Import Azure external roles when using OAuth authentication to JasperReports Server


    Starting with JasperReports Server 9, OAuth can be enabled through the server configuration.

    More details can be found here:


    Sometimes, instead of maintaining an explicit mapping between external roles and internal roles, you may simply want to import the roles assigned to the user on the OAuth provider, for example Azure.

    This guide shows how to import external roles into JasperReports Server by name: instead of importing the role id (e.g. EE09FBEB_030C_4279_8621_84DB528488D1), we import the role name (e.g. ROLE_TEST).

    In the jasperserver-pro/WEB-INF/classes/oauth-clientconfig.properties file, configure the property spring.security.oauth2.user.attributes.mapping.roles=roles. The value is the name of the JWT claim that carries the roles; for Azure, that claim is roles.

    Once this is done, you need to carry out further configuration on Azure.

    1) Login to the Microsoft Azure portal and navigate to the Microsoft Entra ID service, then click on the App registrations blade.


    2) Locate your App registration and click on it.

    3) Expand the Manage sidebar menu, and click on the Manifest blade.


    4) Download the Microsoft Graph App Manifest to keep as a backup, just in case.


    5) Locate the setting groupMembershipClaims and ensure it is set to ApplicationGroup. This option includes only groups that are assigned to the application.

    Before changing this value, ensure that the groups you wish to include in your claims are assigned to your Microsoft Entra ID application. Failure to do so may result in unexpected behavior, including the removal of group memberships used for role bindings. For more information on how to add groups to your Microsoft Entra ID application, see the Microsoft documentation.


    6) Locate the groups claims under the optionalClaims section of the manifest. There should be three: one under accessToken, one under idToken, and one under saml2Token. Edit the additionalProperties field of the groups claim under idToken only, so that it looks like this:

    ...
        "optionalClaims": {
            "idToken": [
                {
                    "name": "groups",
                    "source": null,
                    "essential": false,
                    "additionalProperties": [
                        "sam_account_name",
                        "cloud_displayname"
                    ]
                }
            ],
    ...

    7) Save your changes.


    When you log in to JasperReports Server, the external role is assigned to the current user; if it does not already exist, it is created and marked as external.
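As an added diagnostic, not part of this article or of JasperReports Server itself: a Python script that reads the claim name configured in oauth-clientconfig.properties, extracts that claim from a decoded ID token, and flags values that still look like Azure group object IDs, which means the manifest change above has not taken effect for those groups. SAMPLE_PROPERTIES and the token payloads are constructed; the signature is not verified here because the server does that before trusting any claim.

```python
import base64
import json
import re

# Property from jasperserver-pro/WEB-INF/classes/oauth-clientconfig.properties
ROLES_MAPPING_PROPERTY = "spring.security.oauth2.user.attributes.mapping.roles"

# Azure group object IDs are GUIDs; JasperReports Server writes them with '_' for '-'.
OBJECT_ID_RE = re.compile(r"^[0-9a-f]{8}([-_][0-9a-f]{4}){3}[-_][0-9a-f]{12}$", re.I)

# Constructed sample of the relevant line of oauth-clientconfig.properties.
SAMPLE_PROPERTIES = "# OAuth client config\n" + ROLES_MAPPING_PROPERTY + "=roles\n"

def role_claim_key(properties_text: str) -> str:
    """Return the JWT claim name that the server maps to external roles."""
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip() == ROLES_MAPPING_PROPERTY:
            return value.strip()
    raise KeyError(ROLES_MAPPING_PROPERTY)

def _b64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def roles_from_id_token(id_token: str, claim: str) -> list:
    """Read the configured claim from an ID token payload. Diagnostic only: the
    signature is not checked here; the server validates it before trusting claims."""
    payload = json.loads(_b64url(id_token.split(".")[1]))
    value = payload.get(claim, [])
    return list(value) if isinstance(value, list) else [value]

def unresolved_object_ids(roles: list) -> list:
    """Values still shaped like object IDs: the manifest change did not apply to them."""
    return [r for r in roles if OBJECT_ID_RE.match(r)]

def sample_token(payload: dict) -> str:
    """Constructed token for offline testing; the signature segment is a placeholder."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(payload) + ".placeholder"

if __name__ == "__main__":
    key = role_claim_key(SAMPLE_PROPERTIES)
    # Before the manifest change the claim carries object IDs, afterwards group names.
    before = sample_token({"sub": "u1", key: ["EE09FBEB_030C_4279_8621_84DB528488D1"]})
    after = sample_token({"sub": "u1", key: ["ROLE_TEST", "ROLE_FINANCE"]})
    print(unresolved_object_ids(roles_from_id_token(before, key)))
    print(unresolved_object_ids(roles_from_id_token(after, key)))
```

An empty list from unresolved_object_ids for a real token means every group arrived by name and will be created in JasperReports Server as ROLE_... external roles rather than as GUID-named ones.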
