Wallaroo SSO for Microsoft Azure

Enable SSO authentication to Wallaroo from Microsoft Azure

Organizations can use Microsoft Azure as an identity provider for single sign-on (SSO) logins for users with Wallaroo Enterprise.

IMPORTANT NOTE

These instructions are for Wallaroo Enterprise edition only.

To enable Microsoft Azure as an authentication provider to a Wallaroo Enterprise instance:

Create the Azure Credentials

The first step is to create the Azure credentials in Microsoft Azure.

By the end, the following information must be saved for use in the step Add Azure Credentials to Wallaroo:

Create the New App

login to the Microsoft Azure account with an account with permissions to create application registrations.
Select App registrations from the Azure Services menu, or search for App Registrations from the search bar.
From the App registrations screen, select either an existing application, or select + New registration. This example will show creating a new registration.
From the Register an application screen, set the following:
1. Name: The name of the application.
2. Supported account types: To restrict only to accounts in the organization directory, select Accounts in this organizational directory only.
3. Redirect URI: Set the type to Web and the URI. The URI will be based on the Wallaroo instance and the name of the Keycloak Identity Provider set in the step Add Azure Credentials to Wallaroo. This will be a link back to the Keycloak endpoint URL in your Wallaroo instance in the format https://$PREFIX.keycloak.$SUFFIX/auth/realms/master/broker/$IDENTITYNAME/endpoint.
  For example, if the Wallaroo prefix is silky-lions-3657, the name of the Wallaroo Keycloak Identity Provider is azure, and the suffix is wallaroo.ai, then the Keycloak endpoint URL would be silky-lions-3657.keycloak.wallaroo.ai/auth/realms/master/broker/azure/endpoint. For more information see the DNS Integration Guide.
  Once complete, select Register.

Store the Application ID

From the Overview screen, store the following in a secure location:
1. Application (client) ID: This will be used in the Add Azure Credentials to Wallaroo step.
From the Overview screen, select Redirect URIs. Set the following:
1. Verify the Redirect URI matches the Wallaroo instance endpoint.
2. Under Implicit grant and hybrid flows, set the following:
  1. Access tokens: Enabled
  2. ID tokens: Enabled
From the Overview screen, from the left sidebar select API permissions. Select +Add a permission.
1. Select Microsoft Graph, then Delegated Permissions.
2. Set email, openid, profile to Enabled then select Add permissions.

Create Client Secret

From the Overview screen, select Add a certificate or secret.
Select Client secrets, then +New client secret.
1. Set the following, then select Add.
  1. Description: Set the description of the client secret.
  2. Expires: Set the expiration for the client secret. Defaults to 6 months from creation.
2. Store the following in a secure location:
  1. Client secret Value: This will be used in the Add Azure Credentials to Wallaroo step.

Store Metadata Document

From the left navigation panel, select Overview, then Endpoints.
1. Store the following in a secure location:
  1. OpenID Connect metadata document: This will be used in the Add Azure Credentials to Wallaroo step.

Add Azure Credentials to Wallaroo

With the Azure credentials saved from the Create the Azure Credentials step, they can now be added into the Wallaroo Keycloak service.

Login to the Wallaroo Keycloak service with a Wallaroo admin account from the URL in the format https://$PREFIX.keycloak.$SUFFIX.
For example, if the Wallaroo prefix is silky-lions-3657, the name of the Wallaroo Keycloak Identity Provider is azure, and the suffix is wallaroo.ai, then the Keycloak endpoint URL would be silky-lions-3657.keycloak.wallaroo.ai. For more information see the DNS Integration Guide.
Select Administration Console, then from the left navigation panel select Identity Providers.
From the right Add provider… drop down menu select OpenID Connect v1.0.
From the Add identity provider screen, add the following:
1. alias: The name of the the Identity Provider. IMPORTANT NOTE: This will determine the Redirect URI value that is used in the Create the Azure Credentials step. Verify that the Redirect URI in both steps are the same.
2. Display Name: The name that will be shown on the Wallaroo instance login screen.
3. Client Authentication: Set to Client secret sent as post.
4. Client Authentication: Set with the Application (client) ID created in the Create the Azure Credentials step.
5. Client Secret: Set with the Client secret Value created in the Create the Azure Credentials step.
6. Default Scopes: Set to openid email profile - one space between each word.
7. Scroll to the bottom of the page and in Import from URL, add the OpenID Connect metadata document created in the Create the Azure Credentials step. Select Import to set the Identity Provider settings.
Once complete, select Save to store the identity provider settings.

Once the Azure Identity Provider settings are complete, log out of the Keycloak service.

After completing Add Azure Credentials to Wallaroo, the login can be verified through the following steps. This process will need to be completed the first time a user logs into the Wallaroo instance after the Azure Identity Provider settings are added.

Go to the Wallaroo instance login page. The Azure Identity Provider will be displayed under the username and password request based on the Displey Name set in the Add Azure Credentials to Wallaroo step.
Select the Azure Identity Provider to login.
For the first login, grant permission to the application. You may be required to select which Microsoft Azure account is being used to authenticate.

Once complete, the new user will be added to the Wallaroo instance.