Authentication
Configure password hashers

```yaml
security:
    ...
    password_hashers:
        ...
        Enabel\UserBundle\Entity\User: argon2i
```

`argon2i` requires the sodium extension (or the `password_hash()` argon2 support compiled into PHP). If you do not need that exact algorithm, `auto` is the value Symfony recommends: it selects the strongest hasher available on the server (argon2id with libsodium, bcrypt otherwise) and upgrades existing hashes transparently.
Configure providers

```yaml
security:
    ...
    providers:
        ...
        enabel_user_provider:
            id: enabel_user.provider
```
Configure firewall

```yaml
security:
    ...
    firewalls:
        ...
        main:
            lazy: true
            provider: enabel_user_provider
            custom_authenticator:
                - enabel_user.local_authenticator
                - enabel_user.azure_authenticator
            # https://symfony.com/doc/current/security/impersonating_user.html
            switch_user: { role: ROLE_ALLOWED_TO_SWITCH }
            remember_me:
                secret: "%env(APP_SECRET)%"
                name: ENABEL_REMEMBER_ME
                lifetime: 31536000
                path: /
                always_remember_me: true
            logout:
                path: enabel_logout
                target: enabel_login
```

Two things to decide consciously here. `lifetime: 31536000` is one year, and `always_remember_me: true` issues that cookie on every login without asking the user; if you would rather let users opt in, set `always_remember_me: false` and add the `_remember_me` checkbox to the login form. `switch_user` lets anyone holding `ROLE_ALLOWED_TO_SWITCH` impersonate any other user, so grant that role sparingly (below it is reserved for `ROLE_SUPER_ADMIN`).
Configure roles

```yaml
security:
    ...
    role_hierarchy:
        ...
        ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
        ROLE_ADMIN: [ROLE_USER]
        ROLE_USER: []
```
Setup access control

```yaml
security:
    ...
    access_control:
        - { path: ^/auth/login, roles: PUBLIC_ACCESS }
        - { path: ^/azure/login, roles: PUBLIC_ACCESS }
        - { path: ^/azure/check, roles: PUBLIC_ACCESS }
        - { path: ^/auth/logout, roles: PUBLIC_ACCESS }
        - { path: ^/admin, roles: ROLE_ADMIN }
        ...
```

Symfony applies only the first `access_control` entry whose `path` matches, so the public login, Azure callback and logout routes must stay above any broader rule. A request that matches no entry is not restricted at all, and with `lazy: true` it is served to unauthenticated users; make sure the rules elided above end with whatever catch-all your application needs.
Azure
Client ID & secret
You need to register a new application on Azure to obtain a client ID and a client secret.

- Go to the Azure portal (https://portal.azure.com)
- Go to Active Directory (now called Microsoft Entra ID)
- Go to App registrations
- Click on New registration and follow the wizard (give it a name like 'auth-connector-APP_NAME' and make a decision on the supported accounts; single tenant should be enough, but this depends on your organisation)
- When the application has been created, write down the 'Application (client) ID': this will be your AZURE_CLIENT_ID
- Then go in the menu to API permissions to view the permissions that are required. You should see that the following delegated permission is granted: Microsoft Graph: User.Read
- Click on Grant admin consent for ...Company...
- Go in the menu to Certificates & secrets
- Click on New client secret
- Give it a description and an expiry date; the value will be your AZURE_CLIENT_SECRET. The value is shown only once, right after creation, and the secret stops working on the expiry date you chose, so plan its rotation
- Then go in the menu to Manifest to accept the additional information that is returned in the token (see the user details section): change the value of acceptMappedClaims from null to true. This setting is the application's acknowledgement that the tenant may add custom claims to its tokens, which is exactly what the claims mapping below does
- Finally, go in the menu to Authentication
- Click on Add a platform
- Choose Web
- Fill in the info and click on Configure:
  - Redirect URIs: https://127.0.0.1:8000/azure/check (this is the local development URL; a deployed application needs its own exact HTTPS URL here, since Azure only redirects to URIs registered verbatim)
  - Front-channel logout URL: leave blank
  - Implicit grant and hybrid flows: select ID tokens
- Optionally, you can add more URIs, for instance for testing environments or localhost, by clicking on Add URI
- That's it, put the AZURE_CLIENT_ID & AZURE_CLIENT_SECRET values in your .env.local file (which is git-ignored by the Symfony skeleton, unlike .env; never commit the secret)

Example:

```dotenv
AZURE_CLIENT_ID=19b725a4-1a39-5fa6-bdd0-7fe992bcf33c
AZURE_CLIENT_SECRET=kW74Q~.nWu9HVZ7Rnj.2y][x9.cQTuef:et_
```
User details from Azure AD
The authenticator needs additional information from Azure AD for the user's profile. Follow these steps to add this information to the ID token.

- Go to the Azure portal (https://portal.azure.com)
- Go to Active Directory
- Go to App registrations
- Retrieve the application registered in the previous step
- In the overview, go to Managed application in local directory: auth-connector-...
- Go to Single sign-on and edit/add the Attributes & Claims as follows:

| Claim name  | Type | Value                  |
|-------------|------|------------------------|
| country     | JWT  | user.country           |
| displayName | JWT  | user.displayname       |
| employeeId  | JWT  | user.employeeid        |
| jobTitle    | JWT  | user.jobtitle          |
| language    | JWT  | user.preferredlanguage |

- That's it, you will now be able to connect with your Azure account.
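Once configured, these appear as top-level claims in the ID token next to the standard ones (`iss`, `aud`, `exp`, `nonce`, `oid`, `preferred_username`). The following is an added example, not code from the bundle, showing in plain PHP the checks an authenticator should run on the decoded ID token payload before trusting it, and how the five mapped claims are read out. The class name, the tenant ID, the nonce and the sample payload are assumptions constructed for the example; the client ID is the one from the `.env.local` example above.

```php
<?php
declare(strict_types=1);

// Added example, not part of the bundle. Validates the standard claims of an Azure AD
// (v2.0 endpoint) ID token payload and maps the custom claims from the "Attributes &
// Claims" table onto a plain user array. The payload is assumed to have been
// signature-checked already against the tenant's JWKS: until that check has passed,
// every claim below is attacker-controlled, so never run this on an unverified token.
final class AzureIdTokenClaims
{
    /** Claim name in the token => property on the user, as configured in the portal. */
    private const MAPPED_CLAIMS = [
        'country'     => 'country',
        'displayName' => 'displayName',
        'employeeId'  => 'employeeId',
        'jobTitle'    => 'jobTitle',
        'language'    => 'language',
    ];

    /**
     * @param array<string,mixed> $claims decoded JSON payload of the ID token
     * @throws RuntimeException when a standard claim is missing or wrong
     */
    public static function assertValid(array $claims, string $tenantId, string $clientId, string $expectedNonce, int $now): void
    {
        // v2.0 tokens are issued per tenant; a token from any other tenant must be rejected.
        $issuer = sprintf('https://login.microsoftonline.com/%s/v2.0', $tenantId);
        if (($claims['iss'] ?? null) !== $issuer) {
            throw new RuntimeException('ID token issuer mismatch');
        }
        // For an ID token, aud is the application (client) ID, i.e. AZURE_CLIENT_ID.
        if (($claims['aud'] ?? null) !== $clientId) {
            throw new RuntimeException('ID token audience mismatch');
        }
        if (!isset($claims['exp']) || (int) $claims['exp'] <= $now) {
            throw new RuntimeException('ID token expired');
        }
        if (isset($claims['nbf']) && (int) $claims['nbf'] > $now) {
            throw new RuntimeException('ID token not yet valid');
        }
        // The nonce was generated when the login started and kept in the session; binding
        // the token to it stops a captured token from being replayed into another session.
        if (!isset($claims['nonce']) || !hash_equals($expectedNonce, (string) $claims['nonce'])) {
            throw new RuntimeException('ID token nonce mismatch');
        }
    }

    /**
     * @param array<string,mixed> $claims
     * @return array<string,string>
     */
    public static function toUser(array $claims): array
    {
        if (!isset($claims['oid'], $claims['preferred_username'])) {
            throw new RuntimeException('oid / preferred_username missing from ID token');
        }
        // oid is the stable object ID of the account; the UPN/e-mail can change, so key on oid.
        $user = [
            'azureId' => (string) $claims['oid'],
            'email'   => (string) $claims['preferred_username'],
        ];
        foreach (self::MAPPED_CLAIMS as $claim => $property) {
            if (!array_key_exists($claim, $claims)) {
                // A missing mapped claim usually means the Attributes & Claims table is
                // incomplete or acceptMappedClaims is still null in the manifest.
                throw new RuntimeException(sprintf('Mapped claim "%s" missing from ID token', $claim));
            }
            $user[$property] = (string) $claims[$claim];
        }
        return $user;
    }
}

// Constructed sample payload (not a real token). In the authenticator it would be the
// JSON-decoded second JWT segment, obtained after signature verification.
$tenantId = '11111111-2222-3333-4444-555555555555';   // assumed tenant ID
$clientId = '19b725a4-1a39-5fa6-bdd0-7fe992bcf33c';   // AZURE_CLIENT_ID from the example above
$nonce    = 'n-0S6_WzA2Mj';                            // assumed value stored in the session
$now      = 1700000000;
$payload  = [
    'iss'                => 'https://login.microsoftonline.com/' . $tenantId . '/v2.0',
    'aud'                => $clientId,
    'exp'                => $now + 3600,
    'nbf'                => $now - 60,
    'nonce'              => $nonce,
    'oid'                => 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee',
    'preferred_username' => 'jane.doe@example.org',
    'country'            => 'BE',
    'displayName'        => 'Jane Doe',
    'employeeId'         => '12345',
    'jobTitle'           => 'Security Engineer',
    'language'           => 'fr-BE',
];

AzureIdTokenClaims::assertValid($payload, $tenantId, $clientId, $nonce, $now);
print_r(AzureIdTokenClaims::toUser($payload));
```

Run it with `php azure_claims.php`; removing any of the five mapped claims from `$payload`, or changing `aud` to another client ID, makes it throw instead of returning a user, which is the behaviour you want when the portal configuration drifts or a token for a different application is presented.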