Single Sign On (SSO)
Mission Control uses kratos for identity management. Login via email/password is the default flow but any OIDC provider supported by Kratos can be used
See Providers more details on supported providers.
Microsoft Entra (Azure AD)
Create a new Azure AD App Registration
- Record the
Client ID(Application ID) in the Overview page - Add an allowed redirect URI of
https://ingress/api/.ory/self-service/methods/oidc/callback/microsoft - Token Configuration
- Add the email optional claim
- Add a
groups claimif you want to map Azure AD Group Membership to roles in Mission Control
- Certificates & Secrets
- Create a new
client secret
- Create a new
- Record the
Get the
Tenant ID(Directory ID`) from DirectoriesCreate a Jsonnet claims mapper
Jsonnet is used to map the claims provided by Azure AD, to the Kratos Identity Schema
local claims = std.extVar('claims');
{
identity: {
traits: {
name: {
[if 'given_name' in claims then 'first' else null]: claims.given_name,
[if 'family_name' in claims then 'last' else null]: claims.family_name,
},
[if 'raw_claims' in claims &&
'groups' in claims.raw_claims then 'groups' else null]: claims.raw_claims.groups,
[if 'preferred_username' in claims then 'email' else null]: claims.preferred_username,
[if 'email' in claims then 'email' else null]: claims.email,
},
},
}
Create the
mapper_urlby Base64 encoding the jsonnet file and prefixing it withbase64://Update the helm values
values.yaml
kratos:
kratos:
config:
selfservice:
methods:
oidc:
enabled: true
config:
providers:
- id: microsoft
provider: microsoft
microsoft_tenant: # The Azure AD Tenant Id
client_id: #...
client_secret: #...
mapper_url: base64:// #base64 encoded mapper_url
scope:
- email
- openid
- profile