How to configure different external login providers for different tenants? Based on this answer https://github.com/abpframework/abp/discussions/19743, I suppose this is possible somehow but there is no place in the tenant side to configure this. Please provide instructions, how can we configure this.
10 Answer(s)
-
0
Hi, after you have configured external providers for the host side:
Then, you can see the "external provider" tab in the settings -> account section for the tenant (you may need to login as the admin user of the related tenant):
As you can see from the figure above, "amazon" is the tenant name and the "admin" is the username of the tenant admin, and it's possible to configure the client-id and client-secret for the related external provider.
-
You can use the host settings by checking the Use host settings checkbox,
-
Or override the client-id and client-secret per tenant
-
-
0
Thanks for the answer!
We are aiming to enable Microsoft Entra Id SSO login for some of our customers, that use our (Abp) application. How is that going to work when we cannot configure the azure tenant in the tenant's external login provider configuration? If only the client id and the secret are configurable, how can the customer point the configuration to their Microsoft Entra Id? -
0
Thanks for the answer!
We are aiming to enable Microsoft Entra Id SSO login for some of our customers, that use our (Abp) application. How is that going to work when we cannot configure the azure tenant in the tenant's external login provider configuration? If only the client id and the secret are configurable, how can the customer point the configuration to their Microsoft Entra Id?You're right to point out that simply configuring Client ID and Secret might not be enough for Microsoft Entra ID (now known as Microsoft Entra ID, formerly Azure AD) in a multi-tenant scenario. Each customer using their own Microsoft Entra ID will indeed have a unique Tenant ID (also known as Directory ID) that your application needs to target for authentication.
For that purpose, you should implement dynamic configuration using
ICoonfigureOptions<>. Here is what you can do:-
Implement
IConfigureOptions<OpenIdConnectOptions>for Azure AD:
Since Microsoft Entra ID uses the OpenID Connect protocol, you'll need to implement
IConfigureOptions<OpenIdConnectOptions>.public class AzureAdTenantOptionsProvider : IConfigureOptions<OpenIdConnectOptions>, ITransientDependency { private readonly ICurrentTenant _currentTenant; private readonly ITenantAzureAdSettingsService _tenantAzureAdSettingsService; //NOTE: you need to implement this service public AzureAdTenantOptionsProvider(ICurrentTenant currentTenant, ITenantAzureAdSettingsService tenantAzureAdSettingsService) { _currentTenant = currentTenant; _tenantAzureAdSettingsService = tenantAzureAdSettingsService; } public void Configure(OpenIdConnectOptions options) { if (_currentTenant.Id.HasValue) { var tenantId = _currentTenant.Id.Value; var azureAdSettings = _tenantAzureAdSettingsService.GetAzureAdSettings(tenantId); // Implement this if (azureAdSettings != null && azureAdSettings.IsEnabled) { options.ClientId = azureAdSettings.ClientId; options.ClientSecret = azureAdSettings.ClientSecret; options.Authority = $"https://login.microsoftonline.com/{azureAdSettings.TenantId}/v2.0"; options.ResponseType = "code"; // Or your preferred response type options.SaveTokens = true; options.GetClaimsFromUserInfoEndpoint = true; // Add other necessary options as per your requirements } else { // Or configure default behavior } } else { // Configure default Azure AD settings for the host if needed } } }-
Register the option dynamically in your module class (inside
ConfigureServicesmethod):
services.ConfigureOptions<AzureAdTenantOptionsProvider>();Note that, this requires additional implementation on your side and in the above example, I have just tried to provide you an approach. Since this is not fully related to ABP, you may need to check additional articles on the web.
In summary, to enable Microsoft Entra ID SSO login for different tenants:
-
You need to implement a dynamic option as I have described above, then create a service that returns tenantId from each customer for their Azure AD.
-
Our current system, only allows single-tenant configuration for EntraID, but by providing dynamic options, you can implement according to your business.
Regards.
-
-
0
Thanks, we will try to implement this.
How the "AddOpenIdConnect" part should go in this case, where the configuration is defined dynamically? Here is a general example how that normally goes.context.Services.AddAuthentication() .AddOpenIdConnect("ABP2AzureADScheme", "Logon with Azure AD", options => { options.Authority = configuration["AzureAd:Instance"] + configuration["AzureAd:TenantId"] + "/v2.0/"; options.ClientId = configuration["AzureAd:ClientId"]; options.ResponseType = OpenIdConnectResponseType.CodeIdToken; options.CallbackPath = configuration["AzureAd:CallbackPath"]; options.ClientSecret = configuration["AzureAd:ClientSecret"]; options.RequireHttpsMetadata = false; options.SaveTokens = true; options.GetClaimsFromUserInfoEndpoint = true; options.Scope.Add("email"); options.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "sub"); }); -
0
Thanks, we will try to implement this.
How the "AddOpenIdConnect" part should go in this case, where the configuration is defined dynamically? Here is a general example how that normally goes.context.Services.AddAuthentication() .AddOpenIdConnect("ABP2AzureADScheme", "Logon with Azure AD", options => { options.Authority = configuration["AzureAd:Instance"] + configuration["AzureAd:TenantId"] + "/v2.0/"; options.ClientId = configuration["AzureAd:ClientId"]; options.ResponseType = OpenIdConnectResponseType.CodeIdToken; options.CallbackPath = configuration["AzureAd:CallbackPath"]; options.ClientSecret = configuration["AzureAd:ClientSecret"]; options.RequireHttpsMetadata = false; options.SaveTokens = true; options.GetClaimsFromUserInfoEndpoint = true; options.Scope.Add("email"); options.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "sub"); });Hi, actually this part can stay exactly like this. Since you will implement the
IConfigureOptions<>it will update the configuration dynamically. -
0
OK, thanks!
-
0
Hello,
I'm collegue of LW and started to implement this feature. Now I have several problems for which I need your help.
First problem is about AzureEntraIdTenantOptionsProvider. I managed to implement it and when debuging I noticed that it goes to constructor of provider but never goes to Configure method so authserver is not even trying to get dynamic OpenIdConnectOptions from provider and uses what was in appsettings.json.Other problem is when trying to use Azure AD button. I managed to configure Entra Id login settings to our appsetting.json from where AddOpenIdConnect is getting default settings. And it redirects to microsoft site and after awile it goes back to register page as seen below. Is this normal routine when using external identity provider? How can I get Register button enable if it is required to get external login to work.
And last notice is that I only get login to work this much when I se this setting to None. It doesn't feel right thing to do. But is there any other way?
options.MinimumSameSitePolicy = Microsoft.AspNetCore.Http.SameSiteMode.None; -
0
Forget to give you my ConfigureServices code. It is quite same as you suggested and what there was earlier.
context.Services.AddOptions() .ConfigureOptions(); var authenticationBuilder = context.Services.AddAuthentication(); authenticationBuilder.AddOpenIdConnect("AzureOpenId", "Azure AD", options => { options.Authority = "https://login.microsoftonline.com/" + configuration["AzureAd:TenantId"] + "/v2.0/"; options.ClientId = configuration["AzureAd:ClientId"]; options.ResponseType = OpenIdConnectResponseType.CodeIdToken; options.CallbackPath = configuration["AzureAd:CallbackPath"]; options.ClientSecret = configuration["AzureAd:ClientSecret"]; options.RequireHttpsMetadata = false; options.SaveTokens = true; options.GetClaimsFromUserInfoEndpoint = true; options.Scope.Add("email"); options.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "sub"); });And here is out provider. We assumed that currentTenant is set here so our global ef filter should work here and tenantId parameter is added to query automaticly.
public class AzureEntraIdTenantOptionsProvider : IConfigureOptions, ITransientDependency { private readonly IServiceProvider _serviceProvider; public AzureEntraIdTenantOptionsProvider(IServiceProvider serviceProvider) { _serviceProvider = serviceProvider; } public void Configure(OpenIdConnectOptions options) { ISaasTenantIdentityProviderSettingsRepository saasTenantIdentityProviderSettingsService = _serviceProvider.GetRequiredService(); var azureAdSettings = saasTenantIdentityProviderSettingsService.GetIdentityProviderSettings(IdentityProviderType.ENTRA_ID).Result; var deserializedSettings = azureAdSettings?.Setting != null ? JsonConvert.DeserializeObject(azureAdSettings?.Setting) : null; if (azureAdSettings != null && deserializedSettings.IsEnabled) { options.ClientId = deserializedSettings.ClientId; options.ClientSecret = deserializedSettings.ClientSecret; options.Authority = $"https://login.microsoftonline.com/{deserializedSettings.AzureTenantId}/v2.0"; options.ResponseType = OpenIdConnectResponseType.CodeIdToken; options.SaveTokens = true; options.GetClaimsFromUserInfoEndpoint = true; options.CallbackPath = "/signin-azure"; options.RequireHttpsMetadata = false; options.Scope.Add("email"); options.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "sub"); } else { // Or configure default behavior throw new UserFriendlyException("Azure Ad is not configured for you"); } } } -
0
After login url looks like this. I removed some characters from those long values like state. If this helps anything.
https://localhost:44369/Account/Register?isExternalLogin=True&externalLoginAuthSchema=AzureOpenId&returnUrl=%2Fconnect%2Fauthorize%3Fresponse_type%3Dcode%26client_id%3DSCM_App%26state%3DQmRYxUmlDVEhQ;%25252Fdashboard%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A4200%252F%26scope%3Dopenid%2520offline_access%2520SCM%26code_challenge%3D4vcFgDJfIZgrYbPec%26code_challenge_method%3DS256%26nonce%3DQmRKTG9UYxUmlDVEhQ%26culture%3Dfi-FI%26ui-culture%3Dfi-FI%26returnUrl%3D%252Fdashboard -
0
After I found correct place to enable self registration I managed to get login working with static appsettings.json settings . So now we need to get dynamic config working.
