icCube

Azure AD B2C Authentication

Starting with v7.2, icCube can authenticate users against an Azure AD B2C server.

Application Registration

icCube is going to connect to an Azure AD B2C Application Registration. So first you'll have to set up such an application and generate a client secret, and then set up the service/filters in icCube.xml using the different tenant/application IDs (see below).

Microsoft Graph Permissions

icCube uses the Graph API (https://graph.microsoft.com/v1.0/me) to request the user's information, so ensure the registered application has the necessary permissions:


Directory.Read.All
Directory.ReadWrite.All  (required for POST requests but icCube does NOT write anything)
    

Groups/Roles

Azure AD B2C groups are mapped to icCube roles using the Group Object ID as the icCube role name. You can use the optional icCube role description to store the actual Azure AD B2C group name for an easier role setup. icCube requires the groups to be present in the accessToken claims, so ensure the application manifest is set up as specified here:


"groupMembershipClaims": "SecurityGroup",
    

Authentication Service

Within icCube.xml, set up the Azure AD authentication service:


<service-class>crazydev.iccube.server.authentication.azureadb2c.AzureADB2CAuthenticationService</service-class>

<!--
    Optional parameter defining the Azure AD group used as icCube administrator role.
-->
<param>
    <name>ic3.admin.group.oid</name>
    <value>00d2f22a-102c-4667-b995-35cb48114703</value>
</param>

<!--
    Optional parameter defining the default user's locale.

    The default locale is used if neither the Azure AD "preferredLanguage" nor the "usageLocation"
    attribute contains a known language/country from which the user's locale can be determined.
-->
<param>
    <name>ic3.default.locale</name>
    <value>fr_FR</value>
</param>
    
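The group-to-role mapping from the Groups/Roles section and the two optional parameters above, worked through as an added Python example (not icCube's own code): it reads the groups claim of a constructed, unsigned token into icCube role names, checks membership of the ic3.admin.group.oid group, and resolves the locale from the Graph preferredLanguage / usageLocation attributes with ic3.default.locale as the fallback. The known-locale tables and the sample object IDs are assumptions, not icCube's actual behaviour.

```python
import base64
import json

# Values taken from the icCube.xml fragments on this page.
ADMIN_GROUP_OID = "00d2f22a-102c-4667-b995-35cb48114703"  # ic3.admin.group.oid
DEFAULT_LOCALE = "fr_FR"  # ic3.default.locale
# Assumed: the language/country values icCube would recognise (hypothetical table).
KNOWN_LANGUAGES = {"en-US": "en_US", "fr-FR": "fr_FR", "de-CH": "de_CH"}
KNOWN_COUNTRIES = {"US": "en_US", "FR": "fr_FR", "CH": "de_CH"}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unsigned_token(payload: dict) -> str:
    """Constructed JWT-shaped token (header.payload.) for offline use; the filter's
    signature check against the tenant's signing keys is not modelled here."""
    return ".".join([_b64url(b'{"alg":"none"}'), _b64url(json.dumps(payload).encode()), ""])

def token_claims(token: str) -> dict:
    """Decode the payload segment of a JWT-shaped access token."""
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)  # restore the base64url padding that JWTs strip
    return json.loads(base64.urlsafe_b64decode(seg))

def roles_from_token(token: str) -> list:
    """icCube role names are the Group Object IDs in the groups claim; a missing claim
    means the manifest lacks "groupMembershipClaims": "SecurityGroup"."""
    groups = token_claims(token).get("groups")
    if groups is None:
        raise ValueError("access token has no groups claim; check the application manifest")
    return sorted(groups)

def is_admin(token: str) -> bool:
    """True when the ic3.admin.group.oid group is among the user's groups."""
    return ADMIN_GROUP_OID in roles_from_token(token)

def user_locale(profile: dict) -> str:
    """Locale from Graph /me: preferredLanguage, then usageLocation, then the default."""
    lang = KNOWN_LANGUAGES.get(profile.get("preferredLanguage"))
    return lang or KNOWN_COUNTRIES.get(profile.get("usageLocation"), DEFAULT_LOCALE)

# Constructed sample token: an admin user who is also in a second (made-up) group.
SAMPLE_TOKEN = unsigned_token({
    "oid": "aaaaaaaa-0000-0000-0000-000000000001",  # made-up user object id
    "groups": [ADMIN_GROUP_OID, "bbbbbbbb-0000-0000-0000-000000000002"],
})
```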

Filters

Setup the following icCube.xml filters:

<filter>
    <filter-name>Azure AD B2C</filter-name>
    <filter-class>crazydev.iccube.server.authentication.azureadb2c.AzureADB2CFilter</filter-class>

    <!--
         Application

           Application (client) ID : 3f13650f-fbcb-4896-a910-...
           Directory (tenant) ID   : 15fe8d57-9ae8-4209-966b-...

           Client Secret

             ic3 Dev. App Secret   : -f1S@TotrC95]F:7I6YK[Lc:...

    -->

    <init-param>
        <param-name>clientId</param-name>
        <param-value>3f13650f-fbcb-4896-a910-...</param-value>
    </init-param>

    <init-param>
        <param-name>clientSecret</param-name>
        <param-value>-f1S@TotrC95]F:7I6YK[Lc:...</param-value>
    </init-param>

    <init-param>
        <!--
            https://login.microsoftonline.com/{Directory (tenant) ID}/
        -->
        <param-name>authority</param-name>
        <param-value>https://login.microsoftonline.com/15fe8d57-9ae8-4209-966b-.../</param-value>
    </init-param>

    <init-param>
        <!--
            Optional parameter when icCube is behind a proxy to fix the redirect URI:
               proxyInternal is replaced by proxyExternal
               
            For example, icCube is behind an Apache server accepting HTTPS connections and configured
            as a reverse proxy to icCube accepting HTTP connections.     
        -->
        <param-name>proxyInternal</param-name>
        <param-value>http://localhost:8282</param-value>
    </init-param>

    <init-param>
        <!--
            Optional parameter when icCube is behind a proxy to fix the redirect URI:
               proxyInternal is replaced by proxyExternal

            For example, icCube is behind an Apache server accepting HTTPS connections and configured
            as a reverse proxy to icCube accepting HTTP connections.     
        -->
        <param-name>proxyExternal</param-name>
        <param-value>https://localhost</param-value>
    </init-param>

    <init-param>
        <!--
            As defined in Azure AD application registration.

            Do not change the trailing URL: icCube/console/aad/login
        -->
        <param-name>redirectUriSignIn</param-name>
        <param-value>https://localhost/icCube/console/aad/login</param-value>
    </init-param>
</filter>

<filter>
    <filter-name>Passthrough</filter-name>
    <filter-class>crazydev.iccube.server.authentication.passthrough.IcCubePassthroughAuthenticationServletFilter</filter-class>
</filter>
    
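A consistency check for the proxy rewrite and the registered redirect URI in the filter above, as an added Python example rather than icCube's own code: it assumes the rewrite is a plain proxyInternal-to-proxyExternal prefix replace, as the configuration comment describes, and reports anything that would not match redirectUriSignIn or the fixed trailing login path.

```python
from urllib.parse import urlsplit

# Values from the filter configuration on this page.
PROXY_INTERNAL = "http://localhost:8282"
PROXY_EXTERNAL = "https://localhost"
REDIRECT_URI_SIGN_IN = "https://localhost/icCube/console/aad/login"
LOGIN_PATH = "/icCube/console/aad/login"  # the trailing URL the page says not to change

def effective_redirect_uri(request_url: str) -> str:
    """Redirect URI as Azure AD will see it: the proxyInternal prefix is swapped for
    proxyExternal (assumed: a plain prefix replace; any other request URL is left as-is)."""
    if request_url.startswith(PROXY_INTERNAL + "/"):
        return PROXY_EXTERNAL + request_url[len(PROXY_INTERNAL):]
    return request_url

def check_redirect(request_url: str) -> list:
    """Return the mismatches that would make the sign-in redirect fail (empty = consistent)."""
    uri = effective_redirect_uri(request_url)
    problems = []
    if urlsplit(uri).path != LOGIN_PATH:
        problems.append("path must be " + LOGIN_PATH)
    if uri != REDIRECT_URI_SIGN_IN:
        problems.append("redirect URI %s does not equal redirectUriSignIn %s" % (uri, REDIRECT_URI_SIGN_IN))
    return problems
```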

Components/Services Configuration

Ensure the UX, Reporting and GVI components/services use the authentication filters as follows:

<uxComponentConfiguration>
    
    <static>

        <param>
            <name>cacheControl</name>
            <value>public, max-age=31536000</value>
        </param>

        <filter>Azure AD B2C</filter>
        <filter>Passthrough</filter>

    </static>
    
    ...
    
<reportingComponentConfiguration>
    
    ...
    
    <filter>Azure AD B2C</filter>
    <filter>Passthrough</filter>
    
    ...
        
<gviComponentConfiguration>

    ...

    <filter>Azure AD B2C</filter>
    <filter>Passthrough</filter>
    <filter>GVI Authentication (logout)</filter>
    
    ...
    

Support

Should you have any questions, please do not hesitate to contact our support or contact us via our Web site.



Next chapter: Configure SSL (HTTPS) connector.