No internet connection
  1. Home
  2. Issues

SSO/AzureAD & require verified email

By Jeff M @phoenix
    2020-11-30 22:45:59.777Z

    We have SSO working with Azure AD. We disable Require verified email, but new users still get the message dialog that they will need to click an email verification link. Users are still able to login and use without a verification email (e.g., disabling Required verified email does work properly).

    • 4 replies
    1. KajMagnus @KajMagnus2020-12-01 07:43:36.545Z2020-12-01 07:54:36.471Z

      There's a field trustVerifiedEmail in the IDP JSON config, and if you set that to true, and the identity provider (Azure AD) sets the OIDC user-info field email_verified to true (maybe Azure doesn't?),
      then Talkyard will know that the email addresses it gets from Azure AD has been verified, and won't send any email addr verification email.

      Possibly something more than this is needed — for example, if Azure AD won't set email_verified: true.
      Maybe there could be a list of email domains with known verified email domains.
      So you can type, which would tell Talkyard that all logins via that AzureAD and email * have been verified already.

      I'm about to add OIDC auto tests now soon, and as part of that I can create an Azure AD tenant and try these things out.

      You use Azure AD B2B right? (not B2C?)

      1. PJeff M @phoenix
          2020-12-01 15:05:25.318Z

          The field trustVerifiedEmail is set to true. The email_verified is also set to true. It still sends a verification email & gives a dialog to check for it. Please note, the user can log in properly a second time. The user does not have to actually verify the email.

          We are not sure of the validity of email_verified.

          Appreciate you trying it out on Azure AD. Confirming we use Azure AD B2B.

        • In reply tophoenix:

          Update: I'm adding a new Identity Provider setting: emailVerifiedDomains, which one can set to one's company's email domain(s), for example: — then, Talkyard will know that [email addresses ending with] have been verified, and will skip verifying such addrs.

          Apparently Azure AD doesn't include the email_verified: true/false OIDC claim, so that's why Talkyard doesn't know if an email addr has been verified or not, and wanted to verify the addr itself. Azure has another OIDC claim instead, verified_primary_email but oddly enough, looking at the Azure docs, it's unclear to me if it has always been verified or maybe sometimes not.

          Other software apparently have the same "problem" with Azure:
          e.g. Auth0: — they've added a Email Verification setting that sets email_verified to always true, or always false. Which I wonder if that's a bit risky — what if some time collaborators are invited from "outside", and they appear in the AD, and some of them haven't had their email addresses verified. So a list of email-verified domains (like, one's own company's domain) seems safer to me. Possibly ** to allow anything.

          And a company called Quilk writes: (here)

          Microsoft Azure AD OIDC configurations do not send standard OIDC claims like email_verified

          1. In reply tophoenix:

            @phoenix Now there's a new OIDC JSON configuration field: "emailVerifiedDomains": ""
            and it'll make Talkyard assume emails like have been verified,
            e.g. only the employees (or contractors) working for the company, get such an email address.

            (This field: trustVerifiedEmail needs to be true too.)

            Your server should have auto upgraded last night to version v0.2020.32 (you can check here: https:// server addr /-/build-info).

            1. Progress
              with handling this problem
            2. @KajMagnus marked this topic as Started 2020-12-07 05:03:56.002Z.