Azure SSO via OIDC

Set up Azure SSO for OIDC

Set up SSO for Azure using OIDC. For a general overview on OIDC, see Setting up OIDC Federated SSO.

Set up OIDC SSO for Azure in Codefresh by:

  1. Registering the Codefresh application in Azure
  2. Configuring permissions for the Codefresh application in Azure
  3. Creating the Client secret in Azure
  4. Completing SSO configuration for Azure in Codefresh
  5. Configuring redirect URIs in Azure

Prerequisites

Make sure that the Azure user who creates the application is assigned one of these roles:
  • Application Administrator
  • Global Administrator

If the user who creates the Azure application is not assigned either of these roles, you will be unable to sync teams from Azure to Codefresh.

Step 1: Register the Codefresh application in Azure

To set up Azure Active Directory for SSO, first register a new application in Azure.

  1. Log in to the Azure Portal, and from the sidebar, select Azure Active Directory.

Azure Active Directory

  2. From the sidebar, select App registrations, and then click + New registration.
  3. Enter a name for the application, for example, Codefresh, and retain the default values for all other settings.

Enter name and register application

  4. To apply your changes, click Register. The application is created and registered in Azure AD.
  5. Continue with Step 2: Configure permissions for the application in Azure.

Step 2: Configure permissions for the application in Azure

Once the application has been created and registered, configure the required permissions.

  1. Click the name of the application to open Settings.
  2. Do the following:
    • Select API permissions, and then click + Add a permission.
    • From Request API Permissions, select Microsoft APIs, and then select Microsoft Graph.

Select Microsoft Graph

  3. Click Application permissions on the left, and add:
    • Group > Read.All
    • User > Read.All
  4. Click Delegated permissions on the right, and add:
    • User > Read.All

    NOTE
    The User.Read (Delegated) permission is added by default.

Full permissions for Microsoft Graph.

  5. Click Add Permissions.
  6. Click Grant admin consent for Default Directory on the bar.
  7. Continue with Step 3: Create client secret in Azure.

Step 3: Create client secret in Azure

Create a client secret for the application. You will need to provide it when you set up SSO for Azure in Codefresh.

  1. From the sidebar, select Certificates & secrets, and then click + New client secret.

Create client secret

  2. Optional. Add a meaningful description for the client secret, and either retain the default expiry date or define a custom one.

Description for client secret


TIP
Make a note of the expiry date in your calendar to renew the key before the expiry date and prevent service interruptions.

  3. Click Add.
    Copy the secret value now, as you will need to provide it when setting up Azure SSO in Codefresh.
  4. Continue with Step 4: Configure SSO settings for Azure in Codefresh.

Step 4: Configure SSO settings for Azure in Codefresh

Configure SSO for Azure in the Codefresh UI.

Before you begin

  • From Azure AD:
    • Have your client secret handy
    • Go to Azure Active Directory > Enterprise Applications, select the app you created, and note down these Properties: Application ID and Object ID

Application and Object IDs in Azure


How to

  1. In the Codefresh UI, from the toolbar, click the Settings icon.
  2. In the sidebar, from Access & Collaboration, select Single Sign-On.
  3. Click Add Single Sign-On, and select Azure, and click Next.
  4. Enter the following:
    • Client Name: For auto-generation, leave empty. Codefresh generates the client name once you save the settings.
    • Display Name: Meaningful name for the SSO provider. This is the name shown in Azure.
    • Application ID: The Application ID from your Enterprise Application Properties in Azure AD.
    • Client Secret: The key value you copied when you created the client secret in Azure.
    • Tenant: Your Azure AD tenant, as either the domain, for example mycompany.onmicrosoft.com, or the tenant ID, for example 0example1-0000-0aa0-a00a-1example0.
    • Object ID: The Object ID from your Enterprise Application Properties in Azure AD.
    • Auto Sync users and teams to Codefresh: Select to automatically sync user accounts in Azure AD to your Codefresh account. Optionally, define the time interval, in hours, at which to sync, from 1 to 24. If you don’t specify an interval, the sync is every 12 hours.

SSO settings for Azure in Codefresh

  5. Click Save.
    If you left the Client Name empty, Codefresh generates one (see example below). Codefresh uses this name to identify the SSO configuration.
    You will need this value as the Reply URL setting in the Azure portal.

Example of Codefresh-generated Client Name for Azure

  6. Continue with Step 5: Configure redirect URIs in Azure.

Step 5: Configure redirect URIs in Azure

As the final step, add the Codefresh callback URL to the allowed reply URLs for the created application in Azure.

Before you begin

  • Make sure you have the Client Name for the Azure SSO configuration from Codefresh

How to

  1. Go to Azure Active Directory > App registrations, and select the application you registered for SSO.
  2. From the sidebar, select Authentication.
  3. Under Platform configurations, click Add a platform, and then select Web.

Select Web configuration settings

  4. In the Configure Web form, do the following:
    • In the Redirect URIs field, enter the redirect URI in the format below:
      https://g.codefresh.io/api/auth/<your_codefresh_sso_client_name>/callback
      where:
      <your_codefresh_sso_client_name> is the Client Name shown in the SSO configuration, either defined by you or created by Codefresh.
    • Select ID tokens.

Web configuration settings

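A post-configuration check for Steps 3 and 5, added here as an example and not code from the Codefresh docs or product: it takes a Microsoft Graph application object that you have already fetched (the sample below is constructed, with a placeholder Application ID) and reports a missing or extra reply URL, ID tokens left disabled, and client secrets that are expired or within 30 days of expiry. The field names used (web.redirectUris, web.implicitGrantSettings.enableIdTokenIssuance, passwordCredentials[].endDateTime) are those of the Graph application resource; the client name codefresh-example is assumed.

```python
from datetime import datetime, timedelta
# Added example, not Codefresh code: audits a Microsoft Graph application
# object (GET /applications/{id}) against the settings in Steps 3 and 5.
CALLBACK_FMT = "https://g.codefresh.io/api/auth/{client}/callback"  # Step 5 format
# Constructed sample with one extra, non-Codefresh reply URL and a secret
# that is about to expire, so the audit has something to report.
SAMPLE_APP = {
    "appId": "00000000-0000-0000-0000-000000000000",  # placeholder Application ID
    "web": {
        "homePageUrl": "https://g.codefresh.io/api/auth/codefresh-example",
        "redirectUris": ["https://g.codefresh.io/api/auth/codefresh-example/callback",
                         "http://localhost:8080/callback"],
        "implicitGrantSettings": {"enableAccessTokenIssuance": False,
                                  "enableIdTokenIssuance": True},
    },
    "passwordCredentials": [{"displayName": "codefresh-sso",
                             "endDateTime": "2024-05-20T00:00:00Z"}],
}

def parse_ts(ts: str) -> datetime:
    """Parse a Graph timestamp such as 2024-05-20T00:00:00Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def expected_redirect_uri(client_name: str) -> str:
    """The one Reply URL Codefresh needs for the given SSO Client Name."""
    return CALLBACK_FMT.format(client=client_name)

def audit_app(app: dict, client_name: str, now: datetime, warn_days: int = 30) -> list:
    """Return findings as strings; an empty list means the registration looks right."""
    findings = []
    web = app.get("web", {})
    want = expected_redirect_uri(client_name)
    uris = web.get("redirectUris", [])
    if want not in uris:
        findings.append(f"missing redirect URI: {want}")
    # Every extra reply URL is another place Azure may send the ID token.
    findings += [f"unexpected redirect URI: {u}" for u in uris if u != want]
    if not web.get("implicitGrantSettings", {}).get("enableIdTokenIssuance"):
        findings.append("ID tokens are not enabled under Authentication")
    for cred in app.get("passwordCredentials", []):  # client secrets from Step 3
        end = parse_ts(cred["endDateTime"])
        if end <= now:
            findings.append(f"client secret {cred.get('displayName')} expired {end.date()}")
        elif end - now <= timedelta(days=warn_days):
            findings.append(f"client secret {cred.get('displayName')} expires {end.date()}")
    return findings

def run_sample() -> list:  # audit the constructed sample as of 1 May 2024
    return audit_app(SAMPLE_APP, "codefresh-example", parse_ts("2024-05-01T00:00:00Z"))
```

Run it against the real object by replacing SAMPLE_APP with the JSON from Graph and the fixed date with the current time; the same expiry check is what the TIP in Step 3 asks you to track by hand.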

Step 6 (Optional): Configure Azure-initiated login

  1. Go to Azure Active Directory > App registrations, and select the application you registered for SSO.
  2. From the sidebar, select Branding & properties.
  3. In the Home page URL field, enter https://g.codefresh.io/api/auth/<your_codefresh_sso_client_name>, where <your_codefresh_sso_client_name> is the Client Name shown in the Codefresh SSO configuration.

Web configuration settings

  4. Go to Azure Active Directory > Enterprise Applications, and select the application you registered for SSO.
  5. Under Properties, set Visible to users to Yes.
  6. The application can now be added to a collection on the My Apps page for Azure-initiated login.

You have now completed the SSO setup for Azure using OIDC.
