Auth via AzureAD

Has anyone figured out how to authenticate users with AzureAD?
We want to allow large user groups to view (as in read-only) icingaweb2 and provide them with team dashboards.
For that purpose we want to auth via AzureAD; that should be possible, for example, with Release 2.4.12.1 · zmartzone/mod_auth_openidc · GitHub
Has anyone figured out how to do that and can provide some examples, ideally with how to map a group so we can use it in icingaweb2?

You could generate an Icingaweb2 user per group and use mod_auth_openidc to figure out to which Icingaweb2 user/dashboard the AzureAD login belongs, and set the user env var so Icingaweb2 will “autologin” the AzureAD account to the “group” Icingaweb2 user.

It will not work for more than one group, but maybe you could make users and dashboards for AzureAD accounts that belong to more than one group - the combinatorics are exponential, though!

Can’t the normal LDAP/AD auth method of Icingaweb2 connect to AzureAD?
Then you could assign roles based on groups but still the dashboards are a problem.
I will soon have to check out GitHub - Thomas-Gelf/icingaweb2-module-enforceddashboard myself as copy pasting team dashboards is starting to be a pain.

Sadly no. AzureAD doesn’t provide “normal” LDAP since that would require certificates etc.
It can do oauth2 and oidc, which I’d like to use, but I don’t have any idea how to get those to work with icingaweb2.

Then you have no choice and need to do the user auth in the apache module and set the env variable REMOTE_USER - see Authentication - Icinga Web & Advanced Topics - Icinga Web

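A sketch of the approach the last reply describes, as an added example that is not from any poster in this thread: mod_auth_openidc authenticates against Azure AD, restricts access to one group, and hands the login name to Icinga Web 2 in REMOTE_USER. The hostname, the `/icingaweb2` path and every value in `<...>` are assumed placeholders.

```apache
# Added example, not from the thread. Values in <...> and the hostname
# icinga.example.com are placeholders (assumptions), not real identifiers.
# mod_auth_openidc must already be installed and loaded.

# Azure AD (v2.0 endpoint) discovery document for the tenant
OIDCProviderMetadataURL https://login.microsoftonline.com/<TENANT_ID>/v2.0/.well-known/openid-configuration
OIDCClientID            <APPLICATION_CLIENT_ID>
OIDCClientSecret        <CLIENT_SECRET>

# Must lie inside the protected location, map to no real content, and be
# registered as a redirect URI on the Azure AD app registration.
OIDCRedirectURI         https://icinga.example.com/icingaweb2/redirect_uri

# Protects the module's session and state cookies; use a long random value
# and keep this file readable by root only.
OIDCCryptoPassphrase    <LONG_RANDOM_STRING>

OIDCResponseType        code
OIDCScope               "openid profile email"

# The claim whose value the module exports as REMOTE_USER
OIDCRemoteUserClaim     preferred_username

<Location /icingaweb2>
    AuthType openid-connect
    # Allow only members of one Azure AD group. This needs the "groups"
    # claim enabled in the app registration's token configuration; the
    # claim carries group object IDs, not display names.
    Require claim groups:<GROUP_OBJECT_ID>
</Location>

# Icinga Web 2 trusts whatever REMOTE_USER the web server sets, so every
# route to the application has to pass through the <Location> block above.
# Its authentication.ini then needs an external backend, for example:
#   [autologin]
#   backend = external
```

Icinga Web 2 sees each login under the name in `preferred_username`, so roles are assigned to those usernames on the Icinga Web 2 side.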