How To Configure SSO with Azure AD

Hi there

Recently we have been struggling to get SSO with Azure to work on our Node-RED applications.
We have a specific Active Directory group called "ADGroup_NodeRed" and we only wanted users in that group to be able to log into Node-RED.
So, I thought it was a good idea to post our learnings here to help someone else if they have the same problem.

This post helped a lot as a starting point.

For SSO to work, the following must be in place on Azure:
1. An application is registered on Azure so that we can get the following information:
a. Client ID
b. Tenant ID
c. Client Secret
2. The Azure application has a correctly configured token (see below).
3. The correct AD Group is specified on the application.
4. The redirect URL is configured on the application.

Azure Token Configuration
In Azure, under "Token Configuration", ensure that "groups" is one of the claims that are configured. If you edit the "groups" options (three dots), make sure that "sAMAccountName" is selected. This ensures that Azure replies to Node-RED with the group name. Other claims that we have in this page are "acct" and "email".

Node-RED Configuration
We need the node-red-contrib-passport-azure-ad module to be installed. I installed it via "Manage palette" in the Node-RED GUI, but you should be able to install it via npm:

npm install node-red-contrib-passport-azure-ad

Next we need to edit the Node-RED settings.js file:

  1. Comment the current "adminAuth" section out, since there can only be one of these sections in the settings.js file (this means you cannot have local accounts AND Active Directory accounts using Node-RED!).
  2. Create a new "adminAuth" section as follows:
adminAuth: {
    type: "strategy",
    strategy: {
        name: "azuread-openidconnect",
        label: 'Sign in with Azure',
        icon: "fa-windows",
        strategy: require("passport-azure-ad").OIDCStrategy,
        options: {
            identityMetadata: "https://login.microsoftonline.com/###YOUR AZURE TENANT ID###/v2.0/.well-known/openid-configuration",
            clientID: "###YOUR AZURE CLIENT ID###",
            clientSecret: "###YOUR AZURE CLIENT SECRET###",
            responseType: "code",
            responseMode: "query",
            // Must match the redirect URL registered on the Azure application
            redirectUrl: "###URL to Node-RED###/auth/strategy/callback",
            // Only needed while the redirect URL is plain http; set to false once Node-RED is served over https
            allowHttpForRedirectUrl: true,
            scope: ['email', 'profile'],
            verify: function (profile, done) {
                // Custom logic to verify group membership
                const requiredGroup = 'ADGroup_NodeRed';
                // Check if the user belongs to the required group
                // (the "groups" claim only carries names if sAMAccountName was selected in Token Configuration)
                if (profile._json.groups && profile._json.groups.includes(requiredGroup)) {
                    // User is in the required group
                    profile.username = profile._json.preferred_username;
                    done(null, profile);
                } else {
                    // User is not in the required group (or no groups claim was sent)
                    done(new Error('User is not in the correct AD Group.'));
                }
            }
        }
    },
    users: function (user) {
        // Every user who passed verify() gets full admin permissions
        return Promise.resolve({ username: user, permissions: "*" });
    }
},
  3. Restart your Node-RED application to apply the new settings.js file. You should then be greeted with a login screen in Node-RED GUI like this.
    [screenshot: Node-RED login screen]
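The group check inside verify() is the only thing standing between "any user in the tenant" and "only ADGroup_NodeRed", so it is worth exercising on its own. The block below is an added example, not code from the post above: it lifts the same decision into a standalone factory (makeGroupVerify and runVerify are hypothetical names) and runs it against constructed profile objects. It goes one step beyond the post by giving a distinct reason for the case where Azure leaves out the "groups" claim because the user is in more groups than fit in the token (Azure then sends _claim_names/_claim_sources instead); the post's code denies that user too, which is the safe default, but without saying why.

```javascript
// Added example (not from the original post): a standalone version of the
// verify callback used in the adminAuth strategy, written so the
// group-membership decision can be exercised offline against constructed
// profile objects. makeGroupVerify / runVerify are hypothetical names.

// Build a passport-style verify(profile, done) callback that only accepts
// users whose "groups" claim contains requiredGroup.
function makeGroupVerify(requiredGroup) {
  return function verify(profile, done) {
    const claims = (profile && profile._json) || {};

    // Azure omits "groups" and emits _claim_names/_claim_sources instead when
    // the user belongs to more groups than fit in the token (group overage).
    // Deny, but with a reason an admin can act on, instead of a silent lockout.
    if (!Array.isArray(claims.groups)) {
      const overage = claims._claim_names && claims._claim_names.groups;
      return done(new Error(overage
        ? 'Group overage: groups claim not in token, membership could not be checked.'
        : 'No groups claim in token; check Azure "Token Configuration".'));
    }

    // Names only appear here if sAMAccountName was selected for the groups
    // claim; otherwise the array holds object IDs and this check fails closed.
    if (!claims.groups.includes(requiredGroup)) {
      return done(new Error('User is not in the correct AD Group.'));
    }

    // Same username mapping as the settings.js snippet in the post.
    profile.username = claims.preferred_username;
    return done(null, profile);
  };
}

// Run a verify callback and return { ok, username } or { ok, reason }
// so the decision can be inspected without Passport in the loop.
function runVerify(verify, profile) {
  let result;
  verify(profile, (err, user) => {
    result = err ? { ok: false, reason: err.message }
                 : { ok: true, username: user.username };
  });
  return result;
}

// Constructed sample profiles (shaped like profile._json from the strategy,
// not real tokens).
const SAMPLE_PROFILES = {
  member:   { _json: { preferred_username: 'alice@example.com',
                       groups: ['ADGroup_NodeRed', 'Everyone'] } },
  outsider: { _json: { preferred_username: 'bob@example.com',
                       groups: ['Everyone'] } },
  overage:  { _json: { preferred_username: 'carol@example.com',
                       _claim_names: { groups: 'src1' },
                       _claim_sources: { src1: { endpoint: 'https://PLACEHOLDER-graph-endpoint' } } } },
  noClaim:  { _json: { preferred_username: 'dave@example.com' } },
};

const verifyNodeRed = makeGroupVerify('ADGroup_NodeRed');

// Show the decision for each constructed profile.
for (const [name, profile] of Object.entries(SAMPLE_PROFILES)) {
  console.log(name, runVerify(verifyNodeRed, profile));
}
```

Only the "member" profile is accepted; the other three are refused, each with a different reason string, which is what you want to see in the Node-RED log when someone reports that they cannot sign in.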

Brilliant, thanks for sharing this. You may want to consider changing the category to "FAQs" as this question does come up from time-to-time.

Also worth pointing out that there is another way to use Node-RED with Azure and that is to use a web app which lets you run Node-RED behind IIS as a proxy. Logins can then be arranged via IIS and its integrated link to Azure Active Directory.

In terms of enterprise-grade production security, doing authentication in a more dedicated tool rather than putting all eggs into the Node-RED basket is often preferred. Additionally, I would strongly recommend the use of things like Web Application Firewalls to augment the security for any Internet-facing production service. Risk levels vary of course, depending on where you and your customers reside and what business sector they are in but certainly in cases where nation-state level attacks are likely (sadly an increasing problem in the world), relying purely on a single level of security would be unwise.

Anyway, apologies for adding the above, you are probably aware but I wanted to make sure that other people seeing this don't make too many assumptions.

Hi @TotallyInformation, thank you for the feedback. I tried changing the category just now, but "FAQs" is not an available option. This is why I opted for "General". It might be that my account is still limited in what I can post since I only created it today.

My bad, it may be a restricted category. Not to worry, I've moved it over for you. Thanks again for the contribution.

