search

gristlabs / grist-core

Grist is the evolution of spreadsheets.
https://www.getgrist.com/
Apache License 2.0
6.97k stars 307 forks source link

Compability with SAML using AzureAD as IDP #621

Open lohrm-stabl opened 1 year ago

lohrm-stabl commented 1 year ago

Currently, Grist cannot be used with AzureAD.

The error one gets with GRIST_SAML_SP_HOST = https://grist.mydomain is:

Sorry, but we’re having trouble signing you in.
AADSTS700016: Application with identifier 'https://grist.mydomain/saml/metadata.xml' was not found in the directory 'My Directory'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.

The issue probably originates from this line: https://github.com/gristlabs/grist-core/blob/main/app/server/lib/SamlConfig.ts#L85 The GRIST_SAML_SP_HOST is used as part of the entity_id. This should be a separate variable so one can set it to the actual client id.

paulfitz commented 1 year ago

Hi @lohrm-stabl, that makes sense. There may be a workaround here https://community.getgrist.com/t/azure-ad-saml-sso-and-grist/1269/3

A pull request to allow the entity_id to be overridden would be very welcome :pray:

lohrm-stabl commented 1 year ago

Hi @lohrm-stabl, that makes sense. There may be a workaround here community.getgrist.com/t/azure-ad-saml-sso-and-grist/1269/3

I have found this as well. At first, I didn't get it working because I Azure AD wouldn't let me customize the entity_id. But by recreating the application, I got it working.

Step-by-step guide:

  1. Create a new enterprise application
  2. Go to the "Single Sign-on" tab and select "SAML" image
  3. Edit the "Basic SAML Configuration", set the values to: (assuming your Grist instance is hosted on grist.test.xyz)
    1. Identifier: https://grist.test.xyz/saml/metadata.xml
    2. Reply URL: https://grist.test.xyz/saml/assert
    3. Sign on URL: https://grist.test.xyz/saml/login
  4. Edit claims, add the following claims (not entirely sure if necessary):
    1. Name: FirstName, Source attribute: user.givenname
    2. Name: LastName, Source: user.surname
    3. Name: name_id, Source: user.userprincipalname
  5. Set the following environment variables to for your grist instance to values found on the Single Sign-On tab:
    1. GRIST_SAML_IDP_LOGIN: set to the Login URL provided by Azure
    2. GRIST_SAML_IDP_LOGOUT: set to the Logout URL provided by Azure
    3. GRIST_SAML_SP_HOST: https://grist.test.xyz
    4. GRIST_SAML_IDP_CERTS: download from SAML Certificates > Certificate (Base64), upload to your server and put file path here
    5. GRIST_SAML_SP_CERT: will be set later
    6. GRIST_SAML_SP_KEY: will be set later
    7. GRIST_SAML_IDP_UNENCRYPTED: set to 1
  6. Setup client secret
    1. Go to App registrations in your Azure AD, search for your application and go to "Certificates & secrets"
    2. Generate a new certificate
      1. openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 (adjust days as needed)
      2. openssl pkcs12 -export -out certificate.pfx -inkey key.pem -in cert.pem
    3. Upload the certificate (to Azure AD)
  7. Also upload the private and public part to your server
  8. Set GRIST_SAML_SP_CERT and GRIST_SAML_SP_KEY to the public and private certificate key files you just generated