Links
Demo
- Movie: Grouper provisioning framework Azure demo (v2.6.15): https://youtu.be/abTkJVBMr1M
Config (grouper-loader.properties from version 2.6.15). Note, you should configure this in the provisioning configuration wizard.
External system
grouper-loader.properties for local testing
grouper.azureConnector.myAzure.clientId = 51e6dc4f-a85d-41c7-9569-8ac1b3159801 grouper.azureConnector.myAzure.clientSecret = ******* grouper.azureConnector.myAzure.graphEndpoint = https://graph.microsoft.com grouper.azureConnector.myAzure.graphVersion = beta grouper.azureConnector.myAzure.groupLookupAttribute = displayName grouper.azureConnector.myAzure.groupLookupValueFormat = ${group.getName()} grouper.azureConnector.myAzure.loginEndpoint = https://login.microsoftonline.com/ grouper.azureConnector.myAzure.resource = https://graph.microsoft.com grouper.azureConnector.myAzure.resourceEndpoint = https://graph.microsoft.com/beta/ grouper.azureConnector.myAzure.tenantId = 455754be-3a2b-40c9-acef-c425a92d7276
Provisioning fields and attributes
Item | Type | Description |
---|---|---|
id | field | uuid from Azure |
displayName | field | group name in Azure |
Azure group types
Configure group owners in Azure
provisioner.myAzureProvisioner.groupOwnersManage = true provisioner.myAzureProvisioner.targetGroupAttribute.5.multiValued = true provisioner.myAzureProvisioner.targetGroupAttribute.5.name = groupOwners provisioner.myAzureProvisioner.targetGroupAttribute.5.showAdvancedAttribute = true provisioner.myAzureProvisioner.targetGroupAttribute.5.showAttributeValueSettings = true provisioner.myAzureProvisioner.targetGroupAttribute.5.translateExpression = ${provisioningGroupWrapper.thisGroupPrivilegeHolders('admins', 'entityAttributeValueCache2')} provisioner.myAzureProvisioner.targetGroupAttribute.5.translateExpressionType = translationScript provisioner.myAzureProvisioner.entityAttributeValueCache2entityAttribute = id provisioner.myAzureProvisioner.entityAttributeValueCache2has = true provisioner.myAzureProvisioner.entityAttributeValueCache2source = target provisioner.myAzureProvisioner.entityAttributeValueCache2type = entityAttribute provisioner.myAzureProvisioner.entityAttributeValueCacheHas = true
Grouper development team testing
Set this in grouper.hibernate.properties (or set env var: GROUPER_MOCK_SERVICES=true)
grouper.is.mockServices = true
test config
grouper.azureConnector.azureTest.clientId = fd805xxxxdfb grouper.azureConnector.azureTest.clientSecret = ******* grouper.azureConnector.azureTest.graphEndpoint = https://graph.microsoft.com grouper.azureConnector.azureTest.graphVersion = v1.0 grouper.azureConnector.azureTest.loginEndpoint = http://localhost:8400/grouper/mockServices/azure/auth/ grouper.azureConnector.azureTest.resource = https://graph.microsoft.com grouper.azureConnector.azureTest.resourceEndpoint = http://localhost:8400/grouper/mockServices/azure/ grouper.azureConnector.azureTest.tenantId = 6c4dxxx0d
Set up Azure
- Sign up with Azure
- On the left menu, go to Azure Active Directory
- Create a new app registration
- Select: Who can use this app: Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)
- After the app is registered, click on API Permissions and give Microsoft graph access
- Give full permissions for Directory, Group, User, and GroupMember
- Grant admin consent for default directory
- Check https://jwt.ms with the token, should see
- Permissions look like this. Note you can clamp down these permissions as needed
- From basic testing, if using read-only entities, the following Admin consent permissions seems to work (should not need any User consent grants):
- For even tight permissions, see below for setting the Grouper service account as the owner for new groups
- On the left, under Certificates and Secrets, create a new secret
- When testing using Postman, you will only need the secret value to get access token which will be used to call the graph API
- To get an access token, make a POST call to https://login.microsoftonline.com/a98c57b9-a771-4c01-b69b-83cceb36c834/oauth2/v2.0/token (id is the directory tenant id)
- Under form data send these four key values. client_id = clientId, scope = https://graph.microsoft.com/.default, client_secret = clientSecret, grant_type=client_credentials
- Content-type: application/x-www-form-urlencoded
Post body looks like this:
client_id=aea2eb2a-bc4f-4ae5-a315-3XXXXX&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&grant_type=client_credentials&client_secret=ewC8Q~yGN4dyBaSYBrOXXXXXXXXXX
Configure external system in grouper-loader.properties
grouper.azureConnector.azure.clientId = aea2eb2a-bc4f-4ae5-a315-38XXXXX grouper.azureConnector.azure.clientSecret = ewC8Q~yXXXXX grouper.azureConnector.azure.graphEndpoint = https://graph.microsoft.com grouper.azureConnector.azure.graphVersion = beta grouper.azureConnector.azure.loginEndpoint = https://login.microsoftonline.com/ grouper.azureConnector.azure.resource = https://graph.microsoft.com grouper.azureConnector.azure.resourceEndpoint = https://graph.microsoft.com/beta/ grouper.azureConnector.azure.tenantId = 5e7fa4df-8d24XXXXXXX
- The client id is the Application (client) ID next to Directory tenant id on the Overview page of the app.
- The response from the above POST call will give you an access token in the body which we will use to access graph APIs like https://graph.microsoft.com/v1.0/groups
- For the above request, send Authorization header with value Bearer <access token>
Add Microsoft certificate for graph apis
- Go to https://graph.microsoft.com/applications in your browser and download the certificate by clicking on the padlock sign in the address bar.
- Find out the path to the security directory inside the jre. e.g. /Library/Java/JavaVirtualMachines/jdk1.8.0_65.jdk/Contents/Home/jre/lib/security
From the terminal run "sudo keytool -import -alias microsoft.graph -keystore cacerts -file ~/graph.microsoft.com.cer
- For the password enter: changeit
Setting the Grouper service account as the owner of new groups (to reduce Azure privileges) v4.2.0+
If the service account Grouper uses for Graph API calls can be set as the owner of a managed group, the Azure application no longer needs the privileges to update all groups and memberships. It only needs the Group.Create privilege to create a new group, Group.Read.All to find groups to match with Grouper, and User.Read.All to resolve target entities. While there is an option in the Azure provisioner to set the groupOwner attribute with one or more entities, the ability to add non-users (i.e. service accounts) is only available v4.2.0.
The "groupOwners" attribute is normally expected to be a Grouper subject ID or identifier used for search/match to resolve to an Azure object URL. But this lookup always uses the /users api endpoint, which means the service account can't be added this way. Since v4.2.0, an already-resolved URL can be entered in this field, and this URL can be either for a user or a service account. There are two ways to specify the account.
1) https://graph.microsoft.com/v1.0/servicePrincipals/{id}
2) https://graph.microsoft.com/v1.0/servicePrincipals(appId='{appId}')
where {id} is the "Object ID" for the object in the Enterprise Applications page (it's not the App registrations page, but you can get to it from there by clicking "Managed application in local directory"). The {appId} is the application ID, also called the client ID, and is easier to find, being on the Enterprise applications page, the App registrations page, and various other pages when you look at the service account details. The appId is also the "Client ID" value in the external system configuration for Azure.