Azure AD Authentication for RT

RT version 5.0.1, CentOS 7.9, MariaDB, Apache, FastCGI

Hello,

I would like to leverage Microsoft Azure AD for external authentication against RT. Has someone successfully accomplished this? I’ve reviewed the following, but I keep coming up short:

Thank you,
Carlos

You can use LDAP for AD integration:

https://docs.bestpractical.com/rt/5.0.0/RT/Authen/ExternalAuth/LDAP.html

Thank you for the suggestion; however, I’m looking for something less restrictive that would allow any Microsoft Azure AD (AAD) user to authenticate against our RT instance. In our particular case, we cannot use LDAP since those variables are not exposed via AAD.

I believe RT can be configured to just have the least restrictive LDAP filter, so that any user within your AD organization can authenticate.

In our particular case, we cannot use LDAP since those variables are not exposed via AAD.

Which variables are not exposed? So long as you can authenticate to LDAP you should be good!

I may be missing something, but I am referring to Microsoft Azure AD not Active Directory (LDAP) in the traditional sense. My users do not authenticate to a “local” Forest/Domain. Their identity lives in the Azure cloud.

If there is a way to connect to Microsoft Azure AD via LDAP, I would be interested in learning how. Thank you.

It seems you’re right; it isn’t enabled by default, but it is possible:

Q: Can I set up a secure LDAP connection with Azure AD?

A: No. Azure AD does not support the Lightweight Directory Access Protocol (LDAP) protocol or Secure LDAP directly. However, it’s possible to enable an Azure AD Domain Services (Azure AD DS) instance on your Azure AD tenant with properly configured network security groups through Azure Networking to achieve LDAP connectivity. For more information, see Configure secure LDAP for an Azure Active Directory Domain Services managed domain.
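For reference, here is what the "least restrictive LDAP filter" approach from earlier in the thread looks like if LDAP does become available through an Azure AD DS secure LDAP endpoint. This is an added example, not from the thread or from Best Practical's documentation; the host name, bind account, OU and CA file path are placeholders you would replace for your own managed domain.

```perl
# Added example: RT_SiteConfig.pm fragment for RT::Authen::ExternalAuth (RT 5.0.x)
# pointed at an Azure AD DS secure LDAP (LDAPS, port 636) endpoint.
# Host, bind DN/password, OU and CA path are placeholders, not real values.
Set($ExternalAuthPriority, ['AAD_DS']);   # consult this source for logins
Set($ExternalInfoPriority, ['AAD_DS']);   # and for filling in user-record attributes

Set($ExternalSettings, {
    'AAD_DS' => {
        type   => 'ldap',
        server => 'ldaps.example.com',        # placeholder: AAD DS secure LDAP DNS name
        # Azure AD DS exposes LDAPS rather than STARTTLS, so the TLS settings go to
        # Net::LDAP->new via net_ldap_args instead of the 'tls' key.
        net_ldap_args => [
            version => 3,
            scheme  => 'ldaps',
            port    => 636,
            verify  => 'require',             # reject a server cert that does not chain to cafile
            cafile  => '/etc/pki/tls/certs/aadds-ldaps-ca.pem',   # placeholder path
        ],
        user => 'CN=rt-bind,OU=AADDC Users,DC=example,DC=com',    # placeholder bind DN
        pass => 'REPLACE_ME',                                      # keep out of version control
        base => 'OU=AADDC Users,DC=example,DC=com',               # placeholder search base
        # "Least restrictive" filter: any person/user object under the base may log in ...
        filter   => '(&(objectCategory=person)(objectClass=user))',
        # ... but an account flagged as disabled in AD (userAccountControl bit 2) is still refused.
        d_filter => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        attr_match_list => ['Name', 'EmailAddress'],
        attr_map => {
            Name         => 'sAMAccountName',
            EmailAddress => 'mail',
            RealName     => 'displayName',
        },
    },
});
```

Without `d_filter`, a permissive `filter` would also let disabled accounts authenticate, and without `verify => 'require'` the bind password travels to whichever host answers on 636.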

Azure AD Domain Services is essentially a managed Active Directory provided by Microsoft. There is a significant uplift in cost to leverage it, and it is overkill for my use case. What I’m trying to do should be relatively straightforward, and I was just hoping someone had done it already.

Thank you!

Could you use the OAuth2 extension, perhaps?


Thank you for the suggestion! I will dig into this and let everyone know how I make out.