---
myst:
html_meta:
"description lang=en": "Microsoft Public OpenID setup guide for Workspaces authentication."
"keywords": "Kasm, Microsoft, Public, OpenID, OIDC"
"property=og:locale": "en_US"
---
```{title} Microsoft (Public) OpenID Setup
```
## Microsoft (Public) OpenID Setup
```{include} /guide/oidc/warning.md
```
This guide walks through a basic setup allowing Microsoft users to authenticate with your Kasm deployment.
Reference Docs:
-
-
### Creating a Microsoft OAuth App
1. Login to the Microsoft Azure Portal:
2. Select **Azure Active Directory**.
```{figure} /images/oidc/microsoft/azure_ad.png
:align: center
**Azure Active Directory**
```
3. Select **App Registrations**.
```{figure} /images/oidc/microsoft/app_registrations.png
:align: center
**App Registration**
```
4. Select New Registration.
5. Give the app a Name (e.g {code}`Kasm`).
6. In the **Supported account types** select **Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)**.
```{warning}
In this example, we walk through creating an integration where any Microsoft user can auth with the Kasm app. This is ideal for a public
facing deployment. Other options are available for single-tenant and multi-tenant configurations.
```
```{figure} /images/oidc/microsoft/register_app.png
:align: center
**Register App**
```
7. On the next page, the **Application (client) ID** is shown, save this value as the Client ID to be used in the next section.
8. Select **Add a certificate or secret** next to **Client credentials**.
```{figure} /images/oidc/microsoft/client_credentials.png
:align: center
**Client Credentials**
```
09. Select the **Client secrets** tab, then slick **New client secret**.
10. Enter a description and expiration then click **Add**.
11. The credentials are shown, save the **Value** as the **Client Secret** to be used in the next section.
```{figure} /images/oidc/microsoft/client_secret.png
:align: center
**Client Secret**
```
12. Select **Token configuration**.
13. Select **Add Optional Claim**
14. Under **Token Type** select **ID**, then check the box for **sid**. Click **Add**.
``` {figure} /images/oidc/microsoft/sid_claim.webp
:align: center
**SID Claim**
```
15. Select **Authentication**
16. In **Front-channel Logout URL**, provide the Kasm `/api/oidc_frontchannel_logout` endpoint as shown. Click **Save**.
```{figure} /images/oidc/microsoft_internal/frontchannel_endpoint.webp
:align: center
**Front-channel Logout URL**
```
### Kasm OpenID Config
1. Log into the Kasm UI as an administrator.
2. Select **Access Management** -> **Authentication** -> **OpenID** -> **Add Config**.
3. Update the form with the following entries, using the **Client ID** and **Client Secret** gathered in the previous section.
```{eval-rst}
+-------------------------------------------+------------------------------------------------------------------------+
| **Property** | **Value** |
+-------------------------------------------+------------------------------------------------------------------------+
| **Enabled** | Checked |
+-------------------------------------------+------------------------------------------------------------------------+
| **Display Name** | Continue with Microsoft |
+-------------------------------------------+------------------------------------------------------------------------+
| **Logo URL** | :code:`https://www.microsoft.com/favicon.ico` |
+-------------------------------------------+------------------------------------------------------------------------+
| **Auto Login** | Unchecked |
+-------------------------------------------+------------------------------------------------------------------------+
| **Hostname** | |
+-------------------------------------------+------------------------------------------------------------------------+
| **Default** | Checked |
+-------------------------------------------+------------------------------------------------------------------------+
| **Client ID** | |
+-------------------------------------------+------------------------------------------------------------------------+
| **Client Secret** | |
+-------------------------------------------+------------------------------------------------------------------------+
| **Authorization URL** | :code:`https://login.microsoftonline.com/common/oauth2/v2.0/authorize` |
+-------------------------------------------+------------------------------------------------------------------------+
| **Token URL** | :code:`https://login.microsoftonline.com/common/oauth2/v2.0/token` |
+-------------------------------------------+------------------------------------------------------------------------+
| **User Info URL** | :code:`https://graph.microsoft.com/oidc/userinfo` |
+-------------------------------------------+------------------------------------------------------------------------+
| **Scope** | :code:`openid` |
| | :code:`email` |
| | :code:`profile` |
+-------------------------------------------+------------------------------------------------------------------------+
| **Username Attribute** | :code:`email` |
+-------------------------------------------+------------------------------------------------------------------------+
| **Groups Attribute** | Unchecked |
+-------------------------------------------+------------------------------------------------------------------------+
| **Debug** | Unchecked |
+-------------------------------------------+------------------------------------------------------------------------+
| **Redirect URL** | :code:`https:///api/oidc_callback` |
+-------------------------------------------+------------------------------------------------------------------------+
| **OpenID Connect Issuer** | :code:`https://login.microsoftonline.com/common/v2.0` |
+-------------------------------------------+------------------------------------------------------------------------+
| **Logout with OIDC Provider** | Checked |
+-------------------------------------------+------------------------------------------------------------------------+
| **Enable OIDC SLO Frontchannel Endpoint** | Checked |
+-------------------------------------------+------------------------------------------------------------------------+
```
```{figure} /images/oidc/microsoft/kasm_oidc_configuration.webp
:align: center
**Kasm OIDC Configurations**
```
6. Click **Save** to save the changes.
### Microsoft Login Test
1. Logout of the Kasm to display the login screen. The OpenID configuration should be shown.
```{figure} /images/oidc/microsoft/login.webp
:align: center
**Login Screen**
```
2. Click **Continue with Microsoft**
3. The user is redirected to Microsoft for auth.
```{figure} /images/oidc/microsoft/authorization.png
:align: center
**Microsoft Auth**
```
4. Upon completion, the user is logged into the Kasm app.