User authentication with OpenID and Azure AD
The instructions below are only valid for Allure TestOps 4.x.
Allure TestOps 5.x does not yet support authentication using OpenID.
Prerequisites
- You need administrative access to your Azure AD, or an admin near you.
- You need access to the Allure TestOps configuration files.
- You need to be able to apply the configuration changes, which could require some downtime.
- Allure TestOps needs to work behind HTTPS, i.e. there must be something like a reverse proxy terminating TLS in front of Allure TestOps, because the redirect URI used in the integration with Azure AD must be an HTTPS URL. Please consult your network administrator or DevOps to ensure the proper configuration on the network side.
Integration of Allure TestOps and Azure AD
Given
- Allure TestOps is deployed and accessible on http://allure.local (your URLs will definitely be different).
- Your Azure AD instance settings are available at https://portal.azure.com
Configuration on Azure AD side
Follow Microsoft's guide on registering an application in Azure AD to make all the needed preparations for the integration.
From the previous step we've got the following parameters, which we are going to use for the integration:
- Application (client) ID
- Client secret (token)
- OpenID Connect metadata document URL
[Screenshots: Application ID, Client's secret and OpenID connect metadata as shown in the Azure portal]
The OpenID Connect metadata URL is used without its trailing .well-known/openid-configuration part, i.e. only the issuer part of the URL goes into the configuration.
Configuring Allure TestOps
For a Kubernetes deployment you need to configure the integration with Azure via the variables in the env.open section of the values.yaml file.
  env:
    open:
      # This parameter is responsible for matching the group role attribute
      ALLURE_LOGIN_OPENID_GROUPROLEATTRIBUTE: role
      SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENTNAME: Azure
      # Your clientId (get one from the OIDC provider), described above in the Azure configuration section
      SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENTID: <Application (client) ID>
      # Your clientSecret (get one from the OIDC provider)
      SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENTSECRET: <Client secrets (Token)>
      # This parameter tells your OIDC provider where to redirect the client after a successful login
      SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_REDIRECTURI: https://<your-domain>/login/oauth2/code/allure
      # URL of your auth provider (issuer), described above in the Azure configuration section
      SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OIDC_ISSUERURI: <OpenID Connect metadata>
      # This parameter tells Allure TestOps what to use as the username. It could be email or preferred_username
      SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OIDC_USERNAMEATTRIBUTE: email
      SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_SCOPE: openid,email,profile
      # The other parameters present in the values file are not required by the Azure OpenID integration
      # Syncs the user role by group membership on every login
      ALLURE_LOGIN_OPENID_SYNCROLES: false
      # Maps your OIDC groups onto Allure groups
      ALLURE_LOGIN_OPENID_GROUPAUTHORITIES_ROLEUSERGROUPS: allure_users
      ALLURE_LOGIN_OPENID_GROUPAUTHORITIES_ROLEADMINGROUPS: allure_admins
Now update your Allure TestOps configuration as usual for a Kubernetes installation using Helm's commands, so that Azure AD is used as the identity provider.
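Before running Helm, it is worth checking that the values above are consistent with the rules this guide states (placeholders replaced, issuer URI without the .well-known part, HTTPS redirect URI ending in /login/oauth2/code/allure, a valid username attribute, openid in the scope). The following is an added example, not Allure TestOps code; the env dictionaries it checks are constructed samples with fake IDs and secrets.

```python
import re

# Added example, not Allure TestOps code: sanity-check the env.open values for the
# Azure AD OpenID integration before running helm, using the rules this guide states.
PREFIX = "SPRING_SECURITY_OAUTH2_CLIENT_"
WELL_KNOWN = "/.well-known/openid-configuration"
PLACEHOLDER = re.compile(r"^<.*>$")  # e.g. <Application (client) ID> left in from the guide


def check_openid_env(env):
    """Return a list of findings; an empty list means the values match the guide's rules."""
    get = lambda key: str(env.get(PREFIX + key, "")).strip()
    findings = []
    for key in ("REGISTRATION_OIDC_CLIENTID", "REGISTRATION_OIDC_CLIENTSECRET",
                "REGISTRATION_OIDC_REDIRECTURI", "PROVIDER_OIDC_ISSUERURI"):
        value = get(key)
        if not value or PLACEHOLDER.match(value):
            findings.append(f"{key} is empty or still holds a placeholder from the guide")
    # The metadata URL from the Azure portal is used WITHOUT its trailing well-known part.
    if get("PROVIDER_OIDC_ISSUERURI").rstrip("/").endswith(WELL_KNOWN):
        findings.append(f"ISSUERURI must be the issuer URL only, without {WELL_KNOWN}")
    redirect = get("REGISTRATION_OIDC_REDIRECTURI")
    if not redirect.startswith("https://"):  # Allure TestOps must be served over HTTPS
        findings.append("REDIRECTURI must use https://")
    if not redirect.endswith("/login/oauth2/code/allure"):
        findings.append("REDIRECTURI must end with /login/oauth2/code/allure")
    if get("PROVIDER_OIDC_USERNAMEATTRIBUTE") not in ("email", "preferred_username"):
        findings.append("USERNAMEATTRIBUTE must be email or preferred_username")
    if "openid" not in [s.strip() for s in get("REGISTRATION_OIDC_SCOPE").split(",")]:
        findings.append("SCOPE must include openid")
    return findings


# Constructed sample (fake TENANT-ID/secret): guide placeholders left in, http:// redirect,
# full metadata URL pasted into ISSUERURI, unsupported username attribute, no openid scope.
WEAK_ENV = {
    PREFIX + "REGISTRATION_OIDC_CLIENTID": "<Application (client) ID>",
    PREFIX + "REGISTRATION_OIDC_CLIENTSECRET": "<Client secrets (Token)>",
    PREFIX + "REGISTRATION_OIDC_REDIRECTURI": "http://allure.local/login/oauth2/code/allure",
    PREFIX + "PROVIDER_OIDC_ISSUERURI": "https://login.microsoftonline.com/TENANT-ID/v2.0" + WELL_KNOWN,
    PREFIX + "PROVIDER_OIDC_USERNAMEATTRIBUTE": "upn",
    PREFIX + "REGISTRATION_OIDC_SCOPE": "email,profile",
}
# The same registration with every finding corrected (values are still fake).
GOOD_ENV = dict(WEAK_ENV, **{
    PREFIX + "REGISTRATION_OIDC_CLIENTID": "00000000-0000-0000-0000-000000000000",
    PREFIX + "REGISTRATION_OIDC_CLIENTSECRET": "fake-client-secret-from-azure-portal",
    PREFIX + "REGISTRATION_OIDC_REDIRECTURI": "https://allure.local/login/oauth2/code/allure",
    PREFIX + "PROVIDER_OIDC_ISSUERURI": "https://login.microsoftonline.com/TENANT-ID/v2.0",
    PREFIX + "PROVIDER_OIDC_USERNAMEATTRIBUTE": "email",
    PREFIX + "REGISTRATION_OIDC_SCOPE": "openid,email,profile",
})
```

Running check_openid_env on WEAK_ENV reports six findings, one per mistake listed in its comment; on GOOD_ENV it returns an empty list.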
Setting the default authentication method
When you've updated the settings and they have been successfully applied, check the authentication by trying to log in using the following URL: http://allure.local/login/oauth2
Your URL will differ; only the path /login/oauth2 is to be taken from this guide for the test.
When you've successfully tested the authentication, you can switch to OpenID as the main authentication method. In the values.yaml file, set the auth.primary option to "openid":
  auth:
    primary: openid
Now update your Allure TestOps configuration as usual for a Kubernetes installation using Helm's commands, so that OpenID (Azure AD) becomes the primary authentication method.
Setting the default role for new users registering via OpenID/Azure AD
Why
If no additional setting is made, all new users will have ROLE_USER by default and each will consume 1 license.
What
To prevent new users from consuming licenses, define their default role as ROLE_GUEST when they register in the system using OpenID/Azure AD. This ensures they have read-only access by default and do not consume any licenses in the system.
How
The name of the configuration parameter varies depending on the deployment type.
In the values.yaml file, set the defaultRole parameter to define the default role for a new user who logs in to Allure TestOps using OpenID:
  auth:
    primary: openid
    # Allowed roles: ROLE_ADMIN, ROLE_USER, ROLE_GUEST; preferred: ROLE_GUEST + sync of roles.
    defaultRole: ROLE_GUEST