Dependency Track with Azure AD OpenID Connect

Leandro B.
19 min read · Dec 21, 2021

In this article, I will cover how you can implement Azure AD OpenID Connect on your Dependency Track solution to handle identity and authorization.

Our Roadmap:

So, to begin, we will first set up our Azure AD. We will create the users, create security groups, register the necessary applications, assign those applications a redirect URL and the essential information for the tokens.

We will then create our Dependency Track Database and set up our Azure Web App Containers.

We will create and configure two containers, one for the Dependency Track API and another for the Dependency Track FrontEnd.

To finish this article, we will configure the Dependency Track Solution to automatically give our Azure AD users permissions based on their groups!

Before we begin…

I have another article in which I talk more in-depth about Dependency Track, how you can set it up, and how you can implement it in your Azure DevOps Pipelines and export your BOM report file into Dependency Track to be analysed.
In case you are interested, you can give it a look: https://medium.com/devroot/deploying-dependency-track-as-a-container-in-azure-and-building-a-pipeline-with-azure-devops-ab1627961114

…So, let’s finally begin!

Azure AD Set up

Before going to all the YAML files and whatnot, let’s start with the essential part of this process: the identity and access management service that will handle our authentication and authorization.

Go to Azure -> Create a Resource, search for Active Directory and click Create.

On the next page choose your tenant type; for this tutorial we will go with Azure AD.

Creating Azure AD — Step 1

After choosing the Tenant Type, go to the Configuration Section and select an Organization name, Initial domain name and Country/Region.

Creating Azure AD — Step 2

Go to Review + Create and click Create. It will take a little bit to create the Azure AD.

Creating Azure AD — Step 3

After creating the new tenant, navigate to it by clicking on the link provided at the end of the creation process.

After that, you’ll be met with this screen which is your Azure AD tenant.

On the left pane, click App registrations.

Click New registration.

Azure AD — Step 2

After that, we will be presented with a screen to create our App Registration.
Choose the Name; for the Account Type you can leave the default value; and in Redirect URI, change the platform to SPA (Single-Page Application) and leave the URI blank.

We’ll get back to the Redirect URI when we set up our Web Apps, so don’t worry!

After everything is nice and steady, click Register.

Azure AD — Step 3

After the Registration of our Application, we should be presented with the following User Interface:

apidt User Interface

On this interface, you’ll need to save the value of your Application (client) ID to a notepad, and you’ll also need to do it for your Directory (tenant) ID. We’ll need to use these values for our YAML files to set up our containers.

Now that we have all the information that we need, go back to the Active Directory main menu.

We will now create a Security Group for our users to be in. This Security Group will then be used by Dependency Track. We will make the Group in our Active Directory, assign the desired Group to the User and then later in the article, we will configure this Group to work in Dependency Track.

So, to create the Security Group, click on the Groups option. It’s on the left pane underneath the Manage section. Let’s begin creating a Security Group in our Active Directory.

Select the New Group option.

Let the default value of the Group Type be “Security”, type your Group Name and a Description for the group.
Keep in mind that we are creating a Security Group for the Users that will Administer Dependency Track. You can create as many Security Groups as you want with different tasks to manage your Dependency Track Application.

I will leave the Owners and Members empty, as I don’t have any Users to add yet, and I don’t mind having this group without an owner.
If you already have users you wish to add to this group, you can add them.

After you fill everything, click on the Create button to create the Security Group.

Wait a little bit for the group to be created, and once it is made, get the Object Id of it and save it on a notepad for future use.

So, with the Security Group created, let’s jump to the User Creation.
Go back to the Organization Main menu.

Click on the Users option. It’s on the left pane underneath the Manage section. Let’s begin adding a user to our Active Directory.

Keep in mind that this part is only if you created a brand new Azure AD Tenant or don’t have any Test Users. If you already own one with some Test Users, you can use them and skip this part.

You’ll be met with a User Interface that will show all the users of your Azure AD.
Click on the New User button.

Choose a Username, which will be the email you will use to sign in.

Choose a Name, First name and Last name.

You can either auto-generate the password or create a password. For this example, I will use an auto-generated password. Anyway, make sure that you don’t forget it, you’ll need it.

If you scroll a little bit down, you’ll see the Groups and roles tab; click on the blue text that says 0 groups selected.

You’ll be presented with the groups that you have in your Azure AD.
Just choose the Security Group you created previously for the Dependency Track Administrative Users. For this example, it will be DTAdmin.

It should tell you that you have 1 group selected in the Groups and roles tab.
If so, you can just click on the Create option.

So, we are basically done with the Azure AD set up. We will need to come back to set the Redirect URL (remember, it’s not yet set), but we’ll get that done in the next chapter of this article, which is making the Container Web Apps for Dependency Track.

From this point on, you should have this information by your side:
- Application (client) ID
- Directory (tenant) ID

Those 2 IDs should have been noted when you registered your Application in your Azure AD. Keep in mind that these values ARE MANDATORY AND CRUCIAL to have.

You should also have:
- A Security Group created
- The Object Id of the Security Group
- One or more Users created and associated to the Security Group that you created
- Username and Password to log in with the created Users

If you have all this, you are good to continue to the next chapter. If not, please go back and try to gather all that information. ANYWAAAAAAAAAAAAAAAY, to the next chapter we’ll go!

Azure Container for Web App set up

In this article, we will be creating two web applications.
The first one will be the API, and the second one will be the Frontend for Dependency Track. We will also need to create a database for our API to have all the necessary data for Dependency Track to work.

If you worked with older versions of Dependency Track, you might remember that they didn’t have this separation of concerns where the Backend was decoupled from the Frontend.

Anyway, we will need to have some configurations for our containers to run Dependency Track smoothly.

Container Requirements (API Server)

Minimum:
4.5GB RAM
2 CPU cores

Recommended:
16GB RAM
4 CPU cores

Container Requirements (Front End)

Minimum:
512MB RAM
1 CPU core

Recommended:
1GB RAM
2 CPU cores

For the Database in this article, I’ll go with SQL Server on Azure with 20GB of space.
You will need a SQL Server Driver for JDBC.
You can download the jar file from this link: https://www.microsoft.com/en-us/download/details.aspx?id=100855
We’ll be using the mssql-jdbc-8.2.2.jre8.jar for this Article.

…With all this information out of the way, let’s start by creating our Database in Azure.

Beware that you’ll need to switch to your main tenant that will have your Subscription where you can freely create your Resources.

Go to Azure -> Create a Resource, search for SQL Database and click Create.

You will need to select a Database Name. After that you will need to create a server by clicking the Create new option.
Make sure that you remember the Admin Login and Password that you’ll be setting. With all the information set up, just click OK.

Now, let’s configure the database Compute + Storage.
Click on Configure Database and choose the plan that applies to you; for this article, I’ll go with Standard with 20GB.
After you choose your plan, just click Apply.

After this is all done, just click Review + Create and then Create, and wait a little bit; it will take a while to create the Database.
When it’s finally created, click on the button Go to Resource.
You’ll be met with the Azure Database User Interface. Click on the option Set server firewall.

For this article I will set a Firewall Rule which will let ALL the IPs connect to my Database.
This is only for the article and you shouldn’t do this in a “real life” scenario.
You need to give a name to the Rule, the Start IP, which will be 0.0.0.0, and the End IP, which will be 255.255.255.255.
After that’s done, click Save.

Now that this is out of the way, let’s look at our first YAML file for our API container, which we will need to configure with the Application (client) ID and Directory (tenant) ID of our App Registration, as well as the Database connection and the SQL Server JDBC driver path.

In this YML file, you will need to change some configurations. To begin with, let’s start with the Database.

You will need to change the ALPINE_DATABASE_URL configuration to have your Database information:
- <your-server-name> is your server name
- <your databasename> is your database name

After that, you’ll need to change the value of ALPINE_DATABASE_USERNAME and ALPINE_DATABASE_PASSWORD:
- <your-database-username> is your database username
- <your-database-username-password> is your database password

To finish all this, we will now set up our OIDC connection; in this case, we are using the OIDC of Azure AD.
Remember those values that we had in the Azure AD section, the
Application (client) ID and Directory (tenant) ID? You’ll need them now!

You’ll need to change the value of ALPINE_OIDC_CLIENT_ID and ALPINE_OIDC_ISSUER:
- <Application (client) ID> is your Application (client) ID
- <Directory (tenant) ID> is your Directory (tenant) ID
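The article’s own YML file is not reproduced here, so below is an added example (mine, not the author’s file) of a Docker Compose file of the shape the API Web App consumes, with the ALPINE_* settings discussed above filled in. Everything in angle brackets is a placeholder; the Azure AD v2.0 issuer URL form, the driver path (/data/extlib/driver.jar) and the volume mapping onto the App Service storage are my assumptions, and the ALPINE_OIDC_* provisioning variables beyond CLIENT_ID and ISSUER are Dependency Track’s own settings that this page does not mention.

```yaml
# Added example (not the article's YML): Dependency Track API server on Azure Web App for Containers.
version: "3.7"
services:
  dtrack-apiserver:
    image: dependencytrack/apiserver
    environment:
      # Use the external SQL Server database instead of the embedded one
      - ALPINE_DATABASE_MODE=external
      # Azure SQL only accepts TLS connections, so keep encrypt=true and do not trust arbitrary certificates
      - ALPINE_DATABASE_URL=jdbc:sqlserver://<your-server-name>.database.windows.net:1433;databaseName=<your databasename>;encrypt=true;trustServerCertificate=false;hostNameInCertificate=*.database.windows.net;loginTimeout=30
      - ALPINE_DATABASE_DRIVER=com.microsoft.sqlserver.jdbc.SQLServerDriver
      # Assumed path inside the container where the uploaded driver.jar ends up (see the FTPS step later)
      - ALPINE_DATABASE_DRIVER_PATH=/data/extlib/driver.jar
      - ALPINE_DATABASE_USERNAME=<your-database-username>
      - ALPINE_DATABASE_PASSWORD=<your-database-username-password>
      # OpenID Connect against the Azure AD tenant (v2.0 endpoint); the issuer must match the "iss" claim of the ID token
      - ALPINE_OIDC_ENABLED=true
      - ALPINE_OIDC_ISSUER=https://login.microsoftonline.com/<Directory (tenant) ID>/v2.0
      - ALPINE_OIDC_CLIENT_ID=<Application (client) ID>
      # Claim used as the Dependency Track username
      - ALPINE_OIDC_USERNAME_CLAIM=preferred_username
      # Claim carrying the Azure AD group Object IDs (the "groups" claim added under Token configuration)
      - ALPINE_OIDC_TEAMS_CLAIM=groups
      # Create the user on first OIDC login and keep its teams in sync with the groups claim
      - ALPINE_OIDC_USER_PROVISIONING=true
      - ALPINE_OIDC_TEAM_SYNCHRONIZATION=true
    volumes:
      # Assumed mapping: App Service persistent storage (/home/site/wwwroot/data) -> /data in the container.
      # Only works once WEBSITES_ENABLE_APP_SERVICE_STORAGE is set to "true" on the Web App.
      - ${WEBAPP_STORAGE_HOME}/site/wwwroot/data:/data
    ports:
      - "8080:8080"
    restart: unless-stopped
```

With team synchronization enabled, Dependency Track compares the values of the teams claim (here the Azure AD group Object IDs) against the names of the OpenID Connect Groups you create in the Administration screen, which is why the group is named after the Object ID later in this article. Keep the database password out of source control (Azure App Service application settings are one place for it) rather than committing it inside this file.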

After that’s all set and done, we are ready to deploy our YML File to Azure to create our Web App!

Go to Azure -> Create a Resource, search for Container Registry and click Create.

Choose a Resource Group and a Registry Name and leave the rest as default values. You can click the Review + create button and then Create.

Go to the Resource and then click Access keys.

Click on the radio button to enable the Admin User option, which will generate two passwords and a Username; don’t worry about them.

Now, we can FINALLY create our Web Application.
Go to Azure -> Create a Resource, search for Web App for Containers and click Create.

Once again, choose a Resource Group and a Name for your Web App; I’ll go with dependencytrackapi.
Choose the publish option Docker Container and the Operating System Linux.
Choose the Region that suits you best; I’ll choose the best for me, which is West Europe.

Scroll down and you’ll find the App Service Plan, which we will modify.
Click on the Change Size option.

For this article, I will pick the P2V2 tier. You can choose whatever you want; just make sure that it has the recommended specs for the Dependency Track API Server to run.
Click Apply.

After you’ve done everything, scroll up and select the Docker option.

For the Options, select Docker Compose (Preview); for the Image Source select Azure Container Registry, select your Azure Container Registry and then select the YML file that you modified at the beginning.

After all this is done, you can click on Review + Create and then Create.
It will take a while to finish; as soon as it finishes, go to the Resource.

When you go to your Web App, Stop the application.

Go to the Configuration Section. We will need to edit and add some values.

Configuration Name: WEBSITES_ENABLE_APP_SERVICE_STORAGE

For our container to know that we are using a Volume Storage, and to link the Application Service storage to the container, you will need to change its value to “true”, since the default value is “false”.

Configuration Name: WEBSITES_CONTAINER_START_TIME_LIMIT

We will need to create this configuration so that our application can run and doesn’t time out while the container image is building. Since Dependency Track has a slow image build (it takes around 20/25 minutes to create), we need to create this configuration and set its value to “4000”, which translates to our container having 1 hour to start!
Save your configurations and you can start the application!

It will look something like the image below:

Save the changes and we are all done here.

Now let’s hop into the Deployment Center tab and get the credentials for our FTPS connection, which we will use to create our folders and upload our driver.

I will be using FileZilla to do this; you can use whatever you like.
Once you have the credentials, you will need to log in with them in FileZilla.
The Host is your FTPS Endpoint. The Username and Password are really self-explanatory.
Click Quickconnect.

You will be able to log in and you will see this folder on your remote site.

In our YML file we have set the directory for our database driver to /wwwroot/data/extlib. We only need to create “/data/extlib/” inside /wwwroot and upload our driver to /extlib/.

Our YML file states that our Database Driver file will be named driver.jar.

NOTE: You need to set the file path the way you set it in the YML file. In my case, I set it this way, but you are free to do as you like!

You should end with something like the image above:

With this all set and done, we are ready to start our Web Application.
Go to your Web Application and click the Start icon.

Now you will need to wait 30/40 minutes for Dependency Track to create and seed your Database and to do all the needed work.
If you get a 502 error when going to your API after those 30 minutes, or you get any sort of error in the Log Stream after the NPM update is complete, try stopping the Web App and starting it again. Sometimes it can take more than 30 minutes for Dependency Track to build up, and the maximum time your App can wait for it is 30 minutes.
Also, if you go to your Log Stream and it says “Server Error” or something like that, just delete the Web Application and create a new one.
It is very rare that this happens, but if it does, keep that in mind!

Anyway, after you wait, your database should look something like this:

Now let’s complete our final requirement, which is getting the Front End of Dependency Track up.
We will need the following YML file:

We will need to make a few changes to this YML file.
You will need to change <YOUR DEPENDENCY TRACK API URL> to your Dependency Track API URL, which is basically the first Web App that we created.

You’ll need to change the value of ALPINE_OIDC_CLIENT_ID and ALPINE_OIDC_ISSUER:
- <Application (client) ID> is your Application (client) ID
- <Directory (tenant) ID> is your Directory (tenant) ID
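As with the API server, the article’s Front End YML is not reproduced, so here is an added example of my own (not the author’s file) for the Front End Web App. Note that the dependencytrack/frontend image reads the unprefixed variables API_BASE_URL, OIDC_ISSUER and OIDC_CLIENT_ID (the ALPINE_ prefix belongs to the API server); the values in angle brackets are placeholders, and the issuer URL form, scope and button text are my assumptions.

```yaml
# Added example (not the article's YML): Dependency Track Front End on Azure Web App for Containers.
version: "3.7"
services:
  dtrack-frontend:
    image: dependencytrack/frontend
    environment:
      # Where the user's browser reaches the API (the first Web App); must be HTTPS so tokens never cross plain HTTP
      - API_BASE_URL=https://<YOUR DEPENDENCY TRACK API URL>
      # Same tenant issuer and App Registration as the API server, so both sides validate the same ID token
      - OIDC_ISSUER=https://login.microsoftonline.com/<Directory (tenant) ID>/v2.0
      - OIDC_CLIENT_ID=<Application (client) ID>
      # Scopes requested from Azure AD; "openid" is required, the others populate the username/email claims
      - OIDC_SCOPE=openid profile email
      # Label of the login button shown next to the local admin login
      - OIDC_LOGIN_BUTTON_TEXT=Login with Azure AD
    ports:
      - "8080:8080"
    restart: unless-stopped
```

The redirect URI registered on the SPA platform (https://<YOUR FRONT END APP URL>/static/oidc-callback.html) has to point at this Front End Web App, not at the API, since it is the Front End that receives the tokens from Azure AD and then presents them to the API.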

And that’s all; we have our Front End YML configured. We can now jump to Azure and create a new Web App for Containers.

Go to Azure -> Create a Resource, search for Container Registry and click Create.

Once again, choose a Resource Group and a Name for your Web App; I’ll go with dependencytrackfrontend.
Choose the publish option Docker Container and the Operating System Linux.
Choose the Region that suits you best; I’ll choose the best for me, which is West Europe.

Scroll down and you’ll find the App Service Plan, which we will modify.
Click on the Change Size option.

Since it’s the Frontend container, I will choose a lower tier; for this example, I will choose B2. You can choose whatever you want; just make sure that it has the recommended specs for the Dependency Track API Server to run.
Click Apply.

After you’ve done everything, scroll up and select the Docker option.

For the Options, select Docker Compose (Preview); for the Image Source select Azure Container Registry, select your Azure Container Registry and then select the Front End YML file that we configured.

After all this is done, you can click on Review + Create and then Create.
It will take a while to finish; as soon as it finishes, go to the Resource.
Once we are on the Front End page, we will need to set the Redirect URL in our Azure AD.
You will need to copy the URL from your Web App, which you can see here:

Go back to your Azure AD Tenant.
You can do that by going to your top-right Account icon and then clicking on the Switch Directory option.

You’ll see a page with all the directories that you have available on your Azure Account; just switch to the one that has your Azure AD.
After that, go to the App registrations option on the left pane.

Click on your Registered Application.

Go to the Authentication tab and then click Add a platform.

On Configure platforms, choose Single-page application (SPA).

On the redirect URI, you will need to add this:
https://<YOUR FRONT END APP URL>/static/oidc-callback.html?redirect=/dashboard, where you need to change <YOUR FRONT END APP URL> to your Front End Web App URL.
You will also need to tick the Access tokens and ID tokens options.
After all that is done, just press Configure.

After that redirect URL is added, add another one. Sometimes, for me, in certain browsers, I need to have both redirect URLs; otherwise, it won’t redirect.

Add the following Redirect: https://<YOUR FRONT END APP URL>/static/oidc-callback.html

Now go to Token configuration on the left pane and click Add groups claim.

Make sure to tick the options as in the image below and click Add.

You should end up with something like this:

Now, you can finally go to your Dependency Track Front End. It will be something like this.

The default username is admin and the password is also admin.
When you first log in, you are asked to change your admin password; just do it and you’ll be met with this screen:

Click on the Administration icon on the left:

Once you are in the Administration screen, click on the Access Management option and then go to OpenID Connect Groups.

Now click on the Create Group option.

Now we will name our Group with our Security Group Object ID.
When you created the Security Group on the Azure AD Section, you had an Object ID for it, which you saved on your notepad. Well, to map the Dependency Track Group to the Azure AD Group we will use the Object ID as the name of our Dependency Track Group.
It will be something like this:

Once you create the Group, click on it to expand the options; you’ll see an option named Mapped Teams. Click on the plus sign to show the teams that are available.

Choose a Team that you wish to give to this Dependency Track group. Since I am creating an Administrator Team, I will go with the Administrators option.

Once that’s all done, you can log out of Dependency Track and click on the OpenID button to log in.

You should encounter a Microsoft Sign In, which will ask you for a Username and Password.
Remember the Test User that we created in the Azure AD section? You will use that user here.
Just type the email that was assigned to your Test User and the Password. Beware that you’ll probably be asked to change the password.

Once you log in, it will ask for your consent for the application to read your information. This information will be used and managed by the Dependency Track application.
Just click Accept, and it should redirect you to your Dependency Track application.

Once you are redirected, you should be logged in with the User in the Security Group that you created.
If, for some reason, it doesn’t redirect, try to log in again; sometimes it freezes and doesn’t do the hop to the application.

Now you have an account that is logged in via Azure AD with the permissions assigned based on the Azure AD Security Group.

To end this article…

I want to say that you can do your Dependency Track set up as you want or like it. I chose to do it this way, with two containers, because it was easier for me to configure and understand.
As you saw in the article, we created one Security Group for Administrators. Still, you can have as many groups as you want; you just need to make sure to configure them in Dependency Track, and when your Users log in with OpenID, they will have the proper permissions based on the group they are in. This makes user management much easier!
I hope you guys liked it. I’ve learned a lot trying this solution, and connecting my Azure AD to Dependency Track was a hell of a challenge!

As stated before, I have an article that goes deeper into the set up of Dependency Track. It’s the old one, but you’ll see that it is basically the same thing, with the difference of the SoC of the API and Frontend.
You can find the article here: https://medium.com/devroot/deploying-dependency-track-as-a-container-in-azure-and-building-a-pipeline-with-azure-devops-ab1627961114

I hope that you guys liked this article and I hope it was helpful!


Leandro B.

PT🇵🇹 Penetration Tester/Ethical Hacker. OSEP, OSCP, CRTP, OSWP, eMAPT and eJPT Certified.