Skip to main content

Microsoft

  1. Create platform config for Microsoft

    The platform is able to use Microsoft Single Sign-On (SSO) OAuth2 flow to identify the end user through their Microsoft account.

    Tenant Must Be Specified in Microsoft Connector Config to Sync SSO Groups

    groups claim is only supported when tenant is specified in Microsoft connector config. Furthermore, tenant must also be configured to either <tenant uuid> or <tenant name>. In order for the platform to be able to list groups on behalf of logged in user, an explicit organization administrator consent is required. To obtain the consent do the following:

    The platform can use Microsoft OAuth2 flow to identify end users through their Microsoft accounts.

    The groups claim is only supported when the tenant is specified in the Microsoft connector config. The tenant must be configured to either <tenant uuid> or <tenant name>. For the platform to list groups on behalf of the logged-in user, explicit organization administrator consent is required. To obtain consent:

    • When registering the platform application on https://apps.dev.microsoft.com, add an explicit Directory.Read.All permission to the list of Delegated Permissions.
    • Open the following link in your browser and log in under an organization administrator account:

    https://login.microsoftonline.com/<tenant>/adminconsent?client_id=<client id>

    To configure the platform to use Microsoft for SSO, navigate to Admin > Config in the platform and adjust your config as shown below:

    Microsoft SSO configuration
    auth:
      # Tell the platform to use microsoft authentication
      microsoft:
        #
        #
        # REQUIRED CONFIGURATION
        #
        #
        # ClientID of the microsoft application. Can be string literal or pulled from the environment.
        clientId: $CLIENTID
        # ClientSecret of the microsoft application. Can be string literal or pulled from the environment.
        clientSecret: $CLIENTSECRET
        # Callback URL in the form of https://your-loft-domain/auth/microsoft/callback
        redirectURI: https://vcluster-platform.my.domain/auth/microsoft/callback
        #
        #
        # OPTIONAL CONFIGURATION
        #
        #
        # (Optional) tenant configuration parameter controls what kinds of accounts
        # may be authenticated in loft. By default, all types of Microsoft
        # accounts (consumers and organizations) can authenticate in loft via Microsoft.
        # To change this, set the tenant parameter to one of the following:
        # common - both personal and business accounts can authenticate via Microsoft (default)
        # consumers - only personal accounts can authenticate in loft
        # organizations - only business/school accounts can authenticate in loft
        # 'tenant uuid' or 'tenant name' - only accounts belonging to specific tenant
        # identified by either 'tenant uuid' or 'tenant name' can authenticate in loft
        tenant: common
        # (Optional) It is possible to require a user to be a member of a particular
        # group in order to be successfully authenticated in loft.
        groups: []
        # (Optional) Configuration option restricts the list to include only security groups.
        # By default all groups (security, Office 365, mailing lists) are included.
        onlySecurityGroups: false
        # (Optional) Restrict the groups claims to include only the user’s groups
        # that are in the configured groups
        useGroupsAsWhitelist: false
    Optional configuration parameters
    • tenant: Controls what kinds of accounts may be authenticated. Options include:
      • common: Both personal and business accounts (default)
      • consumers: Only personal accounts
      • organizations: Only business/school accounts
      • 'tenant uuid' or 'tenant name': Only accounts belonging to a specific tenant
    • groups: Require users to be members of specific groups for authentication
    • onlySecurityGroups: Restricts the list to include only security groups
    • useGroupsAsWhitelist: Restricts the groups claims to include only the user's groups that are in the configured groups
    Obtaining ClientID and ClientSecret

    To obtain the $CLIENTID and $CLIENTSECRET values:

    • Register your application in the Azure Portal
    • Navigate to "App registrations"
    • Select your application and find the "Application (client) ID" for $CLIENTID
    • Under "Certificates & secrets", create a new client secret for $CLIENTSECRET

  2. Authenticate via Microsoft

    After saving the new platform configuration, the platform should restart. Users should then be able to log in via Microsoft.

  3. Disable Username + Password Authentication (optional)

    To turn off password-based authentication, navigate to Admin > Config add these two lines to your config:

    Disable password-based authentication
    auth:
      oidc: ...             # This is your SSO configuration (make sure this is working!)
      password:
        disabled: true      # Disable password-based authentication