
Please add steps for granting Azure permissions on behalf of users

Open richthomsen opened this issue 10 years ago • 2 comments

When every user first logs into the WordPress site via SSO, Azure requests permissions for the app: "[App Name] needs permission to: Sign you in and read your profile. You're signed in as: [User Name]". It's not clear how to grant permission on behalf of our organization's users. If you have worked through this already, it would be an excellent addition to your setup instructions. After granting permission individually, SSO works great!

richthomsen avatar Aug 26 '15 21:08 richthomsen

I figured this out after some calls with Microsoft and working with one of our Azure Global Admins:

After SSO is set up, the application needs to be 'trusted' by an Azure AD Global Admin if all internal users will use the application as an authenticated user. Otherwise, each of your users will need to choose to trust the application on first use. The Global Admin can set up trust on behalf of all users by executing a special URL for your application:

Sample URL:
https://login.windows.net/common/oauth2/authorize?response_type=code&resource=https%3A%2F%2Fgraph.windows.net&client_id=########-####-####-####-############&prompt=admin_consent&redirect_uri=https%3A%2F%2F[WWW.YOURDOMAIN.COM]%2Fwp-login.php

Sample URL deconstructed:

https://login.windows.net/common/oauth2/authorize?response_type=code&resource=https%3A%2F%2Fgraph.windows.net&
This part logs into Azure and sets the stage for asking for access to graph.windows.net (AKA Graph API/Azure AD).

client_id=########-####-####-####-############&
This part is the client ID set up in the Azure Active Directory 'Applications' configuration, unique to each app we register in Azure AD.

prompt=admin_consent&
This part prompts the Azure AD Admin to grant, on behalf of all users, permission to read the user profile from Azure AD.

redirect_uri=https%3A%2F%2F[WWW.YOURDOMAIN.COM]%2Fwp-login.php
This is the URI to which Azure AD will redirect the user-agent in response to an OAuth 2.0 request.

richthomsen avatar Feb 22 '16 16:02 richthomsen
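An added example (not from this issue or the plugin) that assembles the admin-consent URL from the four parts listed above and checks a URL before an admin opens it, so a wrong prompt value or a redirect_uri that does not match the one registered for the app is caught first; the client_id GUID and the www.example.com domain used in the usage call are constructed placeholders:

```python
import re
from urllib.parse import urlencode, urlsplit, parse_qs

# Endpoint and resource exactly as given in the comment above.
AUTHORIZE_ENDPOINT = "https://login.windows.net/common/oauth2/authorize"
GRAPH_RESOURCE = "https://graph.windows.net"
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def build_admin_consent_url(client_id: str, redirect_uri: str) -> str:
    """Assemble the admin-consent URL from the parts the comment lists.

    urlencode percent-encodes the resource and redirect_uri, so 'https://'
    becomes 'https%3A%2F%2F' exactly as in the sample URL.
    """
    params = {
        "response_type": "code",
        "resource": GRAPH_RESOURCE,
        "client_id": client_id,
        "prompt": "admin_consent",
        "redirect_uri": redirect_uri,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def check_admin_consent_url(url: str, expected_redirect_uri: str) -> list:
    """Return the problems found in an admin-consent URL (empty list = OK).

    Checks mirror the deconstruction above: the authorize endpoint, an
    authorization-code request for the Graph resource, a GUID client_id,
    prompt=admin_consent (tenant-wide consent, not per-user consent), and a
    redirect_uri that is HTTPS and matches the URI registered for the app.
    """
    problems = []
    parts = urlsplit(url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != AUTHORIZE_ENDPOINT:
        problems.append("unexpected authorize endpoint")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if q.get("response_type") != "code":
        problems.append("response_type must be 'code'")
    if q.get("resource") != GRAPH_RESOURCE:
        problems.append("resource must be the Graph API")
    if not GUID_RE.match(q.get("client_id", "")):
        problems.append("client_id is not a GUID")
    if q.get("prompt") != "admin_consent":
        problems.append("prompt must be 'admin_consent' for tenant-wide consent")
    redirect = q.get("redirect_uri", "")
    if redirect != expected_redirect_uri:
        problems.append("redirect_uri does not match the registered redirect URI")
    if urlsplit(redirect).scheme != "https":
        problems.append("redirect_uri must use https")
    return problems
```

Running `check_admin_consent_url(build_admin_consent_url(client_id, redirect), redirect)` with the registered redirect URI should return an empty list; anything else lists what to fix before the Global Admin visits the URL.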

I'm actually going to re-open the issue as a bug, since we really do need to provide better guidance on the option to provide admin consent to the app. Thanks for bringing it up!

psignoret avatar Feb 22 '16 19:02 psignoret