Configure to use Entra ID

[stich86]

Hi guys,

has anyone implemented the auth using Entra ID?
I want to make it works for WebClient login.

Any help is really appreciated

thanks

[stich86]

Just for refence, I've succesfully configured Open ID with Entra, here my example configuration for env.d/oidc.env:

SFTPGO_HTTPD__BINDINGS__0__OIDC__CLIENT_ID="YOUR_APP_ID"
SFTPGO_HTTPD__BINDINGS__0__OIDC__CLIENT_SECRET="YOUR_APP_SECRET"
SFTPGO_HTTPD__BINDINGS__0__OIDC__CONFIG_URL="https://sts.windows.net/TENANT-UID/"
SFTPGO_HTTPD__BINDINGS__0__OIDC__REDIRECT_BASE_URL="https://YOUR_APP:8080/"
SFTPGO_HTTPD__BINDINGS__0__OIDC__USERNAME_FIELD="email"
SFTPGO_HTTPD__BINDINGS__0__OIDC__ROLE_FIELD="sftpgo_role"

I had some problem using CONFIG_URL with login.microsoft.com, so I've used sts.windows.net with Tenant ID

On Entra, I've created a App that use "Web" as authentication, and send "email" as token, then make Graph authorization to read also email from user profile. I think also username can be used

Still working on how to make sftpgo_role to work for admin users

[stich86]

ok i've got also sftpgo_role working for admin :)

Step done:

Under App Registration\App Roles add new role like this (admin should be lower case, sorry i've transled the page on the fly with Safari and make it upper case):

Then go into Enterprise App, select the SFTPGo registered app and add the admin users under Users & Group, you will have only sftpgo_role used for admin login.

Please note that you need to create the user account with Entra ID email address under Administrators into SFTPGo interface.

[hpst3r]

First, thank you very much for opening this issue @stich86, this was very helpful. I probably wouldn't have tried to use sts.windows.net for the config_url without it.

I figured I could probably add a few Entra screenshots in case anyone else stumbles across this in the future.

When I tried to use login.microsoftonline.com/tenantid/v2 (or something) rather than sts.windows.net, I got "invalid OIDC token" errors from the web UI on a login attempt:

Logs showed a "oidc: logout url response code 200" from httpd. I suspect this is what @stich86 ran into?

In case this helps anyone, here is my SFTPGo OIDC & Entra Application config to use "upn" (user principal name, email - requires no extra config):

"oidc": {
  "client_id": "redacted",
  "client_secret": "redacted",
  "client_secret_file": "",
  "config_url": "https://sts.windows.net/tenantid/",
  "redirect_base_url": "https://sftpgo.domain.foo/",
  "scopes": [
    "openid",
    "profile",
    "email"
  ],
  "username_field": "upn",
  "role_field": "",
  "implicit_roles": true,
  "custom_fields": [],
  "insecure_skip_signature_check": false,
  "debug": false
},

You can find your tenant ID in the Identity > Overview section of the Entra admin center (entra.microsoft.com) under Basic Information.

In Entra, my configured Redirect URI is "https://sftpgo.domain.foo/web/oidc/redirect".

To register an App, navigate to the Entra admin center (entra.microsoft.com), expand "Applications" in the left-side nav pane, and select "App Registrations". Then, fill in your app name, select which Microsoft accounts should be allowed to authenticate, and enter a redirect URI ("https://my.SFTPGo.com/web/oidc/redirect").

Client ID can be found under the App Registration:

Create a Client Secret under the App Registration (via App Registrations > SFTPGo > Certificates & secrets > New client secret). The Value is your "oidc": {"client_secret"} value.

Then, assign users to the "Enterprise Application" (different tab):

Finally, once you've created users with usernames that match the UPNs (ex.: username 'foo@bar.baz' in SFTPGo) your users should be able to click that magic "Sign in with OpenID" button and get dropped into the web UI.