By: Naveen Kumar Gopi user 13 Nov 2018 at 8:53 a.m. CST

8 Responses
Hi, We are looking to find a way to integrate Gluu with Azure Active Directory. Expected Scenario:
1) All user records will be present in Azure Active Directory.
2) A client relying party application sends an authentication request to Gluu Authorization Endpoint.
3) Once Gluu receives the authentication request, we need a way to validate the user credentials against Azure Active Directory (instead of validating the user credentials against Gluu's OpenLDAP or OpenDJ).
4) Once the user validation is successful in Azure AD, we need to have a valid user session created in Gluu IDP and Gluu can then redirect the browser to the relying party app along with the user assertion tokens (authCode, id_token etc.).
Please let us know if there is any way to make Gluu use Azure AD for user identity. Also, we would like to know if there is any option to sync the user information from Azure AD cloud to Gluu's LDAP. Thanks, Naveen

By Aliaksandr Samuseu staff 13 Nov 2018 at 1:03 p.m. CST

Hi, Naveen. If your Azure AD instance has LDAP interface, and if this interface can be accessed by your Gluu Server instance, the described scenario is achievable. Usernames your users will submit at Gluu's login page will be used to look up a corresponding user entry in AD, and then passwords will be verified with LDAP Bind operation. Please check [this doc](https://gluu.org/docs/ce/3.1.4/user-management/ldap-sync/) for more details.

By Naveen Kumar Gopi user 14 Nov 2018 at 7:56 a.m. CST

Thank you for the response. We will explore the option of getting the LDAP protocol support for our Azure AD instance and we will try out the Gluu cache refresh option to sync the Azure AD users. Meanwhile, we also want to explore other possible options as well (apart from the LDAP sync option). We have the following scenario in mind and we would like to know if it is technically achievable (point 4) from a Gluu Custom script perspective.
1) Assumption: The Azure AD users are not synced with Gluu LDAP.
2) Once Gluu gets the login request, the user inputs the credentials in the Gluu login page and it's sent to the custom script.
3) From the custom Jython script, we validate the user credentials with Azure AD via Azure's REST API (Password grant flow).
4) If we get a success response from Azure AD, we need to create a user session in Gluu from the custom script. Since there won't be a matching user record in Gluu LDAP, is it possible for us to manually create a user session in Gluu from the Custom Script?

By Aliaksandr Samuseu staff 14 Nov 2018 at 11:54 a.m. CST

Hi, Naveen. The scenario you describe is surely possible, assuming you are ready to implement step 3) yourself. There is a caveat, though: Gluu Server expects that for each user who tries to log in at it there is a locally stored user entry in LDAP. In the scenario with Cache Refresh it will create those for you. If you can't pull users from AD into Gluu via LDAP, then you'll have to implement user auto-enrolment in your custom script. The easiest way to achieve what you need would be by taking the Jython script called "Basic" (it's a script which effectively duplicates the LDAP bind authentication flow) and rewriting the part which deals with credential verification by adding code which calls the required APIs. Then, you would need to also add code which deals with auto-enrolment. We actually have a few scripts which do auto-enrolment, so you could research them and borrow the code you need. In other words, it's quite possible, assuming you are ready to invest some time into coding your solution, and you have somebody on your team with the required coding skills. Please also note that we usually don't assist with complex tasks like this within the scope of Community Support, so you'll be mostly on your own, unless you plan to purchase a support contract from Gluu any time soon.
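Added example, not code from this thread or from Gluu's script library: the credential-verification (step 3) and auto-enrolment (step 4) logic the two posts above describe, written as plain Python so it runs without a Gluu Server. The v2.0 token endpoint, the `preferred_username` claim and the `invalid_grant` error are Azure AD's; the function names, the claim-to-attribute mapping, and the `sample_transport` responses are constructed assumptions, and a real custom script would replace the `local_users` dictionary with the server's own user-creation call.

```python
import base64, json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_URL = "https://login.microsoftonline.com/%s/oauth2/v2.0/token"

def ropc_form(client_id, username, password, scope="openid profile email"):
    # ROPC grant: the one flow a login form can drive. It cannot satisfy MFA or conditional access.
    return {"grant_type": "password", "client_id": client_id, "scope": scope,
            "username": username, "password": password}

def post_form(url, form):
    # Azure reports OAuth errors as JSON with a 4xx status, so keep the body on HTTPError too.
    req = Request(url, data=urlencode(form).encode(), method="POST")
    try:
        with urlopen(req) as resp:
            return resp.status, json.loads(resp.read().decode())
    except HTTPError as err:
        return err.code, json.loads(err.read().decode())

def jwt_claims(id_token):
    # Payload only: it came straight from the token endpoint over TLS, so no signature check here.
    payload = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def authenticate(username, password, local_users, tenant, client_id, transport=post_form):
    # Steps 3 and 4 of the thread; returns ("ok"|"enrolled", entry) or ("denied"|"error", reason).
    status, body = transport(TOKEN_URL % tenant, ropc_form(client_id, username, password))
    if status != 200 or "id_token" not in body:
        if body.get("error") == "invalid_grant":
            return "denied", "bad credentials"
        return "error", body.get("error", "http %d" % status)
    claims = jwt_claims(body["id_token"])
    # Key the local entry on the identity Azure asserts (UPN), not on what was typed in the form.
    key = claims["preferred_username"].lower()
    if key not in local_users:
        # Local entry Gluu expects before it opens a session (inetOrgPerson names; mapping is an assumption).
        local_users[key] = {"uid": key, "mail": claims.get("email", key),
                            "givenName": claims.get("given_name", ""), "sn": claims.get("family_name", "")}
        return "enrolled", local_users[key]
    return "ok", local_users[key]

def sample_transport(url, form):
    # Constructed stand-in for Azure AD so the example runs offline; not a real response.
    if form["password"] != "correct horse":
        return 400, {"error": "invalid_grant"}
    claims = {"preferred_username": form["username"], "given_name": "Ada", "family_name": "Lovelace"}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode().rstrip("=")
    return 200, {"id_token": "eyJhbGciOiJSUzI1NiJ9.%s.sig" % payload}
```

The failure reasons deliberately distinguish a rejected password from an upstream outage, so an Azure AD incident is not logged as a wave of bad logins.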

By Naveen Kumar Gopi user 15 Nov 2018 at 12:55 a.m. CST

Hi, Aliaksandr. Thank you for sharing the helpful information. We will explore the user auto-enrollment scripts and we will try to develop a custom script to achieve this scenario.

By Naveen Kumar Gopi user 23 Nov 2018 at 8:46 a.m. CST

Update: I was able to implement the custom Jython script solution to achieve Azure AD based authentication in Gluu (with users from Azure AD auto-enrolled into Gluu LDAP). Thanks again for your support!

By Aliaksandr Samuseu staff 23 Nov 2018 at 8:56 a.m. CST

Hi, Naveen. Glad to hear, hope your experience with Gluu products has been satisfactory so far. Also, feel free to share your script with the rest of community if your company's policies allow that. We could add it to our public custom script library, with your permission.

By Naveen Kumar Gopi user 26 Nov 2018 at 10:28 a.m. CST

Hi, Aliaksandr. Happy to share the script with the Gluu community. I have created the pull request below to add this "AzureADAuthenticationForGluu.py" script to Gluu's public custom script library. https://github.com/GluuFederation/oxAuth/pull/953 Please review and do let me know if any additional information is required from my end. Thanks, Naveen

By Aliaksandr Samuseu staff 27 Nov 2018 at 10:18 a.m. CST

Hi, Naveen. Thank you for helping to make Gluu Server better for everyone, we really appreciate your contribution to the project. We'll review your request and then add the script to our library (with all due authorship references, of course).