Entra SSO User Group Not getting Admin Roles
I just migrated to 1.43 and SSO is working to login. The user group in Homarr has the same name as the Group in Entra. The group in Homarr is set to be an administrator. But my user, which is a member of the Entra group, cannot see any of the admin functions.
Running in Docker on Synology DSM 7.1
Homarr Version 1.43.0
Current env variables are as follows
AUTH_PROVIDERS=oidc,credentials
AUTH_OIDC_AUTO_LOGIN=false
AUTH_OIDC_ISSUER=https://login.microsoftonline.com/tenant-id/v2.0
AUTH_OIDC_CLIENT_SECRET=secret
AUTH_OIDC_CLIENT_ID=id
AUTH_OIDC_CLIENT_NAME=Azure
AUTH_OIDC_SCOPE_OVERWRITE=openid email profile
AUTH_OIDC_GROUPS_ATTRIBUTE=roles
AUTH_OIDC_ADMIN_GROUP=guid
AUTH_OIDC_OWNER_GROUP=guid
Solution:Jump to solution
I managed to get this working after rebuilding the container and skipping the migration. Then removing the credentials from the Auth Providers so only SSO is allowed. FInally settingt he Group name in Homarr to the group UUID from azure. After that I am now getting the correct permissions from the group.
5 Replies
Thank you for submitting a support request.
Depending on the volume of requests, our team should get in contact with you shortly.
⚠️ Please include the following details in your post or we may reject your request without further comment: - Log (See https://homarr.dev/docs/community/faq#how-do-i-open-the-console--log) - Operating system (Unraid, TrueNAS, Ubuntu, ...) - Exact Homarr version (eg. 0.15.0, not latest) - Configuration (eg. docker-compose, screenshot or similar. Use ``your-text`` to format) - Other relevant information (eg. your devices, your browser, ...)
Frequently Asked Questions | Homarr documentation
Can I install Homarr on a Raspberry Pi?
1. You can remove the two env variables for admin and owner
2. Do you have a group in homarr called guid? If not, this is missing
3. Do you have a app registration role or just a group in entra? If you have a role everything is fine, if you have a group, you'll need to remove the group overwrite and use the uuid of the group or create a role for the app registration
Sorry, guid was just a placeholder for the purpose of this post. The group name is homarr-admin, and it exists in both places.
For the app registration role, are there any guidelines or recommendations for how that role should be configured for use with homarr?
No there is no specific recommendation. So you have a group or role in entra?
Solution
I managed to get this working after rebuilding the container and skipping the migration. Then removing the credentials from the Auth Providers so only SSO is allowed. FInally settingt he Group name in Homarr to the group UUID from azure. After that I am now getting the correct permissions from the group.