Skip to main content

Microsoft

  1. Create vCluster Platform Config For Microsoft

    vCluster Platform is able to use Microsoft OAuth2 flow to identify the end user through their Microsoft account.

    Tenant Must Be Specified in Microsoft Connector Config to Sync SSO Groups

    groups claim is only supported when tenant is specified in Microsoft connector config. Furthermore, tenant must also be configured to either <tenant uuid> or <tenant name>. In order for vCluster Platform to be able to list groups on behalf of logged in user, an explicit organization administrator consent is required. To obtain the consent do the following:

    • when registering the vCluster Platform application on https://apps.dev.microsoft.com add an explicit Directory.Read.All permission to the list of Delegated Permissions
    • open the following link in your browser and log in under organization administrator account:

    https://login.microsoftonline.com/<tenant>/adminconsent?client_id=<client id>

    To tell vCluster Platform to use Microsoft for SSO, navigate to Admin > Config in vCluster Platform and adjust your config as shown below:

    auth:
      # Tell vCluster Platform to use microsoft authentication
      microsoft:
        #
        #
        # REQUIRED CONFIGURATION
        #
        #
        # ClientID of the microsoft application. Can be string literal or pulled from the environment.
        clientId: $CLIENTID
        # ClientSecret of the microsoft application. Can be string literal or pulled from the environment.
        clientSecret: $CLIENTSECRET
        # Callback URL in the form of https://your-loft-domain/auth/microsoft/callback
        redirectURI: https://vcluster-platform.my.domain/auth/microsoft/callback
        #
        #
        # OPTIONAL CONFIGURATION
        #
        #
        # (Optional) tenant configuration parameter controls what kinds of accounts
        # may be authenticated in loft. By default, all types of Microsoft
        # accounts (consumers and organizations) can authenticate in loft via Microsoft.
        # To change this, set the tenant parameter to one of the following:
        # common - both personal and business accounts can authenticate via Microsoft (default)
        # consumers - only personal accounts can authenticate in loft
        # organizations - only business/school accounts can authenticate in loft
        # 'tenant uuid' or 'tenant name' - only accounts belonging to specific tenant
        # identified by either 'tenant uuid' or 'tenant name' can authenticate in loft
        tenant: common
        # (Optional) It is possible to require a user to be a member of a particular
        # group in order to be successfully authenticated in loft.
        groups: []
        # (Optional) Configuration option restricts the list to include only security groups.
        # By default all groups (security, Office 365, mailing lists) are included.
        onlySecurityGroups: false
        # (Optional) Restrict the groups claims to include only the user’s groups
        # that are in the configured groups
        useGroupsAsWhitelist: false

  2. Authenticate via Microsoft

    After saving the new vCluster Platform configuration, vCluster Platform will restart itself and you should be able to log in via Microsoft.

  3. Disable Username + Password Authentication (optional)

    To disable password-based authentication, navigate to Admin > Config add these two lines to your config:

    auth:
      oidc: ...             # This is your SSO configuration (make sure this is working!)
      password:
        disabled: true      # Disable password-based authentication