Just to share some info\links that could be useful to others working on implementing Azure AD authentication with SC.
I’m about to push it into production using Apache with its mod_auth_openidc module.
If mod_auth_openidc is available in your Apache setup, I would recommend to use it as it turned out to be easy and convenient:
- No php code needed to interact with Azure - apache will manage the authentication before serving the protected html\php pages
- To make it work, it took me less than 30 minutes to configure the azure AD tenant and apache.
- The login experience is identical to the one you get logging in to any microsoft service on the web (e.g. exchange online)
- If the azure AD accounts are set to use MFA, the SC apps get that added layer of security as well (e.g. push authentication with a tap on smartphones)
- It works also with non enterprise microsoft subscrptions (I'm on Microsoft 365 Business Standard, formerly known as Office 365 Business Premium)
- When end users go to our SC app site, they get redirected by Apache to the microsoft login site (https://login.microsoftonline.com/)
- After they successful login with their Azure AD accounts, Microsoft redirects them back to our SC app site
- Their login name is stored in the $_SERVER["OIDC_CLAIM_upn"] variable that can be accessed in the php code in SC; to change as less SC code as possible, I just set the SC variable I already used to store the logged in user name to be equal to this new variable.
- For the login (starting from step 11, as I had already installed/configured apache and added the mod_auth_openidc module included with Fedora): http://dbaharrison.blogspot.com/2018...ith-azure.html
- To manage the session logout: https://github.com/zmartzone/mod_aut...ion-Management