
Microsoft EntraID + Microsoft Authenticator MFA support #3980

Open
jordiblasco opened this issue Nov 27, 2024 · 5 comments

Comments

@jordiblasco

Hello,

We want to integrate Microsoft EntraID with Microsoft Authenticator MFA with Open OnDemand.

Could you validate the suitability of integrating these two components into OOD?

Thank you.

Regards,

Jordi

@osc-bot osc-bot added this to the Backlog milestone Nov 27, 2024
@johrstrom
Contributor

I'm not sure, but it's really a question of how to integrate Apache httpd with Microsoft EntraID with Microsoft Authenticator MFA. A quick Google search indicates you can work with MS Azure Active Directory, but I can't tell if that's the same thing as EntraID.

@achalker
Contributor

Microsoft Azure officially supports Open OnDemand and utilizes EntraID (and I believe has tested their MFA). You can see some more details at openondemand.org/azure. I'd also recommend reaching out to the author of that page, Xavier Pillions, who is our main point person at Microsoft Azure.

@jordiblasco
Author

Thank you for your quick reply and for pointing me in the right direction!

@Sabrina902-prog

Ok

@xpillons

@jordiblasco and @achalker sorry, but I missed that one.
Yes, EntraID can be configured with OIDC in Open OnDemand.
Below are the settings I'm using to configure it when using the OOD_ANSIBLE project. You may be able to map these to your environment.
This is using a managed identity mapped as a federated credential in your Entra application secrets, so no secret/cert needs to be created and stored, resulting in a more secure solution.

```yaml
---
httpd_auth:
- AuthType openid-connect
- Require valid-user

# Configuration for Entra ID with Federated Identity
# 1 - Create and attach a User Managed Identity for the OOD VM
# 2 - Create a new application in Entra ID
# 3 - Configure the application with the following settings:
#     - Redirect URI: https://{{ ood_fqdn }}/oidc
#     - Check the ID tokens in Implicit grant and hybrid flows
#     - In Token Configuration add an optional claim
#         - Token Type: ID
#         - Check 'upn' in the claim list
#     - Check 'Turn on the Microsoft Graph profile permission (required for claims to appear in token).'
#     - In Certificates & Secrets, add a Federated Credential using the OOD VM User Managed Identity; leave the default audience as api://AzureADTokenExchange

ood_auth_openidc:
  OIDCProviderMetadataURL: 'https://login.microsoftonline.com/{{tenant_id}}/v2.0/.well-known/openid-configuration'
  OIDCClientID: '{{ client_id }}'
  OIDCResponseType: 'id_token'
  OIDCRemoteUserClaim: 'upn'
  OIDCScope: 'openid profile'
  OIDCCryptoPassphrase: "exec:/bin/bash -c \"head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32\""
  OIDCPassIDTokenAs: 'serialized'
  OIDCPassRefreshToken: 'On'
  OIDCPassClaimsAs: 'environment'
  OIDCStateMaxNumberOfCookies: [7, true]

#oidc_remote_user_claim: "email"
logout_redirect: "/oidc?logout=https%3A%2F%2F{{ ood_fqdn }}"
oidc_uri: /oidc

user_map_match: '^([^@]+)@{{ entra_map_match }}$'
```
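As an added example (not part of this thread or of the Open OnDemand project), the harness below applies the `user_map_match` pattern from the configuration above to a few constructed UPN values, so you can check before deployment which `REMOTE_USER` values from the `upn` claim map to a local account and which are rejected. It assumes Python's `re` semantics stand in for the portal's regex engine, that the domain is substituted into the template without escaping (as the Jinja template suggests), and uses `example.org` as a placeholder domain.

```python
import re

# Stand-in for the thread's template '^([^@]+)@{{ entra_map_match }}$'.
# The template inserts the domain as raw regex text, so an unescaped '.'
# acts as a wildcard; escape=True shows the stricter variant.
def build_user_map_regex(domain: str, escape: bool = True) -> re.Pattern:
    suffix = re.escape(domain) if escape else domain
    return re.compile(rf"^([^@]+)@{suffix}$")


def map_remote_user(remote_user: str, domain: str, escape: bool = True):
    """Local username derived from REMOTE_USER (the upn claim), or None if rejected."""
    m = build_user_map_regex(domain, escape).match(remote_user)
    return m.group(1) if m else None


# Constructed sample UPNs; example.org is a placeholder, not a real tenant.
SAMPLES = [
    "alice@example.org",                             # member of the expected domain
    "bob@example.org.evil.test",                     # look-alike suffix, must be rejected
    "carol_gmail.com#EXT#@example.onmicrosoft.com",  # guest account on the tenant's initial domain
    "dave@examplexorg",                              # only accepted when '.' is left unescaped
]


def summarize(domain: str = "example.org") -> dict:
    """Map every sample with the escaped and the raw (template-style) pattern."""
    return {
        upn: (map_remote_user(upn, domain), map_remote_user(upn, domain, escape=False))
        for upn in SAMPLES
    }


if __name__ == "__main__":
    for upn, (escaped, raw) in summarize().items():
        print(f"{upn:48s} escaped={escaped!r:10} raw={raw!r}")
```

Run it with the domain you plan to put in `entra_map_match`; any sample that yields a username under the raw pattern but not under the escaped one is a UPN that the unescaped template would let through.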
