magedevgroup/module-admin-sso-azure
Composer 安装命令:
composer require magedevgroup/module-admin-sso-azure
包简介
Microsoft Entra ID (Azure AD) provider plugin for Magento 2 admin SSO — supplies the Entra OIDC preset (discovery, groups claim, branding) for the provider-agnostic admin-sso capability. Installs admin-sso (and sso-core) automatically.
README 文档
README
Microsoft Entra ID (Azure AD) login for the Magento 2 admin panel.
A thin Microsoft Entra ID provider plugin for the provider-agnostic admin-sso capability. It supplies the Entra OIDC preset — discovery from your tenant, scopes, groups claim, login-button branding — while all OIDC protocol lives in sso-core and all admin logic in admin-sso. Installing it pulls admin-sso and sso-core automatically.
Installation
composer require magedevgroup/module-admin-sso-azure bin/magento module:enable MageDevGroup_SsoCore MageDevGroup_AdminSso MageDevGroup_AdminSsoAzure bin/magento setup:upgrade
Register the Entra app
In the Azure portal → Microsoft Entra ID → App registrations → New registration:
- Supported account types — Accounts in this organizational directory only (single tenant). Multi-tenant admin login is not supported (see Tenant below).
- Redirect URI — platform Web, value = the
admin-ssocallback:https://<admin-host>/<admin-path>/adminsso/sso/callback(<admin-path>is the backend frontName, defaultadmin). It must match the admin URL used at runtime exactly. - Register, then copy the Application (client) ID and the Directory (tenant) ID.
- Certificates & secrets → New client secret — copy the secret value.
- Groups claim — for IdP-group → ACL-role mapping, Token configuration → Add groups claim, and emit it on the ID token. Without this Entra sends no groups and role mapping falls back to the default role.
Configuration
Admin → Stores → Configuration → MageDevGroup → Admin SSO.
General (magedevgroup_admin_sso/general/*):
| Field | Value |
|---|---|
| Enable Admin SSO | Yes |
| Identity Provider | Microsoft Entra ID |
| Client ID | Application (client) ID from the Entra app |
| Client Secret | client secret value from the Entra app |
Microsoft Entra ID (magedevgroup_admin_sso/azure/*, shown when Entra is selected):
| Field | Value |
|---|---|
| Tenant | Directory (tenant) GUID or a verified domain of your directory (single-tenant only) |
The discovery URL is derived from the tenant:
https://login.microsoftonline.com/<tenant>/v2.0/.well-known/openid-configuration.
Admin SSO is single-tenant only — the multi-tenant meta values common/organizations
advertise a templated {tenantid} issuer that never matches a real token, so they are
rejected.
Group → role mapping and enforce-SSO/break-glass are configured in admin-sso; see
that module's README.
Group overage limitation
Entra omits the groups claim when a user belongs to more than ~200 groups, sending
a _claim_names/_claim_sources overage reference to Microsoft Graph instead. v1
reads the groups claim directly, so such users get no group-based roles and fall
back to the default role. A Graph fallback is a future task. Keep affected admins
under the overage limit, or scope the groups claim (Token configuration) to the
groups assigned to the application.
Requirements
- Magento 2.4.x
- PHP 8.3 – 8.5
Part of the MageDevGroup identity suite
| Repo | Role |
|---|---|
sso-core |
Shared OIDC engine (installed automatically) |
admin-sso · admin-sso-<idp> |
Admin-panel SSO login |
customer-sso · customer-sso-<idp> |
Storefront SSO login |
admin-scim · admin-scim-<idp> |
Admin-user provisioning (SCIM 2.0) |
License
OSL-3.0 © MageDevGroup. Commercial licensing and support: https://magedevgroup.com.
统计信息
- 总下载量: 0
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 0
- 点击次数: 1
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: OSL-3.0
- 更新时间: 2026-07-09