~/$ cat traefik-az-sso.md

Traefik - Replacing Basic Authentication with Azure SSO Using ForwardAuth

#traefik#azure#docker

Out of the box, Traefik has a simple basic auth middleware that can be used for proxied apps that don't have their own authentication solution.

If you followed myĀ Traefik configuration guide, you would already be using Traefik'sĀ basic authentication solution. In this guide, we'll be replacing this middleware withĀ FowardAuth.

Why not BasicAuth?

BasicAuthĀ is a quick and easy solution to secure a service you're not exposing publicly. However, its lack of MFA and having to enter a username and password when switching between services was enough to make the switch. It also gives me an opportunity to learn something new, which is always welcome.

FowardAuth

FowardAuthĀ is Traefik's built-in solution for forwarding Authentication to an external auth service. OAuth & OIDC services are supported. Previously, I had set this up with Google SSO using Google's Cloud API. In this guide, we'll be configuring SSO using Azure Active Directory.

img

We will supplement the ForwardAuth middleware with thomseddon'sĀ Forward Auth docker image. This will be our dedicated endpoint for all authentication requests.

Add a DNS entry

From your DNS provider, add a new entry for your auth endpoint. I suggest using something like 'auth.subdomain.example.com' or 'aad.subdomain.example.com'.

Here's the entry I've added in Cloudflare:

img

Nyx is the subdomain configured with the SANS certificate in my Traefik guide

Create the Azure App

From the Azure Portal, navigate to theĀ App Registrations bladeĀ and clickĀ New Registration.

Give it a relevant name and add a web redirect URI with your newly created subdomain E.g https://[serviceUrl]/_oauth. Click Register.

{{< alert icon=lightbulb >}} The Azure interface only lets you add one redirect when creating a new registration. Additional URIs can be added from the Authentication tab after creation.

It's important to add the URL for each of the services you want to protect with SSO. {{</ alert >}}

UnderĀ Certificates & Secrets, generate a new secret for the application. Make sure to copy it and keep it somewhere safe. Secrets will only appear once.

Create the Auth Container

Next, we're going to create our Auth container using thomseddon'sĀ Forward Auth docker image. In my config, I've tacked this onto my Traefik docker-compose file:

auth:
    container_name: auth
    image: thomseddon/traefik-forward-auth:latest
    depends_on:
      - traefik
    networks:
      - traefik
    environment:
      - DEFAULT_PROVIDER=oidc
      - PROVIDERS_OIDC_ISSUER_URL=https://sts.windows.net/[tenantID]/
      - PROVIDERS_OIDC_CLIENT_ID=[clientID]
      - PROVIDERS_OIDC_CLIENT_SECRET=[clientSecret]
      - COOKIE_DOMAIN=[yourDomain]
      - LOG_LEVEL=debug
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.auth.entrypoints=http"
      - "traefik.http.routers.auth.rule=Host(`aad.[subdomain.example.com]`)"
      - "traefik.http.middlewares.auth-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.auth.middlewares=auth-https-redirect"
      - "traefik.http.routers.auth-secure.entrypoints=https"
      - "traefik.http.routers.auth-secure.rule=Host(`aad.[subdomain.example.com]`)"
      - "traefik.http.routers.auth-secure.tls=true"
      - "traefik.http.routers.auth-secure.service=auth"
      - "traefik.http.services.auth.loadbalancer.server.port=4181"
      - "traefik.docker.network=traefik"
    restart: unless-stopped
networks:
  traefik:
    external: true

Make sure to check all environment variables and labels to ensure you've removedĀ ALLĀ placeholders.

Create/Update the Auth Middleware

In the Traefik config file, add or update your auth Middleware to the following:

http:
  middlewares:
    auth:
      forwardAuth:
        address: "http://auth:4181"
        trustForwardHeader: true
        authResponseHeaders:
          - "X-Forwarded-User"

Add the Auth Middleware to Your App

To require AAD authentication on a container or service, just update your middleware label to include 'auth@file'. Here's an example:

- "traefik.http.routers.traefik-secure.middlewares=ipWhiteList@file, auth@file"

{{< alert >}} IMPORTANT:Ā Make sure you include each service in your App Registrations Redirect URI list. The list should include all hosts you intend to authenticate from. {{</ alert >}}

If you see the message below, the URL you're trying to access is not in the App Registrations URIs:

img

Also check that the URI is in https://[serviceUrl]/_oauth format

Test Your Apps

Now if you go to one of the hosts you've configured for auth, you will be swiftly redirected to your organisation's login page:

img

Because we've configured a persistent cookie across our domain, you'll only need to sign in once. Pretty neat!

Troubleshooting

As with any undertaking like this one, you're more than likely to run into some problems along the way. Both Traefik and thomseddon's forward auth containers have great logging, which was invaluable when configuring the solution.

Logs can be viewed from your docker host server using:

docker logs auth

and:

docker logs traefik

with 'auth' and 'traefik' being the names of the respective containers. There is also plenty of helpful documentation on theĀ GitHub repo:

github.com/thomseddon/traefik-forward-auth