>"
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="<application_id>"
NETBIRD_AUTH_REDIRECT_URI="/auth"
NETBIRD_AUTH_SILENT_REDIRECT_URI="/silent-auth"
NETBIRD_AUTH_USER_ID_CLAIM="oid"

  • You can now continue with the NetBird Self-hosting Guide.

  • Set property IdpManagerConfig in the management.json file with: :::caution The file management.json is created automatically. Please refer here for more information. :::

    {
  "ManagerType": "azure",
  "AzureClientCredentials": {
      "ClientID": "<application_id>",
      "ClientSecret": "<client_secret>",
      "GrantType": "client_credentials",
      "ObjectID": "<object_id>",
      "TokenEndpoint": "https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token",
      "GraphAPIEndpoint": "https://graph.microsoft.com/v1.0"
  }
}

  • Modify the value of the AUTH_SUPPORTED_SCOPES environment variable for the dashboard service in the docker-compose.yml file to openid profile email offline_access api://<application_id>/api.

  • Modify Scope value in DeviceAuthorizationFlow within the management.json to api://<application_id>/api.

Reference in New Issue View Git Blame Copy Permalink