FMADIO Capture devices can authenticate users against Active Directory via the OAUTH 2.0 protocol. This enables Single Sign On with ADFS.
The example described below assumes the FMADIO can reach the OAUTH server directly. In most cases a proxy is required; that setup is described at the end of this document.
Step 1) OAUTH Config
Next, create a file named
/opt/fmadio/etc/oauth_opts.lua
This file contains the ADFS OAUTH endpoints, as follows:
local config =
{
    -- URL on the FMADIO device that ADFS redirects back to after login; must be registered in ADFS
    redirect_uri = "https://fmadio100v2-ip-address:443/secure/",
    -- OpenID Connect metadata document of the tenant
    discovery = "https://login.microsoftonline.com/571b0fe2-75cb-48de-9144-0cb928e90751/v2.0/.well-known/openid-configuration",
    -- client ID of the fmadio sign in entry
    client_id = "d41c59e7-6906-4569-9cc0-c6762541d2cd",
    -- client secret Value (not the Secret ID)
    client_secret = "fSY7Q~dkbG~mHlJYipKiC0XCMhnXQbOkOP5iE",
    -- "no" disables TLS certificate verification when contacting the identity provider
    ssl_verify = "no",
    -- OpenID Connect scopes requested at login
    scope = "openid email profile",
    redirect_uri_scheme = "https",
    -- no proxy: the device reaches the OAUTH server directly (see Proxy Setting below)
    proxy_opts =
    {
        https_proxy = nil,
    }
}
return config
These fields come from the ADFS endpoint URI information, shown in the following screenshots. We created an fmadio sign in entry; its client_id is the one entered above.
The "discovery" value in the above config must be the OpenID Connect Metadata document URL, as seen below.
The "client_id" is the value shown below.
The "client_secret" in the above config must be the secret's Value shown below, not its Secret ID.
Finally, the "redirect_uri" must be registered as follows.
Once the config is complete, confirm it has no syntax errors by running
fmadiolua /opt/fmadio/etc/oauth_opts.lua
Correct output is shown below; if there are any syntax errors, correct them before continuing.
Step 2) Restart nginx
Restart nginx to load the new configuration file by killing the process as below. It respawns automatically via a 1 minute cron job.
sudo killall nginx
It can take 60 to 120 seconds for nginx to restart.
Step 3) Logging in
Next, point a browser at the FMADIO device; it should redirect you to the Active Directory login page as follows.
Log in using your Azure / Microsoft credentials. The FMADIO device dashboard will then be shown as below.
Step 4) Logout
Logout works the same way, using the logout button shown below.
Then choose the account to sign out of.
Proxy Setting
The example above assumes the OAUTH server can be accessed directly from the FMADIO. In most cases this is not possible; instead there is a proxy through which external web access must be routed. FMADIO only supports HTTPS through an HTTP proxy on the local network. This proxy can then reach out to the external authentication service (such as login.microsoftonline.com). It is likely this proxy will need some tweaks / access controls to allow the FMADIO system to communicate with the authentication service.
To configure this, update the oauth_opts.lua configuration file as follows:
local config =
{
    redirect_uri = "https://fmadio100v2-ip-address:443/secure/",
    discovery = "https://login.microsoftonline.com/571b0fe2-75cb-48de-9144-0cb928e90751/v2.0/.well-known/openid-configuration",
    client_id = "d41c59e7-6906-4569-9cc0-c6762541d2cd",
    client_secret = "fSY7Q~dkbG~mHlJYipKiC0XCMhnXQbOkOP5iE",
    ssl_verify = "no",
    scope = "openid email profile",
    redirect_uri_scheme = "https",
    proxy_opts =
    {
        -- local HTTP proxy through which HTTPS requests to the authentication service are routed; the URL scheme must be http://
        https_proxy = "http://local_http_proxy:portnumber",
    }
}
return config
Note the proxy URL must be http (not https), even though the final endpoint is a TLS connection.
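The script below is an added example and is not part of the FMADIO documentation or software. It parses an oauth_opts.lua file in the shape shown in Step 1 and in the proxy section above, then checks the points the page makes: every field is present, "discovery" is an https OpenID Connect metadata URL, "redirect_uri" matches "redirect_uri_scheme", "scope" includes openid, and any "https_proxy" is an http:// URL. It also flags ssl_verify = "no" as a warning, since that disables certificate verification of the identity provider. The embedded sample config is constructed with placeholder IDs and a deliberately wrong https:// proxy URL; the check rules are the example's own, not a validator shipped with the device.

```python
import re
import sys

# Constructed sample (placeholders, not the page's real IDs): the proxy URL
# uses https://, which the page says is wrong, and ssl_verify is "no".
SAMPLE_CONFIG = '''
local config =
{
    redirect_uri = "https://fmadio-host:443/secure/",
    discovery = "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0/.well-known/openid-configuration",
    client_id = "CLIENT-ID-PLACEHOLDER",
    client_secret = "CLIENT-SECRET-PLACEHOLDER",
    ssl_verify = "no",
    scope = "openid email profile",
    redirect_uri_scheme = "https",
    proxy_opts =
    {
        https_proxy = "https://local_http_proxy:3128",
    }
}
return config
'''

# Tokens of the restricted Lua subset used by oauth_opts.lua: quoted strings,
# names (including nil/local/return), the symbols { } = , and skipped whitespace/comments.
TOKEN_RE = re.compile(r'"([^"]*)"|([A-Za-z_]\w*)|([{}=,])|\s+|--[^\n]*')


def tokenize(text):
    tokens = []
    pos = 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unexpected character at offset {pos}: {text[pos]!r}")
        pos = m.end()
        if m.group(1) is not None:
            tokens.append(("str", m.group(1)))
        elif m.group(2) is not None:
            tokens.append(("name", m.group(2)))
        elif m.group(3) is not None:
            tokens.append(("sym", m.group(3)))
    return tokens


def parse_table(tokens, i):
    """Parse '{ key = value, ... }' starting at tokens[i] == '{'; return (dict, index after '}')."""
    if tokens[i] != ("sym", "{"):
        raise ValueError(f"expected '{{', got {tokens[i]}")
    i += 1
    table = {}
    while tokens[i] != ("sym", "}"):
        kind, key = tokens[i]
        if kind != "name" or tokens[i + 1] != ("sym", "="):
            raise ValueError(f"expected 'key =' at token {i}, got {tokens[i]}")
        i += 2
        kind, val = tokens[i]
        if kind == "str":
            table[key], i = val, i + 1
        elif (kind, val) == ("name", "nil"):
            table[key], i = None, i + 1
        elif (kind, val) == ("sym", "{"):
            table[key], i = parse_table(tokens, i)
        else:
            raise ValueError(f"unsupported value for {key}: {tokens[i]}")
        if tokens[i] == ("sym", ","):
            i += 1
    return table, i + 1


def parse_oauth_opts(text):
    """Return the config table of a 'local config = {...} return config' file as a dict."""
    tokens = tokenize(text)
    if tokens[:3] != [("name", "local"), ("name", "config"), ("sym", "=")]:
        raise ValueError("file must start with 'local config ='")
    table, i = parse_table(tokens, 3)
    if tokens[i:] != [("name", "return"), ("name", "config")]:
        raise ValueError("file must end with 'return config'")
    return table


REQUIRED = ("redirect_uri", "discovery", "client_id", "client_secret", "scope", "redirect_uri_scheme")


def check_oauth_opts(cfg):
    """Return a list of (level, message) findings; an empty list means the config passes."""
    findings = []
    for key in REQUIRED:
        if not cfg.get(key):
            findings.append(("error", f"missing or empty field: {key}"))
    disc = cfg.get("discovery") or ""
    if not (disc.startswith("https://") and disc.endswith("/.well-known/openid-configuration")):
        findings.append(("error", "discovery must be the https OpenID Connect metadata URL "
                                  "(ending in /.well-known/openid-configuration)"))
    scheme, ruri = cfg.get("redirect_uri_scheme"), cfg.get("redirect_uri") or ""
    if scheme and not ruri.startswith(scheme + "://"):
        findings.append(("error", f"redirect_uri does not use redirect_uri_scheme '{scheme}'"))
    if "openid" not in (cfg.get("scope") or "").split():
        findings.append(("error", "scope must include 'openid' for OpenID Connect login"))
    if cfg.get("ssl_verify") == "no":
        findings.append(("warning", 'ssl_verify = "no" disables TLS certificate verification of the '
                                    'identity provider; use "yes" once the CA chain is trusted'))
    proxy = (cfg.get("proxy_opts") or {}).get("https_proxy")
    if proxy is not None and not proxy.startswith("http://"):
        findings.append(("error", "proxy_opts.https_proxy must be an http:// URL to the local proxy, "
                                  "even though the authentication endpoint is reached over TLS"))
    return findings


def corrected_sample():
    """The sample with both findings fixed: http:// proxy URL and ssl_verify = "yes"."""
    return (SAMPLE_CONFIG
            .replace('"https://local_http_proxy', '"http://local_http_proxy')
            .replace('ssl_verify = "no"', 'ssl_verify = "yes"'))


if __name__ == "__main__":
    # Usage: python check_oauth_opts.py /opt/fmadio/etc/oauth_opts.lua  (defaults to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONFIG
    for level, msg in check_oauth_opts(parse_oauth_opts(text)):
        print(f"{level.upper()}: {msg}")
```

Run it against the real file after fmadiolua has confirmed the syntax: fmadiolua catches Lua errors, while this check catches a config that is valid Lua but will still fail at login time (wrong proxy scheme, wrong discovery URL, mismatched redirect scheme).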