
Single Sign On (SSO)

Mission Control uses Kratos for identity management. Login via email/password is the default flow, but any OIDC provider supported by Kratos can be used instead.

See Providers for more details on supported providers.

Microsoft Entra (Azure AD)

  1. Create a new Azure Entra App Registration

    • Add a new app from Azure AD App Registration
    • Record the Client ID (Application ID) in the Overview page
    • Add an allowed redirect URI of https://<ingress>/api/.ory/self-service/methods/oidc/callback/microsoft where <ingress> is the global.ui.host value specified during setup
    • Token Configuration
      • Add the email optional claim
      • Add a groups claim if you want to map Azure AD Group Membership to roles in Mission Control
    • Certificates & Secrets
      • Create a new client secret
  2. Get the Tenant ID (Directory ID) from Directories

  3. Create a Jsonnet claims mapper. Jsonnet is used to map the claims provided by Azure AD onto the Kratos identity schema.

    local claims = std.extVar('claims');
    {
      identity: {
        traits: {
          name: {
            // only emit a field when the corresponding claim is present
            [if 'given_name' in claims then 'first' else null]: claims.given_name,
            [if 'family_name' in claims then 'last' else null]: claims.family_name,
          },

          // group membership arrives in raw_claims when the groups claim is configured
          [if 'raw_claims' in claims && 'groups' in claims.raw_claims then 'groups' else null]: claims.raw_claims.groups,

          // email may be carried by either claim; a single computed key avoids the
          // Jsonnet "duplicate field" error when both are present (email wins)
          [if 'email' in claims || 'preferred_username' in claims then 'email' else null]:
            if 'email' in claims then claims.email else claims.preferred_username,
        },
      },
    }

    See MS Entra ID Tokens

  4. Update the Helm values. Create the mapper_url by Base64-encoding the Jsonnet file and prefixing the result with base64://

    values.yaml
    kratos:
      selfservice:
        methods:
          oidc:
            enabled: true
            config:
              providers:
                - id: microsoft
                  provider: microsoft
                  microsoft_tenant: # The Azure AD Tenant Id
                  client_id: #...
                  client_secret: #...
                  mapper_url: base64:// #base64 encoded jsonnet schema
                  scope:
                    - email
                    - openid
                    - profile

  5. Optionally, create a CEL expression to map identities from the OIDC provider to a Mission Control role and team. The following script maps every Azure user whose groups trait contains "sre" to the admin role and everyone else to the viewer role.

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: azure-identity-mapper
    data:
      script: >
        {
          "role": "sre" in identity.traits.groups ? "admin" : "viewer"
        }

    See Identity Mapper Schema & RBAC

  6. Supply the identity mapper script to Mission Control.

    values.yaml
    identityRoleMapper:
      configMap:
        name: "azure-identity-mapper"
        key: "script"
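To tie the steps together, here is an added Python example (not part of Mission Control or Kratos) that builds the mapper_url from the Jsonnet text as in step 4, derives the redirect URI from step 1, and cross-checks a providers entry for the inconsistencies that most often break the login flow: Kratos serves the callback at .../callback/<provider id>, so the URI registered in Entra must match the id field exactly, the scope list must carry the three scopes above, and the mapper_url must decode. The host name, the sample mapper text and the placeholder identifiers are constructed for the example.

```python
import base64
from urllib.parse import urlparse

# Values taken from the steps above; everything else in this file is constructed
CALLBACK_PATH = "/api/.ory/self-service/methods/oidc/callback/"
REQUIRED_SCOPES = ("openid", "email", "profile")
MAPPER_PREFIX = "base64://"


def build_mapper_url(jsonnet_text: str) -> str:
    """Step 4: base64-encode the Jsonnet mapper and prefix it with base64://.

    base64.b64encode never inserts line breaks, so the result is a single token
    that can be pasted as a YAML scalar (GNU `base64` wraps at 76 columns unless
    run with -w0, which would corrupt the value).
    """
    encoded = base64.b64encode(jsonnet_text.encode("utf-8")).decode("ascii")
    return MAPPER_PREFIX + encoded


def decode_mapper_url(mapper_url: str) -> str:
    """Inverse of build_mapper_url; raises ValueError on a malformed value."""
    if not mapper_url.startswith(MAPPER_PREFIX):
        raise ValueError("mapper_url must start with " + MAPPER_PREFIX)
    payload = mapper_url[len(MAPPER_PREFIX):]
    if not payload:
        raise ValueError("mapper_url carries no encoded mapper")
    # validate=True rejects stray characters; binascii.Error is a ValueError subclass
    return base64.b64decode(payload, validate=True).decode("utf-8")


def redirect_uri(ingress_host: str, provider_id: str) -> str:
    """Step 1: the callback URI Kratos serves for a provider, which must be
    registered verbatim as an allowed redirect URI in the app registration."""
    return f"https://{ingress_host}{CALLBACK_PATH}{provider_id}"


def check_provider(provider: dict, ingress_host: str, registered_redirect_uris: list) -> list:
    """Cross-check one `providers:` entry against the Entra app registration.

    Returns a list of findings; an empty list means the entry is consistent.
    """
    findings = []
    expected = redirect_uri(ingress_host, provider.get("id", ""))
    if expected not in registered_redirect_uris:
        findings.append(f"redirect URI {expected} is not registered for this app")
    for uri in registered_redirect_uris:
        if urlparse(uri).scheme != "https":
            findings.append(f"registered redirect URI {uri} is not https")
    for key in ("microsoft_tenant", "client_id", "client_secret"):
        if not provider.get(key):
            findings.append(f"{key} is empty")
    missing = [s for s in REQUIRED_SCOPES if s not in provider.get("scope", [])]
    if missing:
        findings.append("scope is missing " + ", ".join(missing))
    try:
        decode_mapper_url(provider.get("mapper_url", ""))
    except ValueError as exc:
        findings.append(f"mapper_url is unusable: {exc}")
    return findings


# Constructed sample inputs; identifiers are placeholders, not real tenant values
SAMPLE_MAPPER = "local claims = std.extVar('claims');\n{ identity: { traits: {} } }\n"
SAMPLE_HOST = "mission-control.example.com"
SAMPLE_PROVIDER = {
    "id": "microsoft",
    "provider": "microsoft",
    "microsoft_tenant": "<tenant-id-placeholder>",
    "client_id": "<client-id-placeholder>",
    "client_secret": "<client-secret-placeholder>",
    "mapper_url": build_mapper_url(SAMPLE_MAPPER),
    "scope": list(REQUIRED_SCOPES),
}

if __name__ == "__main__":
    registered = [redirect_uri(SAMPLE_HOST, "microsoft")]
    print("findings:", check_provider(SAMPLE_PROVIDER, SAMPLE_HOST, registered) or "none")
```

Run the check whenever the provider id, the ingress host or the mapper changes; a renamed provider id silently changes the callback path, and the first symptom is a redirect URI mismatch error from Entra rather than anything in Kratos logs.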