MSAL

Auth - MSAL supports Microsoft's Shared Device Mode. This connection supports brokered authentication via Microsoft Authenticator as well as browser-based authentication.

Field (type): Description

client_id (string): The client ID used to register this application in Azure AD.

authorization_user_agent (string): Set to "DEFAULT".

redirect_uri (string): The configured redirect callback URI for this application. For the MSAL library, the redirect must use the application ID and its signature. Use "msauth://com.bluefletch.ems.auth/KUKEusfKtqAOu9UB6jgjtTMKYas%3D".

authority_type (string): Set to "AAD" for Azure AD.

authority_url (string): The directory from which MSAL can request tokens. Typically set to "https://login.microsoftonline.com/<audience_tenant_id>", where <audience_tenant_id> is the Azure Tenant ID.

logout_url (string): Set to "https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri=https%3A%2F%2Fwww.office.com%2F%3Fref%3Dlogout", which also logs the user out of Office 365.

limit_to_launcher_groups (boolean): If set to true, only the groups identified in group_inclusion and in the layouts of the launcher configuration file are passed into the session.

scopes (string): OIDC scope values required by the identity provider. For MSAL, the value should be "openid email profile User.Read GroupMember.Read.All".

audience_tenant_id (string): Set to the Azure Tenant ID. Replaces tenant_id starting in Auth version 4.5.9.

shared_device_mode_supported (boolean): Set to true if the Microsoft Authenticator application is used in Shared Device Mode on the device. Default is false.

broker_redirect_uri_registered (boolean): If true, brokered authentication is applied; the Auth module validates the redirect URI and returns an exception if it is not formatted to communicate with the broker. Set to true if the Microsoft Authenticator application is used in Shared Device Mode on the device. Default is false.

limit_groups_to_direct_membership (boolean): If set to true, only direct group membership information is returned from Azure. If false, all inherited/related group information (identified as transitiveMemberOf in Azure) is returned. Default is false. Introduced in Auth version 4.7.8.

ignoreAccountChangeBroadcast (boolean): If set to true, Auth ignores the account-change broadcast coming from the shared device broker, which prevents Launcher from performing a force logout when a user signs out from MS Edge or another Microsoft application. Default is false, which is the Microsoft recommended setting. Introduced in Auth version 4.8.31.

audience_type (string): If set, overrides the default audience type of "AzureADMyOrg".

default_group (string): If set, the default group assigned to a logged-in user.

account_mode (string): If set, overrides the default account mode of "SINGLE".

idpPasswordChangePolicyDays (string): The number of days, set in the IdP, after which the password must be changed.

idpPasswordChangeReminderDays (string): The number of days before password expiration at which to start notifying users of the upcoming expiration.

Auth4 Example:

...
"auth_msal" : {
    "client_id": "<client_id during registration>",
    "authorization_user_agent" : "DEFAULT",
    "redirect_uri": "msauth://com.bluefletch.ems.auth/KUKEusfKtqAOu9UB6jgjtTMKYas%3D",
    "authority_type": "AAD",
    "authority_url": "https://login.microsoftonline.com/<audience_tenant_id>",
    "audience_tenant_id" : "<audience_tenant_id>",
    "logout_url": "https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri=https%3A%2F%2Fwww.office.com%2F%3Fref%3Dlogout",
    "limit_to_launcher_groups": true,
    "scopes": "openid email profile User.Read GroupMember.Read.All",
    "shared_device_mode_supported": true,
    "broker_redirect_uri_registered": true,
    "limit_groups_to_direct_membership": true
}
...
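A pre-deployment check for the block above, written here as an added example rather than BlueFletch code: it tests the constraints the field table states (msauth:// redirect with package and signature, authority_url tenant matching audience_tenant_id, required scopes, and broker_redirect_uri_registered set whenever Shared Device Mode is enabled). The client and tenant IDs in the sample are constructed placeholders.

```python
"""Sanity-check an Auth4 "auth_msal" block before pushing it to devices.
Added example, not BlueFletch code; it checks the constraints stated in the
field table above (redirect format, tenant match, scopes, broker flags)."""
import re
from urllib.parse import urlparse

REQUIRED_SCOPES = {"openid", "email", "profile", "User.Read", "GroupMember.Read.All"}
AAD_HOST = "login.microsoftonline.com"
# msauth://<android package>/<URL-encoded base64 signature hash>
REDIRECT_RE = re.compile(r"^msauth://[A-Za-z0-9_.]+/[A-Za-z0-9+/%_-]+$")


def check_auth_msal(cfg: dict) -> list:
    """Return a list of problems found; an empty list means the block passes."""
    problems = []
    for key in ("client_id", "redirect_uri", "authority_url", "audience_tenant_id", "scopes"):
        if not cfg.get(key):
            problems.append(f"{key} is missing")
    if cfg.get("authority_type") != "AAD":
        problems.append('authority_type must be "AAD"')
    redirect = cfg.get("redirect_uri", "")
    if redirect and not REDIRECT_RE.match(redirect):
        problems.append("redirect_uri must be msauth://<package>/<signature>")
    authority = urlparse(cfg.get("authority_url", ""))
    tenant = cfg.get("audience_tenant_id", "")
    if authority.scheme != "https" or authority.netloc != AAD_HOST:
        problems.append(f"authority_url must be https://{AAD_HOST}/<tenant>")
    elif tenant and authority.path.strip("/") != tenant:
        problems.append("authority_url tenant does not match audience_tenant_id")
    missing = REQUIRED_SCOPES - set(cfg.get("scopes", "").split())
    if missing:
        problems.append("scopes missing: " + " ".join(sorted(missing)))
    # Shared Device Mode goes through the broker, so the redirect must be broker-registered.
    if cfg.get("shared_device_mode_supported") and not cfg.get("broker_redirect_uri_registered"):
        problems.append("shared_device_mode_supported requires broker_redirect_uri_registered: true")
    return problems


# Constructed sample: the page's example with placeholder client and tenant IDs.
GOOD = {
    "client_id": "11111111-2222-3333-4444-555555555555",
    "redirect_uri": "msauth://com.bluefletch.ems.auth/KUKEusfKtqAOu9UB6jgjtTMKYas%3D",
    "authority_type": "AAD",
    "authority_url": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000",
    "audience_tenant_id": "00000000-0000-0000-0000-000000000000",
    "scopes": "openid email profile User.Read GroupMember.Read.All",
    "shared_device_mode_supported": True,
    "broker_redirect_uri_registered": True,
}
```

Run check_auth_msal on the parsed "auth_msal" object; any non-empty result means the configuration should not ship to devices.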

For more information on configuring, see the AppAuth/OIDC IdP section.
