Reputation: 41
I created an Azure AD account to test SSO. I was able to get Apache to authenticate a site using SSO and pass the authenticated user's email address as a header. I'm having trouble getting the "groups" claim to be passed through.
My Apache config looks as follows:
```apache
LoadModule auth_openidc_module /usr/lib64/httpd/modules/mod_auth_openidc.so
<IfModule mod_auth_openidc.c>
OIDCProviderMetadataURL https://sts.windows.net/<removed>/.well-known/openid-configuration
OIDCClientID <removed>
OIDCClientSecret <removed>
OIDCRedirectURI https://<removed>/redirect_uri
OIDCResponseType code
OIDCScope "openid email profile groups family_name given_name"
OIDCSSLValidateServer Off
OIDCCryptoPassphrase <removed>
OIDCPassClaimsAs headers
OIDCClaimPrefix USERINFO_
OIDCRemoteUserClaim email
OIDCPassUserInfoAs claims
OIDCAuthNHeader USER
OIDCPassIDTokenAs claims
OIDCPassRefreshToken On
</IfModule>
```
My optional claims in Azure AD look like this:
Additionally I created a group in AD called "Users" and added myself to that group. So I would expect to see "Users" passed as some sort of attribute in the headers.
If I print the HTTP headers on the server I see this...
```
CONTEXT_DOCUMENT_ROOT: /var/httpd/cgi-bin/
CONTEXT_PREFIX: /cgi-bin/
DOCUMENT_ROOT: /var/SP/httpd/htdocs/docs
GATEWAY_INTERFACE: CGI/1.1
HTTP_ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
HTTP_ACCEPT_ENCODING: gzip, deflate, br
HTTP_ACCEPT_LANGUAGE: en-GB,en-US;q=0.9,en;q=0.8
HTTP_CACHE_CONTROL: max-age=0
HTTP_COOKIE: _ga=GA1.2.601634409.1596125029; mod_auth_openidc_session=c186c9d6-eebe-11ea-8429-7982f43b32a7
HTTP_HOST: <removed>
HTTP_SEC_FETCH_DEST: document
HTTP_SEC_FETCH_MODE: navigate
HTTP_SEC_FETCH_SITE: none
HTTP_SEC_FETCH_USER: ?1
HTTP_UPGRADE_INSECURE_REQUESTS: 1
HTTP_USER: <removed>
HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36
HTTP_X_AMZN_TRACE_ID: Root=1-5f52559a-6b8b464ec338a6097565fce0
HTTP_X_FORWARDED_FOR: <removed>
HTTP_X_FORWARDED_PORT: 443
HTTP_X_FORWARDED_PROTO: https
LD_LIBRARY_PATH: /opt/apache-2.4/lib64
PATH: /sbin:/usr/sbin:/bin:/usr/bin
QUERY_STRING:
REMOTE_ADDR: <removed>
REMOTE_PORT: 45364
REMOTE_USER: <removed>
REQUEST_METHOD: GET
REQUEST_SCHEME: http
REQUEST_URI: /cgi-bin/headers.cgi
SCRIPT_FILENAME: /var/httpd/cgi-bin/headers.cgi
SCRIPT_NAME: /cgi-bin/headers.cgi
SCRIPT_URI: http://<removed>/cgi-bin/headers.cgi
SCRIPT_URL: /cgi-bin/headers.cgi
SERVER_ADDR: <removed>
SERVER_ADMIN: <removed>
SERVER_NAME: <removed>
SERVER_PORT: 80
SERVER_PROTOCOL: HTTP/1.1
SERVER_SIGNATURE:
SERVER_SOFTWARE: Apache/2.4.46 (Unix) OpenSSL/1.1.1c
X_REMOTE_USER: <removed>
```
The REMOTE_USER, X_REMOTE_USER and HTTP_USER all show the correct authenticated user email.
I don't see anything related to "groups", "USERINFO_", "family_name", "given_name". Not even blank placeholders.
I'm a bit stuck as the Apache config looks okay as far as I can tell and from what I have read the Azure configuration is okay as well.
Any ideas why the claims are not being passed through?
Upvotes: 0
Views: 1164
Reputation: 41
I changed:
```apache
OIDCPassClaimsAs headers
```
to:
```apache
OIDCPassClaimsAs both
```
... and it worked!
Upvotes: 0
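As an added example (not code from the question, the answer, or the mod_auth_openidc project), this is how a CGI script like the `headers.cgi` above would consume the claims once they arrive: Apache's `USERINFO_*` headers show up as `HTTP_USERINFO_*` CGI variables, and the multi-valued `groups` claim is one string joined with mod_auth_openidc's claim delimiter. The environment, e-mail and group object IDs are constructed; the `,` delimiter assumes `OIDCClaimDelimiter` was left at its default, and the group values are object IDs rather than display names, which is the form Azure AD's `groups` claim takes.

```python
"""Read mod_auth_openidc claim headers from a CGI environment and check group membership."""
import os

CLAIM_PREFIX = "USERINFO_"   # matches OIDCClaimPrefix in the question's config
CLAIM_DELIMITER = ","        # mod_auth_openidc default OIDCClaimDelimiter (assumed unchanged)

# Constructed sample environment: the question's dump plus the USERINFO_* headers
# that appear once claims are passed through. All values are placeholders.
SAMPLE_ENVIRON = {
    "REMOTE_USER": "alice@example.test",
    "HTTP_USER": "alice@example.test",
    "HTTP_USERINFO_EMAIL": "alice@example.test",
    "HTTP_USERINFO_GIVEN_NAME": "Alice",
    "HTTP_USERINFO_FAMILY_NAME": "Example",
    # Azure AD's groups claim carries group object IDs, not names; constructed GUIDs here
    "HTTP_USERINFO_GROUPS": "11111111-2222-3333-4444-555555555555,aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "HTTP_USER_AGENT": "Mozilla/5.0",
}


def claims_from_environ(environ, prefix=CLAIM_PREFIX):
    """Return {claim_name: value} for every claim header CGI exposed as HTTP_<PREFIX><CLAIM>."""
    cgi_prefix = "HTTP_" + prefix.upper()
    return {key[len(cgi_prefix):].lower(): value
            for key, value in environ.items() if key.startswith(cgi_prefix)}


def groups_from_claims(claims, delimiter=CLAIM_DELIMITER):
    """Split the multi-valued groups claim that mod_auth_openidc joined into one header."""
    raw = claims.get("groups", "")
    return [g.strip() for g in raw.split(delimiter) if g.strip()]


def is_member(environ, required_group_id):
    """Authorize only when Apache itself authenticated the request (REMOTE_USER set),
    so a claim header is never trusted on a request that bypassed mod_auth_openidc."""
    if not environ.get("REMOTE_USER"):
        return False
    return required_group_id in groups_from_claims(claims_from_environ(environ))


if __name__ == "__main__":
    # Use the real CGI environment when run under Apache, the constructed one otherwise.
    env = os.environ if "HTTP_USERINFO_GROUPS" in os.environ else SAMPLE_ENVIRON
    print("claims:", claims_from_environ(env))
    print("groups:", groups_from_claims(claims_from_environ(env)))
```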