2. OAuth Provider Setup
Roost supports the authentication mechanisms shown below.
The following information describes how to set up one of these OAuth providers for the Roost Control Plane, using Google Auth, Okta or Azure ADFS.
OKTA Auth Client Setup
Sign in to your Okta account with admin privileges (if you do not have an existing Okta account, sign up at the Okta Developer site).
From the left navigation menu, go to Applications -> Applications.
Select Create App Integration -> OIDC - OpenID Connect -> Web Application, then click Next.
Fill in a suitable App integration name and upload the logo.
Add Sign-in redirect URIs
https://<DNS_NAME>/login
Allow access to users through Assignments -> Controlled Access.
Select the groups of users, or allow access to everyone.
Save, and make a note of the Okta Client ID and the Client Secret (they are needed later in the config below).
From the left navigation menu, go to Security -> API.
Make a note of the Issuer URI of the default Authorisation Server; it looks like https://{your_domain}.okta.com/oauth2/default
Google Auth Client Setup
Reference: Integrating Google Sign-In into your web app (Google Sign-In for Websites, Google Developers).
Create Credentials, select OAuth Client and set the Application Type to Web Application.
Add the Authorised JavaScript Origin as
https://<DNS_NAME>
Add the Authorised redirect URIs
https://<DNS_NAME>/login
https://<DNS_NAME>/api/auth/redirect/google
Download the JSON
Make a note of the Google Client ID and the Client Secret (they are needed later in the config below).
Azure ADFS Auth Client Setup
Roost OAuth2 Setup - Windows Server 2016/2019 - AD FS 4.0
Open the Server Manager from Start Menu, Select Tools > AD FS Management
From the AD FS Management screen, go to AD FS ➜ Application Groups
Click Add Application Group on right panel
Fill in a name (Roost) for the application group
Select Server application accessing a web API and click Next.
Make a note of the Client Identifier value. This will be the value for the AZURE_ADFS_CLIENT_ID variable.
Fill in the Redirect URI (https://zbio.roost.io/login) and click Add, then Next.
Check the Generate a shared secret box.
Use the Copy to clipboard button to retrieve the secret. This will be the value for the AZURE_ADFS_CLIENT_SECRET variable. Click Next.
Enter the Web API identifier (same as the Redirect URI - https://zbio.roost.io/login) and click Add, then Next.
On the Access Control Policy screen, select a policy, usually Permit everyone and click Next
On the Configure Application Permissions screen, select the scope openid and click Next
Review the settings and click Next
Close the wizard by clicking Close. Our application is now registered in ADFS.
Now we need to configure the claims for the application.
Open the Properties of the application group we just created.
Select the Web API entry (Roost - Web API) and click Edit.
On the Issuance Transform Rules tab, click the Add Rule button
Select Send LDAP Attributes as Claims and click Next
Give the rule a name (Roost Claims) and select Active Directory as the attribute store.
Now configure the below claims (LDAP Attribute => Outgoing Claim Type):
E-Mail-Addresses => E-Mail Address
Given-Name => Given Name
Surname => Surname
SAM-Account-Name => Windows Account Name
User-Principal-Name => UPN
Click Finish to save the claims
You should now see the rule added. Click OK a couple of times to save the settings.
Now the setup is complete. Set these 3 values as environment variables:
AZURE_ADFS_CLIENT_ISSUER - domain of the ADFS server (https://adfs.contoso.com)
AZURE_ADFS_CLIENT_ID - Client Identifier of the server application
AZURE_ADFS_CLIENT_SECRET - client secret we copied to the clipboard
If you do not want to use a client secret, add a Native Application instead and pass the AZURE_ADFS_CLIENT_SECRET variable as empty.
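Before deploying, it is worth checking the values collected above the way the providers will check them: redirect URIs are matched exactly, so a stray http scheme, wildcard host or an unreplaced <DNS_NAME> placeholder means the login round-trip will fail or, worse, be accepted by a looser provider policy. The validator below is an added example, not Roost's own code; the DNS name, client IDs, secrets and issuer values are constructed placeholders.

```python
from urllib.parse import urlparse
# Constructed placeholders standing in for the values noted during the
# provider setup above; none of them identify a real tenant.
DNS_NAME = "roost.example.com"
PROVIDERS = {
    "okta": {"issuer": "https://example.okta.com/oauth2/default",
             "client_id": "OKTA_CLIENT_ID_PLACEHOLDER",
             "client_secret": "OKTA_CLIENT_SECRET_PLACEHOLDER",
             "redirect_uris": [f"https://{DNS_NAME}/login"]},
    "google": {"client_id": "GOOGLE_CLIENT_ID_PLACEHOLDER",
               "client_secret": "GOOGLE_CLIENT_SECRET_PLACEHOLDER",
               "redirect_uris": [f"https://{DNS_NAME}/login",
                                 f"https://{DNS_NAME}/api/auth/redirect/google"]},
    # ADFS: an empty secret is valid only when a Native Application was registered.
    "azure_adfs": {"issuer": "https://adfs.contoso.com",
                   "client_id": "ADFS_CLIENT_ID_PLACEHOLDER",
                   "client_secret": "",
                   "redirect_uris": [f"https://{DNS_NAME}/login"]},
}

def check_redirect_uri(uri: str, dns_name: str) -> list[str]:
    """Providers match redirect URIs exactly: only https on our own host is sane."""
    p, problems = urlparse(uri), []
    if p.scheme != "https":
        problems.append(f"{uri}: scheme must be https")
    if p.hostname != dns_name.lower() or "*" in uri or "<" in uri:
        problems.append(f"{uri}: host must be exactly {dns_name} "
                        "(no wildcard or unreplaced placeholder)")
    if p.query or p.fragment:
        problems.append(f"{uri}: query string or fragment not allowed")
    return problems

def validate(name: str, cfg: dict, dns_name: str) -> list[str]:
    """Return the misconfigurations found; an empty list means the entry is usable."""
    problems, iss = [], cfg.get("issuer")
    # The issuer is compared byte-for-byte against the token's iss claim.
    if iss is not None and (not iss.startswith("https://") or iss.endswith("/")):
        problems.append(f"{name}: issuer must be https with no trailing slash")
    if not cfg.get("client_id"):
        problems.append(f"{name}: client_id is missing")
    if not cfg.get("client_secret") and name != "azure_adfs":
        problems.append(f"{name}: client_secret is missing")
    if not cfg.get("redirect_uris"):
        problems.append(f"{name}: at least one redirect URI is required")
    for uri in cfg.get("redirect_uris", []):
        problems += check_redirect_uri(uri, dns_name)
    return problems

if __name__ == "__main__":
    for name, cfg in PROVIDERS.items():
        print(name, validate(name, cfg, DNS_NAME) or "ok")
```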