Azure AD authentication (Office\Microsoft 365) with Apache

Just to share some info\links that could be useful to others working on implementing Azure AD authentication with SC.

I’m about to push it into production using Apache with its mod_auth_openidc module.
If mod_auth_openidc is available in your Apache setup I would recommend using it, as it turned out to be easy and convenient:

  • No PHP code needed to interact with Azure - Apache will manage the authentication before serving the protected html\php pages
  • To make it work, it took me less than 30 minutes to configure the Azure AD tenant and Apache.
  • The login experience is identical to the one you get logging in to any Microsoft service on the web (e.g. Exchange Online)
  • If the Azure AD accounts are set to use MFA, the SC apps get that added layer of security as well (e.g. push authentication with a tap on smartphones)
  • It also works with non-enterprise Microsoft subscriptions (I'm on Microsoft 365 Business Standard, formerly known as Office 365 Business Premium)

This is the workflow I'm using:
  • When end users go to our SC app site, they get redirected to the Microsoft login site (https://login.microsoftonline.com/)
  • After they successfully log in with their Azure AD accounts, they get redirected back to the SC app site
  • Their login name is stored in the $_SERVER["OIDC_CLAIM_upn"] variable that can be accessed in the PHP code in SC; to change as little SC code as possible, I just set the SC variable I was already using (to store the logged-in user name) to be equal to this new variable.
  • Note: All redirections are managed by the Apache and Azure configurations, nothing was added\changed in SC
To learn how to do it, I used these links.
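A minimal mod_auth_openidc virtual host for the workflow described above, as an added example that is not part of the original post and not the poster's configuration. The host name, paths, tenant ID, client ID and both secrets are placeholders, and it assumes the app registration emits the `upn` claim in the ID token.

```apache
# Added example; every value in CAPITALS and sc.example.com are placeholders.
LoadModule auth_openidc_module modules/mod_auth_openidc.so

<VirtualHost *:443>
    ServerName sc.example.com
    DocumentRoot /var/www/sc
    # TLS directives (SSLEngine, certificate files) omitted for brevity.

    # Tenant-specific discovery document: only accounts from this tenant
    # can sign in, and the issuer is checked against it.
    OIDCProviderMetadataURL https://login.microsoftonline.com/TENANT_ID/v2.0/.well-known/openid-configuration

    # Values from the Azure AD app registration. Keep this file readable
    # by root only, since it holds the client secret.
    OIDCClientID     CLIENT_ID
    OIDCClientSecret CLIENT_SECRET

    # Must be a path inside the protected area that serves no real content,
    # and must match the redirect URI registered in Azure AD exactly.
    OIDCRedirectURI https://sc.example.com/redirect_uri

    # Random secret used to protect the module's session cookie and state.
    OIDCCryptoPassphrase LONG_RANDOM_STRING

    OIDCScope "openid profile email"

    # Use the upn claim as REMOTE_USER as well.
    OIDCRemoteUserClaim upn

    # Pass claims to PHP as environment variables only, not as request
    # headers, so the application reads OIDC_CLAIM_upn from one source.
    OIDCPassClaimsAs environment

    OIDCCookieHTTPOnly On

    # Apache authenticates every request before any html/php page is served.
    <Location />
        AuthType openid-connect
        Require valid-user
    </Location>
</VirtualHost>
```

In the PHP code, treat a missing or empty `$_SERVER["OIDC_CLAIM_upn"]` as an unauthenticated request instead of falling back to another user-name source.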