Consuming identities from Entra ID IdP
CAS can act as a client (i.e. a service provider or proxy) using the pac4j library and delegate authentication to the Entra ID IdP. This guide describes how to connect IAM appliance authentication to Entra ID. The procedure below assumes a single tenant; with multiple tenants the procedure may differ.
Registering CAS at Entra ID IdP
Firstly, we will need to go through an app registration in the Entra ID portal. The steps to perform the registration can be found here. When asked for the Redirect URI, use:

```
https://iam-example.com/cas/login?client_name=azuread
```

(1) The selected client_name must match the cas.authn.pac4j.oidc[0].azure.client-name attribute in the CAS configuration. Entra ID matches redirect URIs exactly, so register the URI with this query string, not just the /cas/login path.
For the CAS configuration, we will need the following information, which we obtain after registering the application in Entra ID. The table below shows the sample values used in the example configuration that follows:

Entra ID information | Example value | CAS property
---|---|---
Tenant ID | 668cd59f-4v15-4ca2-l689-3b4fe3eb6xb6 | cas.authn.pac4j.oidc[0].azure.discovery-uri (tenant segment of the URL)
Azure ID (application/client ID) | fa96b112-5766-4931-b002-15d40fbd8dcf | cas.authn.pac4j.oidc[0].azure.id
Azure secret (client secret) | ************ | cas.authn.pac4j.oidc[0].azure.secret
Tenant name | companyname.onmicrosoft.com | cas.authn.pac4j.oidc[0].azure.tenant
Azure scope | openid,profile,User.Read | cas.authn.pac4j.oidc[0].azure.scope
Example CAS properties configuration
- First we need to change the CAS properties. Create a file called 002_azure_authorization.properties in the /data/volumes/cas/cas.properties.d/ directory with the following content (the file holds the client secret, so restrict its permissions to the account running CAS):

```properties
cas.authn.pac4j.oidc[0].azure.discovery-uri=https://login.microsoftonline.com/668cd59f-4v15-4ca2-l689-3b4fe3eb6xb6/v2.0/.well-known/openid-configuration
cas.authn.pac4j.oidc[0].azure.id=fa96b112-5766-4931-b002-15d40fbd8dcf
cas.authn.pac4j.oidc[0].azure.secret=************
cas.authn.pac4j.oidc[0].azure.client-name=azuread
cas.authn.pac4j.oidc[0].azure.tenant=companyname.onmicrosoft.com
cas.authn.pac4j.oidc[0].azure.enabled=true
cas.authn.pac4j.oidc[0].azure.display-name=Company Global Login
cas.authn.pac4j.oidc[0].azure.scope=openid,profile,User.Read
cas.authn.pac4j.oidc[0].azure.principal-attribute-id=upn
cas.authn.pac4j.oidc[0].azure.response-mode=form_post
cas.authn.pac4j.oidc[0].azure.response-type=code
```

- Then restart the CAS service:

```shell
systemctl restart iam-cas
```
Parameter | Value
---|---
cas.authn.pac4j.oidc[0].azure.discovery-uri | The discovery endpoint used to locate the provider metadata. In the endpoint URL, replace the tenant ID (the first path segment) with your own tenant ID.
cas.authn.pac4j.oidc[0].azure.id | The client (application) ID received from Entra ID.
cas.authn.pac4j.oidc[0].azure.secret | The client secret received from Entra ID.
cas.authn.pac4j.oidc[0].azure.client-name | The name of the client. It can be arbitrary, but it must match the client_name in the redirect URI registered in Entra ID.
cas.authn.pac4j.oidc[0].azure.tenant | Entra ID tenant name. It can take 4 different values: common, organizations, consumers, or a specific tenant ID or verified domain name (the example above uses companyname.onmicrosoft.com).
cas.authn.pac4j.oidc[0].azure.enabled | Whether the client/external identity provider should be considered active and enabled for integration purposes. The parameter is a boolean.
cas.authn.pac4j.oidc[0].azure.display-name | The title or display name of the client for decoration and presentation purposes. It is shown as the button label on the login page. If left blank, the client's original name (client-name) is used instead.
cas.authn.pac4j.oidc[0].azure.scope | Requested scope(s), separated by commas. openid must be present for an OpenID Connect login.
cas.authn.pac4j.oidc[0].azure.principal-attribute-id | The attribute to use as the principal identifier built during and upon a successful authentication attempt.
cas.authn.pac4j.oidc[0].azure.response-mode | The response mode specifies how the result of the authorization request is returned to CAS. For backward compatibility the default value is empty, which means the default pac4j response mode is used. Possible values include query, fragment and form_post.
cas.authn.pac4j.oidc[0].azure.response-type | The response type tells the authorization server which grant to execute. For backward compatibility the default value is empty, which means the default pac4j response type (code) is used. Possible values include code, id_token and token, and combinations of them such as id_token token.
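The consistency rules spread over the steps and the table above (client-name equal to the client_name in the registered redirect URI, a well-formed discovery URI for a valid tenant selector, a GUID client ID, a real secret, openid in the scope list, and standard response mode/type values) are easy to get wrong by hand. The following script is an added example, not code from CAS, pac4j or the IAM appliance; it parses a cas.properties.d file offline and reports every rule that fails. The function names, the sample GUIDs, the secret and the host names are constructed for the demo, and the accepted response-mode/response-type sets are taken from the OIDC specifications, not from a pac4j source listing.

```python
"""Offline consistency check for CAS pac4j 'azure' delegation properties.

Example added to this page, not code from CAS, pac4j or the IAM appliance.
It checks: client-name equals the client_name of the registered redirect URI,
discovery-uri names the v2.0 metadata of a valid tenant selector, id is a GUID,
secret is not a placeholder, scope includes openid, and response-mode /
response-type are values the OIDC specifications define. All sample data is constructed.
"""
import re
from urllib.parse import parse_qs, urlparse

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.I)
TENANT_KEYWORDS = {"common", "organizations", "consumers"}
RESPONSE_MODES = {"", "query", "fragment", "form_post"}          # "" = pac4j default
RESPONSE_TYPES = {"", "code", "id_token", "id_token token",      # OIDC Core types
                  "code id_token", "code token", "code id_token token"}

# Redirect URI as registered in Entra ID (mirrors the page's example).
REDIRECT_URI = "https://iam-example.com/cas/login?client_name=azuread"

GOOD_PROPERTIES = """\
# constructed sample: every value is a placeholder
cas.authn.pac4j.oidc[0].azure.discovery-uri=https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0/.well-known/openid-configuration
cas.authn.pac4j.oidc[0].azure.id=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
cas.authn.pac4j.oidc[0].azure.secret=s3cr3t-value-from-entra
cas.authn.pac4j.oidc[0].azure.client-name=azuread
cas.authn.pac4j.oidc[0].azure.tenant=companyname.onmicrosoft.com
cas.authn.pac4j.oidc[0].azure.scope=openid,profile,User.Read
cas.authn.pac4j.oidc[0].azure.response-mode=form_post
cas.authn.pac4j.oidc[0].azure.response-type=code
"""
# Same file with four typical mistakes: wrong client-name, placeholder secret,
# missing openid scope and a response mode that does not exist.
BAD_PROPERTIES = (GOOD_PROPERTIES
                  .replace("client-name=azuread", "client-name=azure")
                  .replace("secret=s3cr3t-value-from-entra", "secret=************")
                  .replace("scope=openid,profile,User.Read", "scope=profile,User.Read")
                  .replace("response-mode=form_post", "response-mode=post"))


def parse_properties(text):
    """Minimal Java .properties reader: key=value per line, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!":
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props


def tenant_form(value):
    """Classify a tenant selector as 'guid', 'keyword', 'domain' or None."""
    if GUID_RE.match(value):
        return "guid"
    if value in TENANT_KEYWORDS:
        return "keyword"
    return "domain" if DOMAIN_RE.match(value) else None


def check_azure_config(props, redirect_uri, index=0):
    """Return a list of problems; an empty list means the config is consistent."""
    prefix = f"cas.authn.pac4j.oidc[{index}].azure."
    c = {k[len(prefix):]: v for k, v in props.items() if k.startswith(prefix)}
    problems = []
    # client-name must equal the client_name query parameter of the redirect URI
    registered = parse_qs(urlparse(redirect_uri).query).get("client_name", [])
    if c.get("client-name") not in registered:
        problems.append(f"client-name {c.get('client-name')!r} does not match "
                        f"redirect URI client_name {registered}")
    # discovery-uri: https://login.microsoftonline.com/<tenant>/v2.0/.well-known/openid-configuration
    disc = urlparse(c.get("discovery-uri", ""))
    segs = disc.path.strip("/").split("/")
    if (disc.scheme, disc.netloc) != ("https", "login.microsoftonline.com"):
        problems.append("discovery-uri must start with https://login.microsoftonline.com/")
    if len(segs) != 4 or segs[1:] != ["v2.0", ".well-known", "openid-configuration"]:
        problems.append("discovery-uri path must be /<tenant>/v2.0/.well-known/openid-configuration")
    elif tenant_form(segs[0]) is None:
        problems.append(f"discovery-uri tenant segment {segs[0]!r} is not a tenant ID, domain or keyword")
    # tenant: GUID, verified domain name, or common/organizations/consumers
    if tenant_form(c.get("tenant", "")) is None:
        problems.append(f"tenant {c.get('tenant')!r} is not a tenant ID, domain or keyword")
    # id is the application (client) ID GUID; secret must be a real value
    if not GUID_RE.match(c.get("id", "")):
        problems.append("id is not an application (client) ID GUID")
    secret = c.get("secret", "")
    if not secret or set(secret) <= {"*"}:
        problems.append("secret is empty or still a placeholder")
    # scope must include openid, otherwise no ID token is issued
    if "openid" not in [s.strip() for s in c.get("scope", "").split(",")]:
        problems.append("scope must include openid")
    # response-mode / response-type must be values the OIDC specifications define
    if c.get("response-mode", "") not in RESPONSE_MODES:
        problems.append(f"response-mode {c.get('response-mode')!r} is not one of "
                        f"{sorted(RESPONSE_MODES - {''})}")
    if c.get("response-type", "") not in RESPONSE_TYPES:
        problems.append(f"response-type {c.get('response-type')!r} is not an OIDC response type")
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_PROPERTIES), ("bad", BAD_PROPERTIES)):
        print(label, check_azure_config(parse_properties(text), REDIRECT_URI))
```

Run it against the real 002_azure_authorization.properties by reading the file into parse_properties and passing the redirect URI exactly as registered in Entra ID; the good sample yields an empty list, the bad sample reports the client-name mismatch, the placeholder secret, the missing openid scope and the unknown response mode. The tenant check deliberately accepts a GUID, a verified domain or one of common/organizations/consumers, because all four forms are valid in the discovery URL.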