Merge pull request #157 from DecisionsDev/azuread-review

Azuread review

Author: mmouly

authentication/AzureAD/README.md

@@ -159,7 +159,16 @@ After activating your account by email, you should have access to your Aure AD i
 
     ![New Web Application](/images/AzureAD/RegisterApp.png)
 
-2. Generate an OpenID client secret.
+2. Retrieve Tenant and Client information.
+
+    In **Azure Active Directory** / **App Registration**, select **ODM Application** and click **Overview**:
+
+    * Application (client) ID: **Client ID**. It will be referenced as `CLIENT_ID` in the next steps.
+    * Directory (tenant) ID: **Your Tenant ID**. It will be referenced as `TENANT_ID` in the next steps.
+
+    ![Tenant ID](/images/AzureAD/GetTenantID.png)
+
+3. Generate an OpenID client secret.
 
     In **Azure Active Directory** / **App registrations**, select **ODM Application**:
 
@@ -172,7 +181,7 @@ After activating your account by email, you should have access to your Aure AD i
 
    >Important: This client secret can not be revealed later. If you forgot to take note of it, you'll have to create another one.
 
-3. Add Claims.
+4. Add Claims.
 
     In **Azure Active Directory** / **App registrations**, select **ODM Application**, and in **Manage / Token Configuration**:
 
@@ -197,37 +206,45 @@ After activating your account by email, you should have access to your Aure AD i
     * Check Security Groups
     * Click Add
 
-4. API Permissions.
+5. Create a custom claim named "identity"
+
+   To allow ODM rest-api to use the password flow with email as user identifier and the client-credentials flow with client_id as user identifier, we need to create a new claim named "identity" that will take the relevant value according to the flow:
+
+   In **Azure Active Directory** / **Enterprise applications**, select **ODM Application**, and in **Manage / Single sign-on**:
+
+  * Click on Edit of the "Attributes & Claims" section
+    * Click + Add new claim
+      * Name: identity
+      * Fill 2 Claim conditions in the exact following order:
+        1. User Type: Any / Scope Groups: 0 / Source: Attribute / Value: <CLIENT_ID>
+        2. User Type: Members / Scope Groups: 0 / Source: Attribute / Value: user.mail
+ 
+6. API Permissions.
 
     In **Azure Active Directory** / **App Registration**, select **ODM Application**, and then click **API Permissions**.
 
     * Click Grant Admin Consent for Default Directory
 
-5. Manifest change.
+7. Manifest change.
 
     In **Azure Active Directory** / **App Registration**, select **ODM Application**, and then click **Manifest**.
 
-    As explained in [accessTokenAcceptedVersion attribute explanation](https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest#accesstokenacceptedversion-attribute), change the value to 2 and then click Save.
+    As explained in [accessTokenAcceptedVersion attribute explanation](https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest#accesstokenacceptedversion-attribute), change the value to 2.
 
     ODM OpenID Liberty configuration needs version 2.0 for the issuerIdentifier. See the [openIdWebSecurity.xml](templates/openIdWebSecurity.xml) file.
 
-6. Retrieve Tenant and Client information.
-
-    In **Azure Active Directory** / **App Registration**, select **ODM Application** and click **Overview**:
-
-    * Application (client) ID: **Client ID**. It will be referenced as `CLIENT_ID` in the next steps.
-    * Directory (tenant) ID: **Your Tenant ID**. It will be referenced as `TENANT_ID` in the next steps.
-
-    ![Tenant ID](/images/AzureAD/GetTenantID.png)
+    It is also necessary to set **acceptMappedClaims** to true to manage claims. Without this setting, you get the exception **AADSTS50146: This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid.** when requesting a token.
 
-7. Check the configuration.
+   Then, click Save.
+   
+8. Check the configuration.
 
     Download the [azuread-odm-script.zip](azuread-odm-script.zip) file to your machine and unzip it in your working directory. This .zip file contains scripts and templates to verify and set up ODM.
 
-    7.1 Verify the Client Credential Token
+    8.1 Verify the Client Credential Token
 
     You can request an access token using the Client-Credentials flow to verify the token format.
-    This token is used for the deployment between Decision Cennter and the Decision Server console:
+    This token is used for the deployment between Decision Center and the Decision Server console:
 
     ```shell
     $ ./get-client-credential-token.sh -i <CLIENT_ID> -x <CLIENT_SECRET> -n <TENANT_ID>
@@ -253,6 +270,7 @@ After activating your account by email, you should have access to your Aure AD i
     ```json
     {
       "aud": "<CLIENT_ID>",
+      "identity": "<CLIENT_ID>",
       ...
       "iss": "https://login.microsoftonline.com/<TENANT_ID>/v2.0",
       ...
@@ -264,7 +282,7 @@ After activating your account by email, you should have access to your Aure AD i
     - *aud*: should be your CLIENT_ID
     - *iss*: should end with 2.0. otherwise you should verify the previous step **Manifest change**
 
-    7.2 Verify the Client Password Token.
+    8.2 Verify the Client Password Token.
 
    To check that it has been correctly taken into account, you can request an ID token using the Client password flow.
 
@@ -289,6 +307,7 @@ After activating your account by email, you should have access to your Aure AD i
       "iss": "https://login.microsoftonline.com/<TENANT_ID>/v2.0",
       ...
       "email": "<USERNAME>",
+      "identity": "<USERNAME>",
       "groups": [
         "<GROUP>"
       ],
@@ -565,7 +584,7 @@ Get hands-on experience with IBM Operational Decision Manager in a container env
 
 To manage ODM runtime call on the next steps, we used the [Loan Validation Decision Service project](https://github.com/DecisionsDev/odm-for-container-getting-started/blob/master/Loan%20Validation%20Service.zip)
 
-Import the **Loan Validation Service** in Decision Center connected as John Doe
+Import the **Loan Validation Service** in Decision Center connected using *myodmuser*@YOURDOMAIN created at step 2
 
 ![Import project](/images/Keycloak/import_project.png)
 

authentication/AzureAD/azuread-odm-script.zip

@@ -22,5 +22,5 @@
                        issuerIdentifier="${ServerHost}/v2.0"
                        authorizationEndpointUrl="${ServerHost}/oauth2/v2.0/authorize"
                        tokenEndpointUrl="${ServerHost}/oauth2/v2.0/token"
-                       userIdentifier="aud" groupIdentifier="groups" audiences="ALL_AUDIENCES"/>
-</server>
+                       userIdentifier="identity" groupIdentifier="groups" audiences="ALL_AUDIENCES"/>
+</server>