• Configuration
  • Preparing your wiki
  • Registering for OAuth access
• FAQ
  • Can I login with Azure AD on both the main wiki and my subwikis?
  • How to sync the XWiki profile with the Azure-Active-Directory Account information?
  • I have an Active-Directory Server; can I use it with this app?
  • Can this app import user images? (avatars)
  • Can I block some users from logging in ?
  • Can I add login with the OAuth provider X/Y/Z ?
  • Can I use this service with our http-based wiki?
  • I meet the error that the return-URL is not allowed

Configuration

Preparing your wiki

Make sure that you know the (https) URL of your wiki.

Registering for OAuth access

1. Navigate to portal.azure.com , select "App registrations".

2. Click on "+ New registration"

3. Choose/add a name (that will be user visible) and the desired account types

• The return URL (Redirect URI in the portal) can generated later and copied from the Azure AD configuration section, in the wiki administration. It will be the login URL which the users will use, e.g. for main wiki - https://yourserver/xwiki/bin/login/XWiki/XWikiLogin
• Click on the Register button

4. Resulted App Overview

You are now defining what the "app" (the XWiki) as: 

• Display name
• Application (client) ID
• Directory (tenant) ID

Copy the client and tenant ids (using the roll-over-button "Copy to clipboard" can work well). You can go back later on the registered app, Overview section, to recopy them.

 5. Click on "Branding" from the left panel

• Add useful information as possible to get the trust of the users (for the wiki to access the permissions).

• Click on "Save"

 6. Click on "Authentication" from the left panel

• Click on "+ Add a platform" > Web
• Add the desired Redirect URI: e.g. main wiki - https://yourwikiserver/xwiki/bin/login/XWiki/XWikiLogin
• Optional - Add an Front-channel logout URL (an absolute URL such as https://yourwikiserver/xwiki/bin/view/AzureAD/OAuthLogout)
  
• Select "ID tokens"
  
• Click on the "Save" button

7. Click on "Certificates & secrets" from the left panel

• Click on "+ New client secrets"
• Add a Description and an Expiration time
• Click on the Add button
• Copy the Value field (using the roll-over-button "Copy to clipboard") and write it down (store it somewhere as it will become hidden and inaccessible - it will be used as secret key in the Azure AD configuration section of the wiki administration)

8. Click on "API permissions" from the left panel

• Click on "+ Add a permission"
  
• Select "Microsoft Graph"
  
• Select "Delegated permissions"
  
• Under "Select permissions" search and select openid, User.Read and User.ReadBasic.All 
  
• Click on the "Add permissions" button

We now have finished the configuration on the Microsoft side.

9. Log-in to the wiki as Admin

• From the Drawer access "Administer Wiki" >  "Extensions" > "Extensions"
• Search for Azure AD, install the appropriate version (install it on farm if you want to use it on both the main wiki and all your other subwikis) and get a License for it

10. Click on Other > Azure AD

• Input Client ID, Secret Value and Tenant ID as copied above
• The Return URL is computed by the server and it is optional to complete it
• From PERMISSIONS TO REQUEST select/unselect User image
• Click on the "Save" button

We now have finished on the XWiki side and can test the Azure AD login.
 

11. Logout or choose another browser to access the wiki if you want to still be logged in with an XWiki user in the current browser.

12. Click Login

• Click on "Login with Azure Active Directory"
  
• Fill in the credentials for the Microsoft account (also used to login in to https://portal.azure.com/)
• Accept the Permissions requested
  

FAQ

• Preparing your wiki
• Registering for OAuth access
• Can I login with Azure AD on both the main wiki and my subwikis?
• How to sync the XWiki profile with the Azure-Active-Directory Account information?
• I have an Active-Directory Server; can I use it with this app?
• Can this app import user images? (avatars)
• Can I block some users from logging in ?
• Can I add login with the OAuth provider X/Y/Z ?
• Can I use this service with our http-based wiki?
• I meet the error that the return-URL is not allowed

Can I login with Azure AD on both the main wiki and my subwikis?

Yes. For this option, we recommend you install the Microsoft Azure Active Directory Single Sign-On (SSO) (Pro) on farm from the start.

Then, you need to follow the steps shown in the Registering for OAuth access documentation section, and to add the obtained client ID, tenant ID, secret value on the main wiki administration > Other > Azure AD configuration.

It will not be needed to add a Redirect URL towards the subwiki login or to complete the Azure AD configuration from the subwiki administration. 

Once you finish the setup, you will obtain the following results:

• The ability to login from the main wiki with an Azure AD account.
• You can access a link towards the subwiki that was placed on a main wiki page without being prompted to login.
• When someone accesses directly a link from the subwiki Sandbox page, for example, and they will be able to login with an Azure AD account and it will show them the Sandbox page.

How to sync the XWiki profile with the Azure-Active-Directory Account information?

On the Administration section, the "Permissions to request" options allow the user to specify which information will be copied from the Azure Account to the XWiki profile upon login.

I have an Active-Directory Server; can I use it with this app?

No. This app is solely designed for the Azure Cloud based Active-Directory server by Microsoft Inc.
However, Microsoft offers methods to migrate from a local active-directory server to an Azure active directory service.

Can this app import user images? (avatars)

Yes, this app can do so if the accounts are allowed to use Outlook.

Can I block some users from logging in ?

Provided that a user has logged in with an AzureAD identity, a wiki page for this user has been created and can be modified.
Setting this user to inactive, or removing view rights on this user will prevent this AzureAD-based login to work.

Can I add login with the OAuth provider X/Y/Z ?

This app is based on IdentityOAuth which is designed to be used with multiple identity providers. Creating another provider requires implementing a provider java class as well as configuration XWiki objects and administration XWiki sheets. See the documentation there.

Can I use this service with our http-based wiki?

Except for ``localhost`` (including ``localhost:8080`, Azure Active Directory does not allow users to be sent to URLs that are not using the ``https`` protocol. Hence this app can be used for development but not for hosting a local http-based server.

I meet the error that the return-URL is not allowed

This error occurs as soon as the URL that was used by the XWiki server at time of configuring the administration is not the same as the URL configured in the Azure Active Directory service as redirect URL. Since XWiki can often be accessed from different URLs, it may be safer to configure the app with a hand-written redirect-URL.

Installation Steps

This paid extensions requires XWiki 13.10 or above. In order to install the extension, follow the next steps inside your XWiki instance (on cloud or on premise).

Navigate to the Extension Manager

In the Applications Panel click on "More Applications..." and then "Install new applications...". Alternatively navigate directly to the Administration and select the "Extensions" section.

Install the Extension

Search for the extension you wish to install and use the Install button to install it.

Get a License

Navigate to the "Licenses" section of the Administration, fill your details, look for the extension you just installed in the live table and click the buttons to get a trial license or to buy a license.

Install the License

If you have selected a trial license then you're good and there's nothing else to do. Your trial license is automatically installed.

However if you've selected to buy a license you'll be redirected to a page to perform the payment. At the end you need to come back to the "Licenses" administration section and click on the "Check for Updates" button. This will download and apply the license you bought.

Use the Extension

Start using the Extension! Refer to the extension's documentation to know how to use it.

Installing Paid Apps on Subwikis

If you want to install an application on the whole farm (main wiki + subwikis), you can do so directly from the main wiki’s Extension Manager, as seen below:

Extensions can also be installed only on a particular subwiki by global admins. Subwiki admins will not be able to install these extensions due to their limited rights.

Uninstall the extension

To rapidly see the effect of the uninstall, you can navigate to the administration of Azure AD and deactivate the app.

You can then navigate to the wiki administration, Extensions section, search for the Microsoft Azure Active Directory extension and uninstall it. Check the Licenses tab for remaining dependency extensions, and search for them as well in the Installed Extensions so that you can completely remove the Azure AD application. There are curently 4 dependency extensions that need to be uninstalled: Configuration Pages for Microsoft Azure Active Directory Single Sign-On (SSO) (Pro), Identity OAuth (Pro), Microsoft Azure Active Directory Single Sign-On (SSO) (pro) API and Identity OAuth Integration (API).

See an example in the image gallery below:

Options

The price is per year and varies depending on the support level and the number of users.

Benefits

What do you get when you purchase an XWiki extension?

How to Buy

To buy, install this extension from inside your XWiki instance and follow the instructions.

Release notes

v1.6

Bugs fixed:

• #14 Setting the scope of the ConfigurableClass of the AzureADConfig page to 'wiki level' breaks authentication on XWiki 13.7+
• #17 The homepage of the application is not hidden so it's visible in the page tree and in search

Upgrades:

• #26 Upgrade parent to 13.10-3.
• Licensing Application 1.24.1
• Identity OAuth Integration 1.6

v1.5.9

Dependency upgrades:

• Identity OAuth Integration 1.5.3

v1.5.8

Bugs fixed:

• #23 Login button is missing since 1.5.6 version

Dependency upgrades:

• Identity OAuth Integration 1.5.2

v1.5.7

Dependency upgrades:

• Identity OAuth Integration 1.5.1

v1.5.6

Bugs fixed:

• #11 Sporadic failed authentication when provider becomes null

Dependency upgrades:

• Identity OAuth Integration 1.5

v1.5.5

Bugs fixed:

• #11 Access to subwiki forbidden if the View right is allowed for any group either on the main wiki level or subwiki level, and there are still rights issues after removing the right
• #12 Login option is shown after uninstalling the Microsoft Azure Active Directory Single Sign-On (SSO) (Pro)

Dependency upgrades:

• Identity OAuth Integration 1.4.1

v1.5.4

Dependency upgrades:

• Licensing Application 1.22.1
• Identity OAuth Integration 1.4

v1.5.3

Update the application description

v1.5.2

Update the Licensing dependency version to 1.22

v1.5

Bugs:

• #2: Failed to instantiate AzureADIdentityOAuthProvider

v1.4

Bugs:

• #5: The login button is not displayed
• #4: Broken login after reinstall on farm
• #2: Failed to instantiate AzureADIdentityOAuthProvider

Also update the licensor and Identity OAuth versions.

v1.2

• #6: Azure users with empty name get an error upon login

v1.1

• #1: Polish project descriptor

v1.0

Initial release.

Extension details

License

• GNU Lesser General Public License 2.1

Sources

• https://github.com/xwikisas/integration-azure-oauth/tree/master/integration-azure-oauth-ui

Issues

• GitHub

Type

• xar

Developed by

• XWiki SAS

Compatibility

• Requires XWiki 13.10 or above.

Dependencies

• com.xwiki.integration-azure-oauth:integration-azure-oauth-admin-ui 1.6
• com.xwiki.licensing:application-licensing-licensor-api 1.24.1