Skip to main content

Azure Active Directory

Firezone supports Single Sign-On (SSO) using Azure Active Directory through the generic OIDC connector. This guide will walk you through how to obtain the following config settings required for the integration:

  1. discovery_document_uri: The OpenID Connect provider configuration URI which returns a JSON document used to construct subsequent requests to this OIDC provider.
  2. client_id: The client ID of the application.
  3. client_secret: The client secret of the application.
  4. redirect_uri: Instructs OIDC provider where to redirect after authentication. This should be your Firezone EXTERNAL_URL + /auth/oidc/<provider_key>/callback/ (e.g. https://firezone.example.com/auth/oidc/azure/callback/).
  5. response_type: Set to code.
  6. scope: OIDC scopes to obtain from your OIDC provider. This should be set to openid email profile offline_access to provide Firezone with the user's email in the returned claims.
  7. label: The button label text that shows up on your Firezone login screen.

Azure SSO

Obtain Config Settings

This guide is adapted from the Azure Active Directory documentation.

Navigate to the Azure Active Directory page on the Azure portal. Select the App registrations link under the Manage menu, click New Registration, and register after entering the following:

  1. Name: Firezone
  2. Supported account types: (Default Directory only - Single tenant)
  3. Redirect URI: This should be your firezone EXTERNAL_URL + /auth/oidc/azure/callback/ (e.g. https://firezone.example.com/auth/oidc/azure/callback/). Make sure you include the trailing slash. This will be the redirect_uri value.

App Registration

After registering, open the details view of the application and copy the Application (client) ID. This will be the client_id value. Next, open the endpoints menu to retrieve the OpenID Connect metadata document. This will be the discovery_document_uri value.

Azure Client ID

Next, select the Certificates & secrets link under the Manage menu and create a new client secret. Copy the client secret - this will be the client_secret value.

Add a client secret

Lastly, select the API permissions link under the Manage menu, click Add a permission, and select Microsoft Graph. Add email, openid, offline_access and profile to the required permissions.

Permissions

Integrate With Firezone

Edit /etc/firezone/firezone.rb to include the options below.

# Using Azure Active Directory as the SSO identity provider
default['firezone']['authentication']['oidc'] = {
azure: {
discovery_document_uri: "https://login.microsoftonline.com/<TENANT_ID>/v2.0/.well-known/openid-configuration",
client_id: "<CLIENT_ID>",
client_secret: "<CLIENT_SECRET>",
redirect_uri: "https://firezone.example.com/auth/oidc/azure/callback/",
response_type: "code",
scope: "openid email profile offline_access",
label: "Azure"
}
}

Run firezone-ctl reconfigure to update the application. You should now see a Sign in with Azure button at the root Firezone URL.

Restricting Access to Certain Members

Azure AD allows admins to restrict app access to a subset of users within your organization. See Microsoft's documentation for more information on how to do this.