TeamCity plugin which supports authentication via Microsoft Azure Active Directory.
The plugin is compatible with TeamCity server 10.0+
Download the plugin and install it as an additional TeamCity plugin.
Register a new Azure Active Directory application for your TeamCity server with the following parameters:
Parameter | Value |
---|---|
Application type | Web |
Redirect URIs | %TEAMCITY_URL%/overview.html |
%TEAMCITY_URL%/aadAuth.html |
Note: Redirect URIs could be set in the application settings (Authentication\Web).
Add the 'Microsoft Azure Active Directory' HTTP authentication module to your authentication configuration.
Specify valid 'OAuth 2.0 authorization endpoint (v1)' and 'Application ID' retrieved from the Azure Portal.
Note: The OAuth 2.0 authorization endpoint URL could be retrieved from the Endpoints available on the App registrations page in the Azure portal. 'OAuth 2.0 authorization endpoint (v2)' is currently unsupported).
After that the 'Log in using Azure Active Directory' link will be available on the Login page.
After successful authentication browser will be redirected to '%TEAMCITY_URL%/overview.html' page by default. This prevents TeamCity from automatic switching to the new UI.
To fix that:
- In the application setting on Azure portal add a new endpoint:
%TEAMCITY_URL%/aadAuth.html
to Redirect URIs list - Specify the internal property
teamcity.aad.endpoint.type=dedicated
Property should be set after applying changes to Azure portal. No TeamCity server restart is requred.
Authentication fails with HTTP 403: Origin https://login.microsoftonline.com
To fix that, specify the internal property rest.cors.origins=https://login.microsoftonline.com
403 Forbidden: Responding with 403 status code due to failed CSRF check: request's "Origin" header value "null" does not match Host/X-Forwarded-Host header values or server's CORS-trusted hosts, consider adding "Origin: %TEAMCITY_URL%" header.
Modern browsers can set Origin: null
and Upgrade-Insecure-Requests
headers while replying from HTTPS Azure endpoint to the HTTP URL of the TeamCity server due to security reasons.
Possible solutions:
- Use HTTPS for TeamCity server and specify it in the Azure AD application settings
- For testing, you can specify the internal property
rest.cors.origins=null
(insecure, don't use it in production)
This plugin uses the OAuth 2.0 OpenID Connect authentication protocol and works as follows:
- receives the UID, e-mail, username of the AD user the from the specified Azure AD
- looks for an existing TeamCity user for the received UID; and if found, authenticates this TeamCity user
- if allowed by the scheme options, tries to find a TeamCity user using the given e-mail and marks it by UID
- if the user was found and user details synchronization is enabled, it will update the user data
- if the user is not found and user creation is allowed, a new TeamCity user is created; the e-mail is set as the username for the newly created TeamCity user.
This project uses gradle as the build system. You can easily open it in IntelliJ IDEA or Eclipse.
Issue the build
command from the root project to build your plugin. The resulting package will be placed in the distributions
directory.
Please follow IntelliJ Coding Guidelines.
Please submit your questions/bugs/feature requests in the issues.
Note: This is not a bundled plugin, please do not use the TeamCity official channels to provide feedback for this plugin.