Improve this page on GitHub

Azure (OIDC)

Setting Up Azure Single Sign-On (SSO)

In this page we will see the process of setting up Azure SSO with Codefresh. For the general instructions of SSO setup see the overview page.

Prerequisites

Make sure that your user in Azure has the Application Administrator or Global Administrator roles. If the user that creates the Azure application does not belong to either of these roles, you will not be able to sync teams from Azure to Codefresh after the SSO integration is complete.

We strongly suggest that the Azure user who creates the integration is part of Application Administrator or Global Administrator roles.

Creating an Application Registration

To setup Azure Active Directory for SSO, you should first create a new application in Azure AD. Login to Azure Portal and choose Azure Active Directory from the sidebar.

Azure Active Directory

Azure Active Directory

Then under the new sidebar, select App registrations.

Azure App Registrations

Azure App Registrations

Then click on the + New registration to add a new application.

Enter a name for the application (e.g. Codefresh), and leave all other options to default selection.

Azure App Registration creation

Azure App Registration creation

Click the Register button to apply your changes. The application registration is now created.

Configure the Permissions

Once the application has been created, you will have to configure the permissions. Click on the name of the application to open the Settings section.

Click API permissions.

Azure App API Permissions

Azure App API Permissions

Then click on the Add a permission button to change the access levels.

Azure App Change Permissions

Azure App Change Permissions

Find the Azure Active Directory Graph entry and click on it.

Azure Active Directory Graph entry

Azure Active Directory Graph entry

Click Application permissions (Delegated permissions are not enough in this case). From the list of permissions choose:

  • Directory.Read.All
  • Group.Read.All
  • User.Read.All

Note: User.Read for the type of delegated is required. This permission is usually added by default.

Finally click the Apply Permissions button.

API Permissions

API Permissions

Afterwards please click on the Grant admin consent button from the bar above.

Create Client Secret

Next select Certificates & secrets from the left sidebar:

Change keys

Change keys

Click on New Client secret and add a description (arbitrary name).

Add a client secret

Add a client secret

Choose the desired duration.

Note:. If you choose an expiring key, make sure to record the expiration date in your calendar, as you will need to renew the key (get a new one) before that day in order to ensure users don’t experience a service interruption.

Click on Add and the key will be displayed. Make sure to copy the value of this key before leaving this screen, otherwise you may need to create a new key. This value will need to be provided to Codefresh securely.

Enter details on the Codefresh side

Go back to the SSO settings screen described in the first part of this guide inside the Codefresh GUI.

You need to enter the following:

  • Display Name - Shown as display name in Azure (see below)
  • client id - shown as Application (client) ID in Azure (see below)
  • client secret - the key value as created in the previous section
  • tenant - mycompany.onmicrosoft.com or the ID of 0example1-0000-0aa0-a00a-1example0
  • Object ID - your Azure Service Principal Object ID (from Enterprise Application configuration, see below)
  • Auto Sync users and teams to Codefresh - Select to automatically sync user accounts in Azure AD to your Codefresh account. Optionally, define the time interval, in hours, at which to sync, from 1 to 24. If you don’t specify an interval, the sync is every 12 hours.

Those fields can be seen in the overview page of your application registration:

Overview

Overview

Once you save the Identity provider, Codefresh will assign a client-name to it which identifies the SSO configuration.

SSO Client Name

SSO Client Name

We will need this value in the reply URL setting (back in the Azure portal UI).

Configure reply URLs

As a last step you need to ensure that your Codefresh callback URL is listed in allowed reply URLs for the created application. Navigate to Azure Active Directory -> Apps registrations and select your app. Then click Add a Redirect URI and fill in:

https://g.codefresh.io/api/auth/<your_codefresh_sso_client_name>/callback

where <your_codefresh_sso_client_name> is the client name shown in the SSO configuration described in the previous section.

Reply URLs

Reply URLs

Scroll down on the same page and click the ID tokens checkbox:

Reply URLs

Reply URLs

This concludes the SSO setup for Azure.

See the overview page on how to test the integration, activate SSO for collaborators and create sync jobs.