Azure AD Authentication for RT

carlosmoreira-cet · March 15, 2021, 1:10pm

RT version 5.0.1, CentOS 7.9, MariaDB, Apache, FastCGI

Hello,

I would like to leverage Microsoft Azure AD for external authentication against RT. Has someone successfully accomplished this? I’ve reviewed the following, but I keep coming up short:

Thank you,
Carlos

knation · March 15, 2021, 1:23pm

You can use LDAP for AD integration:

https://docs.bestpractical.com/rt/5.0.0/RT/Authen/ExternalAuth/LDAP.html

carlosmoreira-cet · March 15, 2021, 5:36pm

Thank you for the suggestion, however, I’m looking for something less restrictive and would allow any Microsoft Azure AD (AAD) user to authenticate against our RT instance. In our particular case, we cannot use LDAP since those variables are not exposed via AAD.

knation · March 15, 2021, 5:46pm

I believe RT can be configured to just have the least restrictive LDAP filter, so that any user within your AD organization can authenticate.

In our particular case, we cannot use LDAP since those variables are not exposed via AAD.

Which variables are not exposed? So long as you can authenticate to LDAP you should be good!

carlosmoreira-cet · March 15, 2021, 6:07pm

I may be missing something, but I am referring to Microsoft Azure AD not Active Directory (LDAP) in the traditional sense. My users do not authenticate to a “local” Forest/Domain. Their identity lives in the Azure cloud.

If there is a way to connect to Microsoft Azure AD via LDAP, I would be interested in learning how. Thank you.

knation · March 15, 2021, 6:16pm

It seems you’re right, it isn’t enabled by default but is possible:

Q: Can I set up a secure LDAP connection with Azure AD?

A: No. Azure AD does not support the Lightweight Directory Access Protocol (LDAP) protocol or Secure LDAP directly. However, it’s possible to enable Azure AD Domain Services (Azure AD DS) instance on your Azure AD tenant with properly configured network security groups through Azure Networking to achieve LDAP connectivity. For more information, see Configure secure LDAP for an Azure Active Directory Domain Services managed domain

carlosmoreira-cet · March 15, 2021, 7:14pm

Azure AD Domain Services is essentially a managed Active Directory provided by Microsoft. There is a significant uplift in cost to leverage it and overkill for my use case. What I’m trying to do should be relatively straightforward, and I was just hoping someone had done it already.

Thank you!

knation · March 16, 2021, 7:34pm

Could you use OAuth2 extension perhaps?

carlosmoreira-cet · March 17, 2021, 11:33am

Thank you for the suggestion! I will dig into this and let everyone know how I make out.