Hi all,
I moved our Open OnDemand install to use Entra over the weekend, and that’s where I noticed some behavior I did not expect. For reference, this is my auth section in ood_portal.yml:
auth:
  - "SSLRequireSSL"
  - "SSLOptions +StdEnvVars"
  - 'AuthType openid-connect'
  - 'Require claim groups:SOME_GROUP_IN_AD'
  - "AllowOverride AuthConfig Limit"
  - "Order allow,deny"
  - "Allow from all"
Our Require line is supposed to limit who can log in and follows the advice at Microsoft Entra ID (Azure AD) · OpenIDC/mod_auth_openidc Wiki · GitHub. I found out that the Require line was copied into all the locations of the Apache configuration file. This is expected from the template.
However, with this Require line, the OnDemand dashboard would not display; I got an error message about user authorisation. It only displayed once I replaced the Require line in the pun location with valid-user:
<Location "/pun">
  SSLRequireSSL
  SSLOptions +StdEnvVars
  AuthType openid-connect
  Require valid-user
  AllowOverride AuthConfig Limit
  Order allow,deny
  Allow from all
</Location>
I had to make the same change to the Require lines for the node and rnode for applications to be able to forward me normally from a node.
We are currently still on OnDemand 3.1.10.
Is it a bug in this version? Should it just work or should the template be adjusted?
Cheers,
François
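
One way to see which Location blocks of the generated Apache config still carry the group claim and which now accept any authenticated user, as an added example that is not part of the original post. The config text is a constructed sample (the "/nginx" block and the function names are assumptions), not the poster's real file.

```python
import re

# Constructed sample modelled on the post: /pun and /node relaxed by hand,
# one other block (assumed here to be "/nginx") still carrying the group claim.
SAMPLE_CONF = """\
<Location "/pun">
  AuthType openid-connect
  Require valid-user
</Location>
<Location "/node">
  AuthType openid-connect
  Require valid-user
</Location>
<Location "/nginx">
  AuthType openid-connect
  Require claim groups:SOME_GROUP_IN_AD
</Location>
"""

OPEN = re.compile(r'^\s*<(Location|LocationMatch)\s+"?([^">]+)"?\s*>', re.I)
CLOSE = re.compile(r'^\s*</(Location|LocationMatch)\s*>', re.I)
REQUIRE = re.compile(r'^\s*Require\s+(.+?)\s*$', re.I)

def require_by_location(conf_text):
    """Map each Location path to the list of Require arguments inside it."""
    result, current = {}, None
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):   # skip commented-out directives
            continue
        m = OPEN.match(line)
        if m:
            current = m.group(2)
            result.setdefault(current, [])
        elif CLOSE.match(line):
            current = None
        elif current is not None:
            r = REQUIRE.match(line)
            if r:
                result[current].append(r.group(1))
    return result

def relaxed_locations(conf_text):
    """Locations that accept any authenticated user and have no claim check."""
    by_loc = require_by_location(conf_text)
    return sorted(p for p, reqs in by_loc.items()
                  if any(r.lower() == "valid-user" for r in reqs)
                  and not any(r.lower().startswith("claim ") for r in reqs))

print(relaxed_locations(SAMPLE_CONF))
```

Running the same functions over the real generated file after each regeneration shows whether a hand edit was overwritten or whether a location was left on valid-user.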