Hi guys, its posible to get azure users and groups with azure OIDC integration?

Have you looked at https://datahubproject.io/docs/metadata-ingestion/source_docs/azure-ad/?

and if and usert its login with OIDC and the azure ad is ingested, it will automatically mapped to groups?

I think yes that is how Azure AD connector is working.

i will try, thx 😄

Did this work out for you? https://datahubspace.slack.com/archives/C029A3M079U/p1642604154189100

it work if i remove the groups from scope

I had the same issue. I also removed groups from the oidc scope, and also can't seem to get the users and groups linked in the ad import.

Can someone please log an issue in github for this so it can be tracked and solved? https://github.com/linkedin/datahub/issues/new/choose If either of you is interested we are always looking for contributions. You can ask questions about contributing in #contribute channel

i create this one (https://github.com/linkedin/datahub/issues/3920). Its my first time i hope its clear 😅

Thanks, @few-air-56117! We’ll reach out on the issue if there’s confusion. Is this related to your other question in #troubleshoot? https://datahubspace.slack.com/archives/C029A3M079U/p1642604154189100

Hi Maggie, yep (its the same problem), me and iasoon have the same issue

👍🏻 gotcha, thanks! I’ll work with the core team to get this prioritized teamwork

thanks 🙏

Can you check the URN for both? There has to be some difference between the 2 URNs

in azure its just one account with dragos.c. If i do just the ingestion, i will have 1 user. If i login with OIDC azure (for the first time) it will create another user ( even if its the same email)

Can you share the URN of the two?

I don’t know how to find them 😅

It should be

dragos.c

only. The OIDC one has some incorrect configuration. Can you check OIDC confif to see if these are present or not

AUTH_OIDC_USER_NAME_CLAIM=email
AUTH_OIDC_USER_NAME_CLAIM_REGEX=([^@]+)

they are not present in oidc login

I think you need to add at least this and restart frontend container

AUTH_OIDC_USER_NAME_CLAIM_REGEX=([^@]+)

either that or

azure_ad_response_to_username_regex: "(.*)"

for the AD ingestion

works, thx 😇

Did you get the OIDC groups claim to work in the end @few-air-56117?

yep

hi. Even though we managed to ingest the groups into Datahub, we are not able to see the users of each group. Additionally, the policies applied to a group don't seem to be applied to the users.

@few-air-56117 @quaint-branch-37931 thank you for the efforts here! Seems indeed it was about the unique identifier being different for batch ingestion and OIDC login ingest. Thanks for raising contribution here! @plain-lion-38626 when you ingest groups, did you ensure that ingest_users is also set to true? The batch connector should pull both into DataHub! Btw you can also create and manage groups within DataHub itself

Hi, the users are ingested but they don't keep the relationship with the group. The groups only imports the user count but not the users (or at least they are not shown when accessing the group). When you access a user you are able to see what groups they are part of but not the other way around. It would not be a problem but when we try to deploy a policy to a group the underlying users don't inherit the privileges.

Would you mind pasting your recipe config? I can take a deeper look today

hi

source:
  type: "azure-ad"
  config:
    client_id: "0000000-00000000-000000-00000-000000"
    tenant_id: "0000000-00000000-000000-00000-000000"
    client_secret: "000000000000000000"
    redirect: "<https://login.microsoftonline.com/common/oauth2/nativeclient>"
    authority: "<https://login.microsoftonline.com/0000000-00000000-000000-00000-000000>"
    token_url: "<https://login.microsoftonline.com/0000000-00000000-000000-00000-000000/oauth2/token>"
    graph_url: "<https://graph.microsoft.com/v1.0>"
    ingest_users: False
    ingest_groups: True
    ingest_group_membership: True
    ingest_groups_users: True
    azure_ad_response_to_username_attr: "userPrincipalName"
    azure_ad_response_to_username_regex: "(.*)"
    groups_pattern:
      allow:
        - "<name of group i'm importing>"
    users_pattern:
      allow:
        - ".*"

sink:
  type: "datahub-rest"
  config:
    server: "http://<ip_address>:8080"

@few-air-56117 @quaint-branch-37931 @big-carpet-38439 I'm late to the party, but I'm the original author of the Azure OIDC integration doc page and I will fix the

groups

in the scope. The reason it was there is because I never got the groups to work and it was on my to-do list to revisit this... and here I am! I thought it would work like Okta, so I just copied its doc page. I also want to update the Azure doc to explain how to configure the

groups

claim in the token configuration page, but before I do so, I want to make it work on my side to make the docs bulletproof. I have verified that the ID token returned by Azure contains the

groups

claim, so that's all good. But when I try to load DataHub, I get a

302 Bad Gateway

when the callback is called (see screenshot). I can't see any meaningful error in the frontend logs (both normal and debug logs). Have you guys seen this? Just to be clear, I am not using the Azure AD source to ingest users and groups, I'm simply trying to authenticate a user with the following settings:

- name: AUTH_JAAS_ENABLED
        value: "false"
      - name: AUTH_OIDC_SCOPE
        value: "openid profile email"
      - name: AUTH_OIDC_JIT_PROVISIONING_ENABLED
        value: "false"
      - name: AUTH_OIDC_PRE_PROVISIONING_REQUIRED
        value: "false"
      - name: AUTH_OIDC_EXTRACT_GROUPS_ENABLED
        value: "false"
        # Required Configuration Values for OIDC:
      - name: AUTH_OIDC_ENABLED
        value: "true"

My user already exist in DataHub, so no need to JIT provision it. How did you guys got this to work?