
Conversation

@angela-tran
Member

Research for #2266 and #2263

@angela-tran angela-tran self-assigned this Nov 14, 2025
@github-actions github-actions bot added the back-end Django views, sessions, middleware, models, migrations etc. label Nov 14, 2025

@angela-tran angela-tran Nov 14, 2025


Added this just so the login page doesn't look as broken. Aware that we wouldn't want to add a file this large and probably want to clean up the organization of these SSO logo files. Anyway, the styling is not the focus of this spike; please ignore this.


angela-tran commented Nov 14, 2025

Current state

  • My local Benefits Admin has a "Log in with Microsoft SSO" button
  • I can log in to my local Benefits Admin with my [email protected] Microsoft account from the "Compiler LLC" tenant

Changes that were needed

In the Microsoft Entra admin center

Logged into entra.microsoft.com with my account in the "Compiler LLC" tenant.

Then, under "App registrations":

  • Created a new app registration
    • For "Supported account types", I chose the "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)" option
    • Set the redirect URI to http://localhost:<port number>/microsoft_sso/callback since that's the default redirect URI in django-microsoft-sso
    • (Note that the app registration "belongs" to / is "in" the "Compiler LLC" tenant because that is the active tenant for my session)
  • Created a new client secret for that app registration

Then, under "Enterprise apps":

  • Found the "Enterprise application" corresponding to my app registration and went to the "Users and groups" tab
  • Added my [email protected] account as a user

In our Django code

  • Added a few MICROSOFT_SSO_... settings that were needed to settings.py:
    • MICROSOFT_SSO_ALLOWABLE_DOMAINS
    • MICROSOFT_SSO_APPLICATION_ID
    • MICROSOFT_SSO_CLIENT_SECRET
    • MICROSOFT_SSO_AUTHORITY
  • Set the values in my .env file

Next steps

It was easy to add my account to the Enterprise Application's "Users and groups" because the app registration and my user account are in the same tenant. The next step is to figure out how accounts from other tenants are added to that list of users/groups who can authenticate into the app. This is what we'd need to allow transit-agency-staff users to log in using their Microsoft accounts from their Microsoft Entra ID tenants.

Some initial notes

  • The first thing to figure out is if our use case fits that of a workforce tenant or external tenant
    • Workforce tenants are for collaboration between business partners who may need to access each other's Azure resources
    • External tenants are for Customer Identity and Access Management (CIAM) so basically it's for consumers and business customers who need to log in to your app
  • It's not really clear to me which one we are. Right now, I think workforce tenant is more correct?
  • The main difference from an implementation standpoint (as I understand it) is that:
    • with the workforce tenant approach:
      • we'd set up a "B2B collaboration" with the transit agency's workforce tenant
      • the app registration would be in our existing CDT workforce tenant
    • with the external tenant approach:
      • we'd create a new tenant (an External Tenant)
      • the app registration would be in this new external tenant
      • we'd configure sign-up and sign-in flows on the app registration
      • my impression is that this helps you have a cleaner separation between the guest users who are in your tenant because they actually might need to access your Azure resources (like how we are guests that access Azure Resources in CDT's tenant) vs. guest users who are in your tenant because they need to authenticate into your app

With that said about external tenants providing a "cleaner separation", I want to note that it seems you can also do some configuration with the B2B deployment using Microsoft Entra Identity Governance or entitlement management or something? Then there's something about catalogs and connected organizations? This is where I'm kind of reaching the limit of how much new Azure knowledge I can wrap my head around at a time. 😅
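As an added example (not code from this PR or from django-microsoft-sso), the settings the comment lists can be assembled from `.env` with a few checks a reviewer would want before the button ships: the app registration was created as multitenant, so against the `common` authority any Entra account from any tenant can complete sign-in and `MICROSOFT_SSO_ALLOWABLE_DOMAINS` is the app-side gate; the Enterprise Application's "Users and groups" list only blocks unassigned users when that app's "Assignment required?" property is set to Yes. Environment variable names, the validation helpers and the sample values are assumptions constructed for the example.

```python
import os
from typing import Dict, List, Mapping

ENTRA_AUTHORITY_PREFIX = "https://login.microsoftonline.com/"
# Authority paths not tied to a single tenant: any Entra account can complete
# the OIDC flow against them, so the app itself must filter who gets in.
MULTITENANT_ENDPOINTS = {"common", "organizations"}

# Constructed sample .env values (not real identifiers or secrets).
EXAMPLE_ENV = {
    "MICROSOFT_SSO_APPLICATION_ID": "11111111-2222-3333-4444-555555555555",
    "MICROSOFT_SSO_CLIENT_SECRET": "constructed-secret-value",
    "MICROSOFT_SSO_AUTHORITY": "https://login.microsoftonline.com/common/",
    "MICROSOFT_SSO_ALLOWABLE_DOMAINS": "Agency.example, example.org",
}


def parse_domains(raw: str) -> List[str]:
    """'Agency.example, example.org' -> ['agency.example', 'example.org']."""
    return sorted({d.strip().lower() for d in raw.split(",") if d.strip()})


def validate(env: Mapping[str, str]) -> List[str]:
    """Return the problems found; an empty list means the settings are usable."""
    problems = []
    if not env.get("MICROSOFT_SSO_APPLICATION_ID", "").strip():
        problems.append("MICROSOFT_SSO_APPLICATION_ID is missing")
    if not env.get("MICROSOFT_SSO_CLIENT_SECRET", "").strip():
        problems.append("MICROSOFT_SSO_CLIENT_SECRET is missing (keep it in .env, not settings.py)")
    authority = env.get("MICROSOFT_SSO_AUTHORITY", "").strip().rstrip("/")
    if not authority.startswith(ENTRA_AUTHORITY_PREFIX):
        problems.append("MICROSOFT_SSO_AUTHORITY must look like https://login.microsoftonline.com/<tenant>")
        return problems
    tenant = authority[len(ENTRA_AUTHORITY_PREFIX):]
    domains = parse_domains(env.get("MICROSOFT_SSO_ALLOWABLE_DOMAINS", ""))
    if tenant in MULTITENANT_ENDPOINTS and not domains:
        problems.append("multitenant authority with no allowlist would let any Entra account sign in")
    return problems


def microsoft_sso_settings(env: Mapping[str, str] = os.environ) -> Dict[str, object]:
    """Settings to merge into Django settings, e.g. globals().update(microsoft_sso_settings())."""
    problems = validate(env)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "MICROSOFT_SSO_APPLICATION_ID": env["MICROSOFT_SSO_APPLICATION_ID"].strip(),
        "MICROSOFT_SSO_CLIENT_SECRET": env["MICROSOFT_SSO_CLIENT_SECRET"].strip(),
        "MICROSOFT_SSO_AUTHORITY": env["MICROSOFT_SSO_AUTHORITY"].strip().rstrip("/"),
        "MICROSOFT_SSO_ALLOWABLE_DOMAINS": parse_domains(env.get("MICROSOFT_SSO_ALLOWABLE_DOMAINS", "")),
    }
```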

@angela-tran

I'll demo this today in dev standup

@angela-tran angela-tran force-pushed the spike/admin-microsoft-sso branch from 3f1194e to e4616bb November 24, 2025 18:12
@angela-tran angela-tran force-pushed the spike/admin-microsoft-sso branch from e4616bb to 58a509c November 24, 2025 18:13