I am trying to get SSO implemented with Azure AD connecting to Open ID Connect in ChirpStack, but it doesn’t seem to be working. I hit a loop where we get the error below.
Just for the sake of asking, do users already have to be in the user table before SSO will work?
I also have the ‘registration’ config variable set to true, so this shouldn’t be an issue unless the functionality is bugged.
Can anyone provide a sanitized example of how these fields would be populated, particularly the Email field? I am using the docker images at log level info, but it isn’t giving significantly helpful logs, and debug didn’t give anything helpful either, unfortunately. Getting a sample for this would be very helpful for my investigation, thanks.
We were thinking that may be part of the issue, but were having trouble modifying the code to debug. Is there any way to turn off the dependency on email_verified or is that fully integrated into the code, as I see the implementation of Azure AD I have to communicate with doesn’t have email_verified as a usual field.
There is no worry if this is not easily doable, I am just trying to get as many options as possible.
Isn’t there a way to make sure that Azure AD returns email_verified=true? The reason why this is validated is that if a user already exists within ChirpStack, the email will be used to associate the OIDC-provided id with the user within ChirpStack.
Therefore you really want to make sure that the OIDC provided email is validated, as else there could be an option that somebody could hijack other accounts.
Do you have any (references to) documentation about the Azure AD returned claims?
I have contacted people to make changes, but I have hit another problem. I have asked the people that handle the Azure side of things to add email_verified as a field, so that part is fine, but I am now hitting an issue that might be related to Go itself, and you might be able to lend a hand with it.
Our SSO is mostly working, except that the code cannot seem to handle email_verified: the value arrives as a string, and we are now getting the error that it is not handling the unmarshal correctly, as it only expects a bool.
I have seen an answer on StackOverflow surrounding a similar issue and this was the proposed fix. I suppose it tells the marshaller to potentially expect to parse a string?
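The two points raised in this thread, tolerating an `email_verified` claim that arrives as a JSON string instead of a boolean, and only using the email to match an existing local account once it is actually verified, can be shown together in Go. The following is an added example written for this page, not ChirpStack's own code: `FlexBool`, `Claims`, `ParseClaims` and `LinkableEmail` are hypothetical names, the claim payloads are constructed, and the `assumeVerified` parameter mirrors the opt-in flag mentioned later in the thread rather than any specific ChirpStack API.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
)

// FlexBool unmarshals either a JSON boolean (true) or a boolean-looking JSON
// string ("true", "True", "1", ...). A plain bool field rejects the string
// form, which is the unmarshal error described in the thread.
type FlexBool bool

// UnmarshalJSON implements json.Unmarshaler.
func (b *FlexBool) UnmarshalJSON(data []byte) error {
	var v bool
	if err := json.Unmarshal(data, &v); err == nil {
		*b = FlexBool(v)
		return nil
	}
	var s string
	if err := json.Unmarshal(data, &s); err != nil {
		return fmt.Errorf("email_verified: expected bool or string, got %s", string(data))
	}
	v, err := strconv.ParseBool(s)
	if err != nil {
		return fmt.Errorf("email_verified: cannot parse %q as bool", s)
	}
	*b = FlexBool(v)
	return nil
}

// Claims is a hypothetical subset of the OIDC ID-token / userinfo claims.
type Claims struct {
	Subject       string   `json:"sub"`
	Email         string   `json:"email"`
	EmailVerified FlexBool `json:"email_verified"` // absent claim stays false
}

// ParseClaims decodes a claims document and requires a subject identifier.
func ParseClaims(raw []byte) (Claims, error) {
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return Claims{}, err
	}
	if c.Subject == "" {
		return Claims{}, errors.New("claims: missing sub")
	}
	return c, nil
}

// ErrEmailNotVerified is returned when the email must not be used for linking.
var ErrEmailNotVerified = errors.New("email not verified by the identity provider")

// LinkableEmail returns the email that may be used to match an existing local
// account. It is only trusted when the IdP asserts email_verified, or when the
// operator has explicitly opted in via assumeVerified; otherwise an attacker
// who controls an IdP account with an arbitrary unverified email could be
// linked to someone else's local account.
func LinkableEmail(c Claims, assumeVerified bool) (string, error) {
	if c.Email == "" {
		return "", errors.New("claims: missing email")
	}
	if !bool(c.EmailVerified) && !assumeVerified {
		return "", ErrEmailNotVerified
	}
	return c.Email, nil
}

func main() {
	// Constructed sample claims, not real Azure AD output.
	samples := []string{
		`{"sub":"sub-1","email":"alice@example.org","email_verified":true}`,
		`{"sub":"sub-2","email":"bob@example.org","email_verified":"true"}`,
		`{"sub":"sub-3","email":"carol@example.org"}`,
	}
	for _, s := range samples {
		c, err := ParseClaims([]byte(s))
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		email, err := LinkableEmail(c, false)
		fmt.Printf("%s -> email=%q err=%v\n", c.Subject, email, err)
	}
}
```

The custom `UnmarshalJSON` is the same shape as the StackOverflow-style fix referred to above: try the native boolean first, fall back to parsing a string, and reject anything else (a number, for instance) rather than silently treating it as verified. Keeping the verification check in one place (`LinkableEmail`) also makes the opt-in override an explicit, auditable decision instead of something scattered through the login flow.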
I managed to get this working by adding assume_email_verified=true in the application server configuration. Thanks to the ChirpStack team for getting this new flag added in the latest version of the application server.
Now the user can be authenticated with Azure AD, and if the user is not present in the ChirpStack application, they will get the following screen after authentication is successful:

As a global administrator, I can also see that user as present in the All Users section of the application.