Microsoft
Create vCluster Platform Config For Microsoft
vCluster Platform is able to use Microsoft OAuth2 flow to identify the end user through their Microsoft account.
Tenant Must Be Specified in Microsoft Connector Config to Sync SSO Groupsgroups claim is only supported when tenant is specified in Microsoft connector config. Furthermore, tenant must also be configured to either
<tenant uuid> or <tenant name>
. In order for vCluster Platform to be able to list groups on behalf of logged in user, an explicit organization administrator consent is required. To obtain the consent do the following:- when registering the vCluster Platform application on https://apps.dev.microsoft.com add an explicit Directory.Read.All permission to the list of Delegated Permissions
- open the following link in your browser and log in under organization administrator account:
https://login.microsoftonline.com/<tenant>/adminconsent?client_id=<client id>
To tell vCluster Platform to use Microsoft for SSO, navigate to
Admin > Config
in vCluster Platform and adjust your config as shown below:auth:
# Tell vCluster Platform to use microsoft authentication
microsoft:
#
#
# REQUIRED CONFIGURATION
#
#
# ClientID of the microsoft application. Can be string literal or pulled from the environment.
clientId: $CLIENTID
# ClientSecret of the microsoft application. Can be string literal or pulled from the environment.
clientSecret: $CLIENTSECRET
# Callback URL in the form of https://your-loft-domain/auth/microsoft/callback
redirectURI: https://vcluster-platform.my.domain/auth/microsoft/callback
#
#
# OPTIONAL CONFIGURATION
#
#
# (Optional) tenant configuration parameter controls what kinds of accounts
# may be authenticated in loft. By default, all types of Microsoft
# accounts (consumers and organizations) can authenticate in loft via Microsoft.
# To change this, set the tenant parameter to one of the following:
# common - both personal and business accounts can authenticate via Microsoft (default)
# consumers - only personal accounts can authenticate in loft
# organizations - only business/school accounts can authenticate in loft
# 'tenant uuid' or 'tenant name' - only accounts belonging to specific tenant
# identified by either 'tenant uuid' or 'tenant name' can authenticate in loft
tenant: common
# (Optional) It is possible to require a user to be a member of a particular
# group in order to be successfully authenticated in loft.
groups: []
# (Optional) Configuration option restricts the list to include only security groups.
# By default all groups (security, Office 365, mailing lists) are included.
onlySecurityGroups: false
# (Optional) Restrict the groups claims to include only the user’s groups
# that are in the configured groups
useGroupsAsWhitelist: falseAuthenticate via Microsoft
After saving the new vCluster Platform configuration, vCluster Platform will restart itself and you should be able to log in via Microsoft.
Disable Username + Password Authentication (optional)
To disable password-based authentication, navigate to
Admin > Config
add these two lines to your config:auth:
oidc: ... # This is your SSO configuration (make sure this is working!)
password:
disabled: true # Disable password-based authentication