Azure (OIDC)
Setting Up Azure Single Sign-On (SSO)
This page describes how to set up Azure SSO with Codefresh. For general SSO setup instructions, see the overview page.
Prerequisites
Make sure that your user in Azure has the Application Administrator or Global Administrator roles. If the user that creates the Azure application does not belong to either of these roles, you will not be able to sync teams from Azure to Codefresh after the SSO integration is complete.
We strongly suggest that the Azure user who creates the integration has the Application Administrator or Global Administrator role.
Creating an Application Registration
To set up Azure Active Directory for SSO, you first need to create a new application in Azure AD. Log in to the Azure Portal and choose Azure Active Directory from the sidebar.
Then under the new sidebar, select App registrations.
Then click + New registration to add a new application.
Enter a name for the application (e.g. Codefresh) and leave all other options at their default values.
Click the Register button to apply your changes. The application registration is now created.
Configure the Permissions
Once the application has been created, you will have to configure the permissions. Click on the name of the application to open the Settings section.
Click API permissions.
Then click on the Add a permission button to change the access levels.
Find the Azure Active Directory Graph entry and click on it.
Click Application permissions (Delegated permissions are not enough in this case). From the list of permissions choose:
- Directory.Read.All
- Group.Read.All
- User.Read.All
Note: the delegated permission User.Read is also required. It is usually added by default.
Finally click the Apply Permissions button.
Then click the Grant admin consent button in the bar above.
Create Client Secret
Next select Certificates & secrets from the left sidebar:
Click on New Client secret and add a description (arbitrary name).
Choose the desired duration.
Note: If you choose an expiring key, make sure to record the expiration date in your calendar, as you will need to renew the key (get a new one) before that day to ensure users don’t experience a service interruption.
Click on Add and the key will be displayed. Make sure to copy the value of this key before leaving this screen, otherwise you may need to create a new key. This value will need to be provided to Codefresh securely.
Enter details on the Codefresh side
Go back to the SSO settings screen described in the first part of this guide inside the Codefresh GUI.
You need to enter the following:
- Display Name - Shown as display name in Azure (see below)
- client id - shown as Application (client) ID in Azure (see below)
- client secret - the key value as created in the previous section
- tenant - either the tenant domain, such as mycompany.onmicrosoft.com, or the tenant ID, such as 0example1-0000-0aa0-a00a-1example0
- Object ID - your Azure Service Principal Object ID (from Enterprise Application configuration, see below)
- Auto Sync users and teams to Codefresh - Select to automatically sync user accounts in Azure AD to your Codefresh account. Optionally, define the time interval, in hours, at which to sync, from 1 to 24. If you don’t specify an interval, the sync is every 12 hours.
Those fields can be seen in the overview page of your application registration:
Once you save the Identity provider, Codefresh will assign a client-name to it which identifies the SSO configuration. You will need this value for the reply URL setting (back in the Azure portal UI).
Configure reply URLs
As a last step you need to ensure that your Codefresh callback URL is listed in the allowed reply URLs for the created application. Navigate to Azure Active Directory -> App registrations and select your app. Then click Add a Redirect URI and fill in:
https://g.codefresh.io/api/auth/<your_codefresh_sso_client_name>/callback
where <your_codefresh_sso_client_name> is the client name shown in the SSO configuration described in the previous section.
Scroll down on the same page and click the ID tokens checkbox:
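The two settings in this guide that most often break later are the reply URL (Azure matches redirect URIs exactly) and the client secret expiry (see the note in the Create Client Secret section). The following Python script is an added example, not part of Codefresh's documentation or tooling: it builds the expected callback URL from the SSO client-name, checks it against the app's registered redirect URIs, and flags secrets that have expired or expire within 30 days. The JSON samples are constructed, and the field names (web.redirectUris, displayName, endDateTime) are assumed to match the output of `az ad app show` and `az ad app credential list`.

```python
import json
from datetime import datetime, timedelta

# Constructed sample data in the shape `az ad app show --id <app-id>` and
# `az ad app credential list --id <app-id>` are assumed to return (not real output).
APP_JSON = json.dumps({"web": {"redirectUris": [
    "https://g.codefresh.io/api/auth/mycompany-azure/callback",
    "https://localhost/debug",
]}})
CREDS_JSON = json.dumps([
    {"displayName": "codefresh-sso", "endDateTime": "2024-01-15T00:00:00Z"},
    {"displayName": "old-key", "endDateTime": "2023-06-01T00:00:00Z"},
])


def expected_callback(client_name: str) -> str:
    """Callback URL Codefresh expects, built from the SSO client-name it assigned."""
    return f"https://g.codefresh.io/api/auth/{client_name}/callback"


def callback_registered(app_json: str, client_name: str) -> bool:
    """True if the Codefresh callback is among the app's reply URLs.

    The comparison is an exact string match, as Azure AD performs it: a
    trailing slash, different casing or http:// would all be rejected.
    """
    uris = json.loads(app_json).get("web", {}).get("redirectUris", [])
    return expected_callback(client_name) in uris


def _parse_utc(value: str) -> datetime:
    # Accept the trailing 'Z' that the CLI emits; fromisoformat on older
    # Python versions only understands an explicit +00:00 offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def secrets_expiring(creds_json: str, now_iso: str, within_days: int = 30) -> list:
    """Names of client secrets already expired or expiring within `within_days`.

    Run this periodically so the key is rotated before the date recorded in
    your calendar; an expired secret breaks every SSO login at once.
    """
    now = _parse_utc(now_iso)
    flagged = []
    for cred in json.loads(creds_json):
        remaining = _parse_utc(cred["endDateTime"]) - now
        if remaining <= timedelta(days=within_days):
            flagged.append(cred["displayName"])
    return flagged


if __name__ == "__main__":
    print("callback ok:", callback_registered(APP_JSON, "mycompany-azure"))
    print("rotate soon:", secrets_expiring(CREDS_JSON, "2023-12-20T00:00:00Z"))
```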
This concludes the SSO setup for Azure.
What to read next
See the overview page on how to test the integration, activate SSO for collaborators and create sync jobs.