Azure SSO integration

I can see in the configuration that OIDC with Azure is there, but there is no example:

# # OIDC Authentication
# # Any OpenID Connect provider can be used here.
# default['firezone']['authentication']['oidc'] = {}
# # Example of a Google setup
# # default['firezone']['authentication']['oidc'] = {
# #   google: {
# #     discovery_document_uri: "https://accounts.google.com/.well-known/openid-configuration",
# #     client_id: "CLIENT_ID",
# #     client_secret: "CLIENT_SECRET",
# #     redirect_uri: "https://firezone.example.com/auth/oidc/google/callback",
# #     response_type: "code",
# #     scope: "openid email profile",
# #     label: "Google"
# #   },
# #   okta: {
# #   ...
# #   },
# #   azure: {
# #   ...
# #   }
# # }

I tried with the below, as per the document for Google in Step 3 ("Google | Docs Firezone"):

default['firezone']['authentication']['azure']['enabled'] = true
default['firezone']['authentication']['azure']['client_id'] = 'xxx'
default['firezone']['authentication']['azure']['client_secret'] = 'xxx'
default['firezone']['authentication']['azure']['redirect_uri'] = 'https://firezone.xxxx.xxx/auth/azure/callback'

But it is not working.

Is Azure SSO integrated?

I believe you will run into this issue once set up, so wait for the next release before attempting this: Custom OIDC (Azure) leads to phoenix crashing · Issue #642 · firezone/firezone · GitHub

Here is the configuration I have:

default['firezone']['authentication']['oidc'] = {
  azure: {
    discovery_document_uri: "https://login.microsoftonline.com/TENANT ID/v2.0/.well-known/openid-configuration",
    client_id: "CLIENT ID",
    client_secret: "CLIENT SECRET",
    redirect_uri: "https://vpn.yourdomain.com/auth/oidc/azure/callback",
    response_type: "code",
    scope: "openid email profile",
    label: "Azure Active Directory"
  }
}

You would replace:

  • TENANT ID: Your tenant ID
  • CLIENT ID: The application ID
  • CLIENT SECRET: The secret created for the client
  • vpn.yourdomain.com: The hostname of your VPN server

Give it a go. I think there is a small chance that the problem in the linked issue was caused by their cloud provider, Alicloud.

If it doesn’t work, then wait for the next release.

Firezone is crashing with the errors below:

2022-05-31_08:34:22.74056 08:34:22.734 [notice] Application fz_http exited: FzHttp.Application.start(:normal, []) returned an error: shutdown: failed to start child: OpenIDConnect.Worker
2022-05-31_08:34:22.74063 ** (EXIT) an exception was raised:
2022-05-31_08:34:22.74064 ** (MatchError) no match of right hand side value: {:error, :update_documents, %HTTPoison.Error{id: nil, reason: :timeout}}
2022-05-31_08:34:22.74065 (openid_connect 0.2.2) lib/openid_connect/worker.ex:55: OpenIDConnect.Worker.update_documents/2
2022-05-31_08:34:22.74066 (openid_connect 0.2.2) lib/openid_connect/worker.ex:23: anonymous fn/1 in OpenIDConnect.Worker.init/1
2022-05-31_08:34:22.74067 (elixir 1.13.4) lib/enum.ex:1593: Enum."-map/2-lists^map/1-0-"/2
2022-05-31_08:34:22.74068 (elixir 1.13.4) lib/enum.ex:1496: Enum.into/3
2022-05-31_08:34:22.74069 (openid_connect 0.2.2) lib/openid_connect/worker.ex:22: OpenIDConnect.Worker.init/1
2022-05-31_08:34:22.74071 (stdlib 4.0) gen_server.erl:848: :gen_server.init_it/2
2022-05-31_08:34:22.74072 (stdlib 4.0) gen_server.erl:811: :gen_server.init_it/6
2022-05-31_08:34:22.74073 (stdlib 4.0) proc_lib.erl:240: :proc_lib.init_p_do_apply/3
2022-05-31_08:34:24.26114 {"Kernel pid terminated",application_controller,"{application_start_failure,fz_http,{{shutdown,{failed_to_start_child,'Elixir.OpenIDConnect.Worker',{{badmatch,{error,update_documents,#{'exception' => true,'struct' => 'Elixir.HTTPoison.Error',id => nil,reason => timeout}}},[{'Elixir.OpenIDConnect.Worker',update_documents,2,[{file,"lib/openid_connect/worker.ex"},{line,55}]},{'Elixir.OpenIDConnect.Worker','-init/1-fun-0-',1,[{file,"lib/openid_connect/worker.ex"},{line,23}]},{'Elixir.Enum','-map/2-lists^map/1-0-',2,[{file,"lib/enum.ex"},{line,1593}]},{'Elixir.Enum',into,3,[{file,"lib/enum.ex"},{line,1496}]},{'Elixir.OpenIDConnect.Worker',init,1,[{file,"lib/openid_connect/worker.ex"},{line,22}]},{gen_server,init_it,2,[{file,"gen_server.erl"},{line,848}]},{gen_server,init_it,6,[{file,"gen_server.erl"},{line,811}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,240}]}]}}},{'Elixir.FzHttp.Application',start,[normal,[]]}}}"}
2022-05-31_08:34:24.26172 Kernel pid terminated (application_controller) ({application_start_failure,fz_http,{{shutdown,{failed_to_start_child,'Elixir.OpenIDConnect.Worker',{{badmatch,{error,update_documents,#{'exception' => true,'struct' => 'Elixir.HTTPoison.Error',id => nil,reason => timeout}}},[{'Elixir.OpenIDConnect.Worker',update_documents,2,[{file,"lib/openid_connect/worker.ex"},{line,55}]},{'Elixir.OpenIDConnect.Worker','-init/1-fun-0-',1,[{file,"lib/openid_connect/worker.ex"},{line,23}]},{'Elixir.Enum','-map/2-lists^map/1-0-',2,[{file,"lib/enum.ex"},{line,1593}]},{'Elixir.Enum',into,3,[{file,"lib/enum.ex"},{line,1496}]},{'Elixir.OpenIDConnect.Worker',init,1,[{file,"lib/openid_connect/worker.ex"},{line,22}]},{gen_server,init_it,2,[{file,"gen_server.erl"},{line,848}]},{gen_server,init_it,6,[{file,"gen_server.erl"},{line,811}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,240}]}]}}},{'Elixir.FzHttp.Application',start,[normal,[]]}}})
2022-05-31_08:34:24.26259
2022-05-31_08:34:24.26266 Crash dump is being written to: erl_crash.dump...done

and in the browser I get "Internal Server Error".

For what it's worth, I get the same crash as noted by @remy when set up to my AAD instance; it doesn't seem to be related to a specific cloud provider.

@remy Are you on CentOS as well? OpenSSL on CentOS 8 (and derivatives) seems to have an issue with TLS 1.3 and Azure, causing timeouts. We’ve merged a fix to force TLS 1.2 which will be available in the next release.

@jamil, if it helps, I am on Ubuntu 20.04; same crash. Happy to test on other OSes if you want.

Package: OpenSSL 1.1.1f-1ubuntu2.13
openssl version: OpenSSL 1.1.1f 31 Mar 2020

@jamil, it's Oracle Linux 8.6
openssl-1.1.1k-6.el8_5.x86_64

FYI Custom OIDC (Azure) leads to phoenix crashing · Issue #642 · firezone/firezone · GitHub

This should be fixed in 0.3.16. Do let us know if you continue to experience issues!

I upgraded and confirmed it's working fine for me, thank you!

@jamil, upgraded, no more crash. Thanks.

@gbe0 I get the error below:

==> /var/log/firezone/phoenix/current <==
2022-06-01_05:45:33.47896 05:45:33.478 request_id=FvRo7b9W8iBegY4AAAKR [info] GET /auth/oidc/azure/callback/

==> /var/log/firezone/nginx/access.log <==
109.177.220.46 - - [2022-06-01T05:45:33+00:00] "GET /auth/oidc/azure/callback/?code=0.AS8ATYq7ext_WEqbOsJQ-4Aj43wQBsxl8xNFmphMk-ph_x8vAHc.AgABAAIAAAD--DLA3VO7QrddgJg7WevrAgDs_wQA9P9Ma-BJdyEC4uVl5oOP5bZyw7LN3g_koIKIzokUrdFc8__PKydh2Y5iyhPfhlugRWXUG_Bi-etS38MofLgDUJVMeJ7l4DXqIkXwuJO6ns0zUUXgtLstrmQMuXYZbjNAcJbAAZEb1taDjLO9GA_8kvk41H4v4F3SBCNbBu_clEBK5CrA9pp8jjuLjVaw4jNTfHypnjIcF9Lde8JVpWcLJMHxwCq77uBro6DWCswuyUJ3EjxGisyRRYEjk_PIIRo_FIEbvCC1t65vNQroK3-jMPDbpifZf9ib65z7KX7aUuV5wdSsoiy-KQt-S5cVVrcNIPxvhEfeDCM6Hy3ka_R12RYTJd8o8wXxEBEs3E-xFLPggCC81P0NWpVh9e7pfKmDwFPuJkiUeJp1u10glOhFcKE_OniMMpiXgxbKf6qkEkrOyZisST6_U7aA3Yx8Vd2aJA6y5ulfWBbgh2YAobqgbGZZZTutNfwq6GmXTXPaE2vUeY43fHDx0w8JxQiO15jSVJqaLvvgwZbSZ31pr_lAYlzn72ttinTRF8KpKqQGg_OsmHUWkmDkeX8aoELFs0yTZyamAI2t4k3aAhAw-kvj0VqOUE7q0pjH2r5f6-LWprNtSkHFWB54GB7iBdCg5CD5uAmVm6IZgQg8KmXBMg87GzRZ_Cpm5l2JaGIfryu3pZAMr52y_ujqYv0KFOFwOG_JJLh4hcxClgRmR9QRUIAW0YlQQdYe9A&state=uBc3d_fGQMqm1AlW&session_state=7a9435f5-d854-4016-adf8-aeb02f2f2594 HTTP/1.1" 401 1743 "0.251" 0 "https://xxxx.xxx.ae/" "Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"

Here is my configuration.

In Azure AD admin center → App registrations, select the application and go to overview. You need these:

From the authentication area for the registered app, make sure the redirect URI is configured correctly:

From the client certificates and secrets area, create the client secret. You will need to use this in firezone.rb (client_secret):

In firezone.rb config file:

default['firezone']['authentication']['oidc'] = {
  azure: {
    discovery_document_uri: "https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-fabd03afb3cd/v2.0/.well-known/openid-configuration",
    client_id: "xxxxxxxx-xxxx-xxxx-xxxx-9325786786e8",
    client_secret: "-Y3xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    redirect_uri: "https://vpn.example.com/auth/oidc/azure/callback/",
    response_type: "code",
    scope: "openid email profile",
    label: "Azure Active Directory"
  }
}

Replace the relevant IDs/secrets.

Make sure that the URLs/URIs exactly match (e.g. including any trailing "/").

@gbe0, thanks for the detailed instructions. I have the same configuration as you instructed, but it is not working for me.
1)

default['firezone']['authentication']['oidc'] = {
  azure: {
    discovery_document_uri: "https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-c250fb8023e3/v2.0/.well-known/openid-configuration",
    client_id: "xxxxxxxx-xxxx-xxxx-xxxx-4c93ea61ff1f",
    client_secret: "xxxxxxxx-xxxx-xxxx-xxxx-e04bb7c7322a",
    redirect_uri: "https://vpn.example.com/auth/oidc/azure/callback/",
    response_type: "code",
    scope: "openid email profile",
    label: "Azure Active Directory"
  }
}

In case someone else runs into this problem, it seems to be something permission-related in AAD. As a test I worked with @remy to add a test application in my tenant and it worked; hopefully we can find the exact cause of the problem.

@gbe0, many thanks to you, as you saved my day.

All - it's my bad, I used the client_secret ID instead of the value.

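A static check over the `oidc` hash from firezone.rb, as an added example that is not part of this thread or of Firezone: it covers gbe0's working configuration above, the "make the URIs match exactly" advice, the first attempt's `/auth/azure/callback` path without the `oidc` segment, and the final root cause, the Azure portal's Secret ID (a GUID) pasted where the secret Value belongs. The tenant ID, client ID, secret and hostname are constructed placeholders; the `registered_redirect_uri` argument is a hypothetical input for pasting in what the Azure app registration shows.

```ruby
# Added example, not Firezone's code: static checks on the `oidc` attribute
# hash from firezone.rb for the mistakes this thread ran into. The IDs, secret
# and hostname are constructed placeholders.
require "uri"

GUID = /\A[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\z/i

# Shaped like gbe0's working configuration above (values constructed).
GOOD_AZURE = {
  discovery_document_uri: "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0/.well-known/openid-configuration",
  client_id: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
  client_secret: "Abc8Q~constructed.secret.Value_notTheSecretId",
  redirect_uri: "https://vpn.example.com/auth/oidc/azure/callback/",
  response_type: "code",
  scope: "openid email profile",
  label: "Azure Active Directory"
}.freeze

# The mistake from the end of the thread: the portal's "Secret ID" (a GUID)
# pasted where the secret "Value" belongs.
SECRET_ID_AZURE = GOOD_AZURE.merge(client_secret: "ffffffff-0000-1111-2222-333333333333").freeze

# Returns a list of problems for one provider entry; empty means it passed.
def lint_oidc_provider(key, cfg, registered_redirect_uri: nil)
  problems = []
  disc = cfg[:discovery_document_uri].to_s
  unless disc.match?(%r{\Ahttps://login\.microsoftonline\.com/[^/\s]+/v2\.0/\.well-known/openid-configuration\z})
    problems << "discovery_document_uri is not an Azure v2.0 discovery URL (tenant ID goes between the host and /v2.0)"
  end
  problems << "client_id is not an application (client) ID GUID" unless cfg[:client_id].to_s.match?(GUID)

  secret = cfg[:client_secret].to_s
  if secret.empty?
    problems << "client_secret is empty"
  elsif secret.match?(GUID)
    problems << "client_secret looks like the Azure Secret ID; paste the secret Value instead"
  end

  redir = begin
    URI(cfg[:redirect_uri].to_s)
  rescue URI::InvalidURIError
    nil
  end
  if redir.nil? || redir.scheme != "https" || redir.host.to_s.empty?
    problems << "redirect_uri must be an absolute https URL"
  elsif !redir.path.start_with?("/auth/oidc/#{key}/callback")
    problems << "redirect_uri path must be /auth/oidc/#{key}/callback (the oidc key, not /auth/#{key}/callback)"
  end
  # The thread's advice: the two URIs must match exactly, trailing "/" included.
  if registered_redirect_uri && registered_redirect_uri != cfg[:redirect_uri]
    problems << "redirect_uri differs from the URI registered in Azure: #{registered_redirect_uri.inspect} vs #{cfg[:redirect_uri].inspect}"
  end

  problems << "response_type must be \"code\"" unless cfg[:response_type] == "code"
  problems << "scope must include openid" unless cfg[:scope].to_s.split.include?("openid")
  problems
end

# Lint every provider under default['firezone']['authentication']['oidc'].
def lint_oidc(oidc)
  oidc.to_h { |key, cfg| [key, lint_oidc_provider(key.to_s, cfg)] }
end

if __FILE__ == $0
  [GOOD_AZURE, SECRET_ID_AZURE].each do |cfg|
    problems = lint_oidc_provider("azure", cfg)
    puts problems.empty? ? "ok" : problems.join("\n")
  end
end
```

Run it against the hash you are about to put in firezone.rb before `firezone-ctl reconfigure`; the Secret ID check is the one that would have caught the last post's mistake, since a 401 on the callback (as in the nginx log above) is all the provider gives you when the token exchange fails.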

Thanks for all the support @gbe0 !