Wallaroo SSO for Microsoft Azure

Enable SSO authentication to Wallaroo from Microsoft Azure


Organizations can use Microsoft Azure as an identity provider for single sign-on (SSO) logins for users with Wallaroo Enterprise.

To enable Microsoft Azure as an authentication provider to a Wallaroo Enterprise instance:

Create the Azure Credentials

The first step is to create the Azure credentials in Microsoft Azure.

By the end, the following information must be saved for use in the step Add Azure Credentials to Wallaroo:

  • Application (client) ID
  • Client secret Value
  • OpenID Connect metadata document

Create the New App

  1. Log in to the Microsoft Azure account with an account that has permissions to create application registrations.

  2. Select App registrations from the Azure Services menu, or search for App Registrations from the search bar.

    Select App registrations
  3. From the App registrations screen, select either an existing application, or select + New registration. This example will show creating a new registration.

    Create new registration
  4. From the Register an application screen, set the following:

    1. Name: The name of the application.

    2. Supported account types: To restrict only to accounts in the organization directory, select Accounts in this organizational directory only.

    3. Redirect URI: Set the type to Web and the URI. The URI will be based on the Wallaroo instance and the name of the Wallaroo Administrative Service Identity Provider set in the step Add Azure Credentials to Wallaroo. This will be a link back to the Keycloak endpoint URL in your Wallaroo instance in the format https://$PREFIX.keycloak.$SUFFIX/auth/realms/master/broker/$IDENTITYNAME/endpoint.

      For example, if the Wallaroo prefix is silky-lions-3657, the name of the Wallaroo Administrative Service Identity Provider is azure, and the suffix is wallaroo.ai, then the Wallaroo Administrative Service endpoint URL would be silky-lions-3657.keycloak.wallaroo.ai/auth/realms/master/broker/azure/endpoint. For more information see the DNS Integration Guide.

      Once complete, select Register.

      New registration settings
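The Redirect URI registered in Azure must match the Keycloak broker endpoint exactly, and the alias chosen later in Keycloak is part of that path. The following added check (not part of the Wallaroo documentation or product) builds the expected endpoint from the pattern above and compares it against the redirect URIs registered on the Azure app, flagging the mismatches that most often break the login: an http scheme, a trailing slash, or an alias that differs in spelling or case. The prefix, suffix and alias values are the ones used in the guide's own example; the registered URIs passed in are constructed samples.

```python
from urllib.parse import urlsplit


def keycloak_broker_endpoint(prefix: str, suffix: str, alias: str) -> str:
    """Build the Keycloak broker endpoint for a Wallaroo instance from the
    pattern given in the guide:
    https://$PREFIX.keycloak.$SUFFIX/auth/realms/master/broker/$IDENTITYNAME/endpoint
    """
    return f"https://{prefix}.keycloak.{suffix}/auth/realms/master/broker/{alias}/endpoint"


def _parts(uri: str):
    # Host names are case-insensitive; the path (which carries the alias) is not.
    p = urlsplit(uri.strip())
    return p.scheme.lower(), p.netloc.lower(), p.path


def check_redirect_uris(prefix: str, suffix: str, alias: str, registered_uris):
    """Compare the redirect URIs registered on the Azure app registration with
    the endpoint Keycloak will use for the given identity-provider alias.

    Returns a dict with the expected endpoint, whether any registered URI
    matches it exactly, and a list of problems (empty when consistent).
    """
    expected = keycloak_broker_endpoint(prefix, suffix, alias)
    exp_scheme, exp_host, exp_path = _parts(expected)
    result = {"expected": expected, "match": False, "problems": []}
    for uri in registered_uris:
        scheme, host, path = _parts(uri)
        if (scheme, host, path) == (exp_scheme, exp_host, exp_path):
            result["match"] = True
        elif scheme != "https" and (host, path) == (exp_host, exp_path):
            result["problems"].append(f"{uri}: scheme must be https")
        elif (scheme, host) == (exp_scheme, exp_host) and path.rstrip("/") == exp_path:
            # Azure compares redirect URIs exactly, so a trailing slash is a mismatch.
            result["problems"].append(f"{uri}: trailing slash will not match")
        elif (scheme, host) == (exp_scheme, exp_host):
            result["problems"].append(f"{uri}: path does not match alias '{alias}' (check spelling and case)")
        # URIs for other hosts are ignored; the app may legitimately serve other clients.
    if not result["match"]:
        result["problems"].append("no registered redirect URI matches the Keycloak broker endpoint")
    return result


if __name__ == "__main__":
    # Constructed sample: one correct URI plus three common mistakes.
    report = check_redirect_uris(
        "silky-lions-3657", "wallaroo.ai", "azure",
        [
            "https://silky-lions-3657.keycloak.wallaroo.ai/auth/realms/master/broker/azure/endpoint",
            "http://silky-lions-3657.keycloak.wallaroo.ai/auth/realms/master/broker/azure/endpoint",
            "https://silky-lions-3657.keycloak.wallaroo.ai/auth/realms/master/broker/Azure/endpoint",
        ],
    )
    print("expected:", report["expected"])
    for problem in report["problems"]:
        print("problem:", problem)
```

Run it with the redirect URIs copied from the Azure app's Authentication page; an empty problem list and `match` set to True means the Azure side and the Keycloak alias agree.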

Store the Application ID

  1. From the Overview screen, store the following in a secure location:

    1. Application (client) ID: This will be used in the Add Azure Credentials to Wallaroo step.

      Application (client) id
  2. From the Overview screen, select Redirect URIs. Set the following:

    1. Verify the Redirect URI matches the Wallaroo instance endpoint.
    2. Under Implicit grant and hybrid flows, set the following:
      1. Access tokens: Enabled
      2. ID tokens: Enabled
  3. From the Overview screen, from the left sidebar select API permissions. Select +Add a permission.

    Add permission
    1. Select Microsoft Graph, then Delegated Permissions.

      Add email, openid, profile
    2. Set email, openid, profile to Enabled then select Add permissions.

Create Client Secret

  1. From the Overview screen, select Add a certificate or secret.

    Select add a certificate
  2. Select Client secrets, then +New client secret.

    Select add new client secret
    1. Set the following, then select Add.

      Set client secret details.
      1. Description: Set the description of the client secret.
      2. Expires: Set the expiration for the client secret. Defaults to 6 months from creation.
    2. Store the following in a secure location:

      1. Client secret Value: This will be used in the Add Azure Credentials to Wallaroo step.

Store Metadata Document

  1. From the left navigation panel, select Overview, then Endpoints.

    Select Endpoints.
    1. Store the following in a secure location:
      1. OpenID Connect metadata document: This will be used in the Add Azure Credentials to Wallaroo step.

        Save OpenID Connect metadata document

How to Access the User Authentication Service

Most user administration features are performed by admins through the Platform Admin Dashboard.

Additional settings are available by directly accessing the Wallaroo Administrative Service, known as Keycloak. This requires the following:

  1. A user credential with administrative access. If for some reason no user with administrative access is available, the default admin user and credentials can be retrieved by a user with kubectl and administrative access to the cluster with the following commands.

    • Retrieve Keycloak Admin Username

      kubectl -n wallaroo \
      get secret keycloak-admin-secret \
      -o go-template='{{.data.KEYCLOAK_ADMIN_USER | base64decode }}'
      
    • Retrieve Keycloak Admin Password

      kubectl -n wallaroo \
      get secret keycloak-admin-secret \
      -o go-template='{{.data.KEYCLOAK_ADMIN_PASSWORD | base64decode }}'
      
  2. Access the user administrative service through the URL https://keycloak.$WALLAROO_SUFFIX. For example, if the $WALLAROO_SUFFIX is wallaroo.example.com, the administrative access controls are accessed through https://keycloak.wallaroo.example.com.

Add Azure Credentials to Wallaroo

With the Azure credentials saved from the Create the Azure Credentials step, they can now be added into the Wallaroo Administrative service.

  1. Select Administration Console, then from the left navigation panel select Identity Providers.

    Select Keycloak Identity Providers
  2. From the right Add provider… drop down menu select OpenID Connect v1.0.

    Select OpenID Connect
  3. From the Add identity provider screen, add the following:

    Identity Provider Values
    1. alias: The name of the Identity Provider. IMPORTANT NOTE: This determines the Redirect URI value that is used in the Create the Azure Credentials step. Verify that the Redirect URI in both steps is the same.
    2. Display Name: The name that will be shown on the Wallaroo instance login screen.
    3. Client Authentication: Set to Client secret sent as post.
    4. Client ID: Set with the Application (client) ID created in the Create the Azure Credentials step.
    5. Client Secret: Set with the Client secret Value created in the Create the Azure Credentials step.
    6. Default Scopes: Set to openid email profile - one space between each word.
    7. Scroll to the bottom of the page and in Import from URL, add the OpenID Connect metadata document created in the Create the Azure Credentials step. Select Import to set the Identity Provider settings.
    Import Metadata Document
  4. Once complete, select Save to store the identity provider settings.

Once the Azure Identity Provider settings are complete, log out of the Wallaroo Administrative service.
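Keycloak fills in the provider endpoints from the OpenID Connect metadata document imported in step 3.7, so it is worth confirming what that document advertises before trusting the import. The following added checker (not part of the Wallaroo documentation or product) parses a discovery document and verifies the properties the configuration above relies on: the required endpoints are present and served over https, the provider advertises the authorization code flow, the token endpoint accepts a client secret sent as a POST body (the Client Authentication setting chosen above), and the Default Scopes openid email profile are all advertised. The embedded document is a constructed sample modelled on the Azure AD v2.0 discovery document with a placeholder tenant id; the `tampered_copy` helper is an invented negative example.

```python
import json
from urllib.parse import urlsplit

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
OPTIONAL_URL_KEYS = ("userinfo_endpoint", "end_session_endpoint")

# Constructed sample modelled on the Azure AD v2.0 discovery document.
# <tenant-id> is a placeholder, not a real tenant.
SAMPLE_METADATA_TEXT = """
{
  "issuer": "https://login.microsoftonline.com/<tenant-id>/v2.0",
  "authorization_endpoint": "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize",
  "token_endpoint": "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token",
  "jwks_uri": "https://login.microsoftonline.com/<tenant-id>/discovery/v2.0/keys",
  "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
  "end_session_endpoint": "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/logout",
  "scopes_supported": ["openid", "profile", "email", "offline_access"],
  "response_types_supported": ["code", "id_token", "code id_token", "id_token token"],
  "token_endpoint_auth_methods_supported": ["client_secret_post", "private_key_jwt", "client_secret_basic"],
  "id_token_signing_alg_values_supported": ["RS256"]
}
"""


def parse_oidc_metadata(text: str) -> dict:
    """Parse a discovery document; it must be a single JSON object."""
    doc = json.loads(text)
    if not isinstance(doc, dict):
        raise ValueError("metadata document must be a JSON object")
    return doc


def validate_oidc_metadata(doc: dict, default_scopes: str = "openid email profile",
                           client_auth: str = "client_secret_post") -> list:
    """Return a list of problems; an empty list means the document supports
    the Keycloak identity-provider settings described in the guide."""
    problems = []
    for key in REQUIRED_KEYS:
        if key not in doc:
            problems.append(f"missing required field: {key}")
    for key in REQUIRED_KEYS + OPTIONAL_URL_KEYS:
        value = doc.get(key)
        if value is not None and urlsplit(value).scheme != "https":
            problems.append(f"{key} is not served over https: {value}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise the authorization code flow (response_type=code)")
    # token_endpoint_auth_methods_supported is optional; only check it when present.
    methods = doc.get("token_endpoint_auth_methods_supported")
    if methods is not None and client_auth not in methods:
        problems.append(f"token endpoint does not advertise {client_auth}")
    # scopes_supported is recommended, not required; only check it when present.
    scopes = doc.get("scopes_supported")
    if scopes is not None:
        missing = [s for s in default_scopes.split() if s not in scopes]
        if missing:
            problems.append("default scopes not advertised: " + ", ".join(missing))
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", ["RS256"]):
        problems.append("provider does not sign ID tokens with RS256")
    return problems


def tampered_copy(doc: dict) -> dict:
    """Invented negative example: downgrade the token endpoint to http and drop jwks_uri."""
    bad = dict(doc)
    bad["token_endpoint"] = "http://" + bad["token_endpoint"][len("https://"):]
    bad.pop("jwks_uri", None)
    return bad


SAMPLE_METADATA = parse_oidc_metadata(SAMPLE_METADATA_TEXT)

if __name__ == "__main__":
    print("sample document problems:", validate_oidc_metadata(SAMPLE_METADATA))
    print("tampered document problems:", validate_oidc_metadata(tampered_copy(SAMPLE_METADATA)))
```

To check a real document, save the JSON returned by the OpenID Connect metadata document URL recorded earlier and pass its text to `parse_oidc_metadata` before calling `validate_oidc_metadata`; any problem listed is a reason to revisit the Azure app registration before importing into Keycloak.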

Verify the Login

After completing Add Azure Credentials to Wallaroo, the login can be verified through the following steps. This process will need to be completed the first time a user logs into the Wallaroo instance after the Azure Identity Provider settings are added.

  1. Go to the Wallaroo instance login page. The Azure Identity Provider will be displayed under the username and password request based on the Display Name set in the Add Azure Credentials to Wallaroo step.

  2. Select the Azure Identity Provider to log in.

    Azure Login
  3. For the first login, grant permission to the application. You may be required to select which Microsoft Azure account is being used to authenticate.

    Azure Grant Permissions

Once complete, the new user will be added to the Wallaroo instance.