SSO/AzureAD & require verified email
We have SSO working with Azure AD. We disable Require verified email, but new users still get the message dialog that they will need to click an email verification link. Users are still able to log in and use it without a verification email (e.g., disabling Require verified email does work properly).
- KajMagnus @KajMagnus 2020-12-01 07:43:36.545Z 2020-12-01 07:54:36.471Z
There's a field `trustVerifiedEmail` in the IDP JSON config, and if you set that to true, and the identity provider (Azure AD) sets the OIDC user-info field `email_verified` to true (maybe Azure doesn't?), then Talkyard will know that the email addresses it gets from Azure AD have been verified, and won't send any email addr verification email.

Possibly something more than this is needed — for example, if Azure AD won't set `email_verified: true`.

Maybe there could be a list of email domains with known verified email domains. So you can type `companyname.com`, which would tell Talkyard that all logins via that AzureAD and email `*@companyname.com` have been verified already.

I'm about to add OIDC auto tests now soon, and as part of that I can create an Azure AD tenant and try these things out.

You use Azure AD B2B right? (not B2C?)
- PJeff M @phoenix
The field trustVerifiedEmail is set to true. The email_verified is also set to true. It still sends a verification email & gives a dialog to check for it. Please note, the user can log in properly a second time. The user does not have to actually verify the email.
We are not sure of the validity of email_verified.
Appreciate you trying it out on Azure AD. Confirming we use Azure AD B2B.
- In reply to phoenix ⬆: KajMagnus @KajMagnus 2020-12-07 05:01:03.608Z
Update: I'm adding a new Identity Provider setting: `emailVerifiedDomains`, which one can set to one's company's email domain(s), for example: `@companyname.com` — then, Talkyard will know that [email addresses ending with `@companyname.com`] have been verified, and will skip verifying such addrs.

Apparently Azure AD doesn't include the `email_verified: true/false` OIDC claim, so that's why Talkyard doesn't know if an email addr has been verified or not, and wanted to verify the addr itself. Azure has another OIDC claim instead, `verified_primary_email`, but oddly enough, looking at the Azure docs, it's unclear to me if it has always been verified or maybe sometimes not.

Other software apparently has the same "problem" with Azure: e.g. Auth0: https://auth0.com/docs/connections/azuread-adfs-email-verification — they've added an Email Verification setting that sets `email_verified` to always true, or always false. Which I wonder if that's a bit risky — what if some time collaborators are invited from "outside", and they appear in the AD, and some of them haven't had their email addresses verified. So a list of email-verified domains (like, one's own company's domain) seems safer to me. Possibly `**` to allow anything.

And a company called Quilk writes: (here) "Microsoft Azure AD OIDC configurations do not send standard OIDC claims like `email_verified`"
- In reply to phoenix ⬆: KajMagnus @KajMagnus 2020-12-15 16:16:02.272Z
@phoenix Now there's a new OIDC JSON configuration field: `"emailVerifiedDomains": "yourcompany.com"` and it'll make Talkyard assume emails like `...@yourcompany.com` have been verified, e.g. only the employees (or contractors) working for the company, get such an email address.

(This field: `trustVerifiedEmail` needs to be true too.)

Your server should have auto upgraded last night to version `v0.2020.32` (you can check here: `https:// server addr /-/build-info`).
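The decision the two KajMagnus posts above describe (trust the `email_verified` claim only when `trustVerifiedEmail` is on, and otherwise fall back to an `emailVerifiedDomains` allow-list because Azure AD omits the claim) can be written out as a small policy function. This is an added illustration, not Talkyard's own code: the field names come from the thread, but the parsing rules (comma-separated domains, optional leading `@`, exact case-insensitive domain match, `**` meaning any domain, and only a boolean `true` claim counting as verified) are my assumptions.

```python
"""Illustrative OIDC email-trust policy (added example, not Talkyard's code).

Inputs modelled from the forum thread:
  - trustVerifiedEmail  : IdP config flag; when false we never skip our own check
  - email_verified      : optional OIDC claim; Azure AD does not send it
  - emailVerifiedDomains: domains whose addresses the operator vouches for
Parsing/matching rules below are assumptions, not Talkyard's documented behaviour.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class IdpConfig:
    trust_verified_email: bool = False
    # Assumed comma-separated, e.g. "yourcompany.com, @partner.example" or "**".
    email_verified_domains: str = ""


def parse_verified_domains(spec: str) -> List[str]:
    """Normalise the allow-list: trim, lower-case, drop a leading '@'."""
    domains = []
    for raw in spec.split(","):
        d = raw.strip().lower()
        if d.startswith("@"):
            d = d[1:]
        if d:
            domains.append(d)
    return domains


def email_domain(email: str) -> Optional[str]:
    """Return the lower-cased domain part, or None for anything malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower()


def is_email_verified(cfg: IdpConfig, email: str, claims: Dict[str, object]) -> bool:
    """True only when policy allows skipping our own verification email.

    Order of checks:
      1. trustVerifiedEmail off  -> always verify ourselves (fail closed).
      2. malformed address       -> never trusted.
      3. domain allow-list       -> operator vouches for the whole domain.
      4. email_verified claim    -> must be the JSON boolean true; an absent
                                    claim (Azure AD's case) counts as unverified.
    """
    if not cfg.trust_verified_email:
        return False
    domain = email_domain(email)
    if domain is None:
        return False
    allowed = parse_verified_domains(cfg.email_verified_domains)
    if "**" in allowed or domain in allowed:
        return True
    return claims.get("email_verified") is True


def demo() -> Dict[str, bool]:
    """Constructed scenarios mirroring the thread; returns name -> decision."""
    company = IdpConfig(trust_verified_email=True,
                        email_verified_domains="yourcompany.com")
    untrusting = IdpConfig(trust_verified_email=False,
                           email_verified_domains="yourcompany.com")
    azure_claims: Dict[str, object] = {}           # Azure AD: no email_verified
    standard_claims: Dict[str, object] = {"email_verified": True}
    string_claims: Dict[str, object] = {"email_verified": "true"}
    return {
        "employee_no_claim": is_email_verified(company, "Alice@YourCompany.COM", azure_claims),
        "guest_no_claim": is_email_verified(company, "bob@partner.example", azure_claims),
        "guest_with_claim": is_email_verified(company, "bob@partner.example", standard_claims),
        "guest_string_claim": is_email_verified(company, "bob@partner.example", string_claims),
        "flag_off": is_email_verified(untrusting, "alice@yourcompany.com", standard_claims),
        "malformed": is_email_verified(company, "no-at-sign", standard_claims),
        "wildcard": is_email_verified(
            IdpConfig(True, "**"), "anyone@anywhere.example", azure_claims),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:20s} -> {'skip verification' if decision else 'send verification email'}")
```

The fail-closed ordering is the point: with `trustVerifiedEmail` off nothing else matters, and a missing claim is treated exactly like `false`, so an IdP that simply omits `email_verified` never causes an address to be accepted without either the operator's domain allow-list or a real `true` claim.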