---
myst:
html_meta:
"description lang=en": "Microsoft Internal OpenID setup guide for Workspaces authentication."
"keywords": "Kasm, Microsoft, Private, Internal, OpenID, OIDC"
"property=og:locale": "en_US"
---
```{title} Microsoft (Internal) OpenID Setup
```
## Microsoft (Internal) OpenID Setup
This guide walks through a basic setup allowing Microsoft users to authenticate with your Kasm deployment.
### Creating a Microsoft OAuth App
01. Log in to the Microsoft Azure Portal:
02. Select **Azure Active Directory**.
```{figure} /images/oidc/microsoft/azure_ad.png
:align: center
**Azure Active Directory**
```
03. Select **App Registrations**.
```{figure} /images/oidc/microsoft/app_registrations.png
:align: center
**App Registration**
```
04. Select New Registration.
05. Give the app a Name (e.g. {code}`Kasm`).
06. In the **Supported account types** select **Accounts in this organizational directory only...**.
```{figure} /images/oidc/microsoft_internal/register_app.png
:align: center
**Register App**
```
07. On the next page, the **Application (client) ID** is shown; save this value as the Client ID to be used in the next section.
08. Select **Endpoints**. Note the **OAuth 2.0 authorization endpoint (v2)**, **OAuth 2.0 token endpoint (v2)**, and **OpenID Connect metadata document** values to be used in the next section.
09. Select **Add a certificate or secret** next to **Client credentials**.
```{figure} /images/oidc/microsoft/client_credentials.png
:align: center
**Client Credentials**
```
10. Select the **Client secrets** tab, then click **New client secret**.
11. Enter a description and expiration then click **Add**.
12. The credentials are shown; save the **Value** as the **Client Secret** to be used in the next section.
```{figure} /images/oidc/microsoft/client_secret.png
:align: center
**Client Secret**
```
13. Select **Token configuration**.
14. Select **Add groups claim**.
15. Check **Security groups**, then click **Add**.
```{figure} /images/oidc/microsoft_internal/group_claims.png
:align: center
**Group Claims**
```
16. Select **Add Optional Claim**.
17. Under **Token Type** select **ID**, then check the box for **sid**. Click **Add**.
```{figure} /images/oidc/microsoft_internal/sid_claim.webp
:align: center
**SID Claim**
```
```{figure} /images/oidc/microsoft_internal/all_claims_added.png
:align: center
**Claims Configured**
```
18. Select **Authentication**.
19. In **Front-channel Logout URL**, provide the Kasm `/api/oidc_frontchannel_logout` endpoint as shown. Click **Save**.
```{figure} /images/oidc/microsoft_internal/frontchannel_endpoint.webp
:align: center
**Front-channel Logout URL**
```
20. In another browser tab, navigate to the **OpenID Connect metadata document** URL saved earlier. Find and save the value of the `"issuer"` field in the response, to be used in the next section.
### Kasm OpenID Config
1. Log into the Kasm UI as an administrator.
2. Select **Access Management** -> **Authentication** -> **OpenID** -> **Add Config**.
3. Update the form with the following entries, using the **Client ID** and **Client Secret** gathered in the previous section.
```{eval-rst}
+-------------------------------------------+------------------------------------------------------------------------+
| **Property** | **Value** |
+-------------------------------------------+------------------------------------------------------------------------+
| **Enabled** | Checked |
+-------------------------------------------+------------------------------------------------------------------------+
| **Display Name** | Continue with Microsoft |
+-------------------------------------------+------------------------------------------------------------------------+
| **Logo URL** | :code:`https://www.microsoft.com/favicon.ico` |
+-------------------------------------------+------------------------------------------------------------------------+
| **Auto Login** | Unchecked |
+-------------------------------------------+------------------------------------------------------------------------+
| **Hostname** | |
+-------------------------------------------+------------------------------------------------------------------------+
| **Default** | Checked |
+-------------------------------------------+------------------------------------------------------------------------+
| **Client ID** | |
+-------------------------------------------+------------------------------------------------------------------------+
| **Client Secret** | |
+-------------------------------------------+------------------------------------------------------------------------+
| **Authorization URL** | |
+-------------------------------------------+------------------------------------------------------------------------+
| **Token URL** | |
+-------------------------------------------+------------------------------------------------------------------------+
| **User Info URL** | :code:`https://graph.microsoft.com/oidc/userinfo` |
+-------------------------------------------+------------------------------------------------------------------------+
| **Scope** | :code:`openid` |
| | :code:`email` |
| | :code:`profile` |
+-------------------------------------------+------------------------------------------------------------------------+
| **Username Attribute** | :code:`email` |
+-------------------------------------------+------------------------------------------------------------------------+
| **Groups Attribute** | :code:`groups` |
+-------------------------------------------+------------------------------------------------------------------------+
| **Debug** | Unchecked |
+-------------------------------------------+------------------------------------------------------------------------+
| **Redirect URL** | :code:`https:///api/oidc_callback` |
+-------------------------------------------+------------------------------------------------------------------------+
| **OpenID Connect Issuer** | |
+-------------------------------------------+------------------------------------------------------------------------+
| **Logout with OIDC Provider** | Checked |
+-------------------------------------------+------------------------------------------------------------------------+
| **Enable OIDC SLO Frontchannel Endpoint** | Checked |
+-------------------------------------------+------------------------------------------------------------------------+
```
```{figure} /images/oidc/microsoft_internal/kasm_oidc_configuration.webp
:align: center
**Kasm OIDC Configurations**
```
4. Click **Save** to save the changes.
### Microsoft Login Test
1. Log out of Kasm to display the login screen. The OpenID configuration should be shown.
```{figure} /images/oidc/microsoft/login.webp
:align: center
**Login Screen**
```
2. Click **Continue with Microsoft**.
3. The user is redirected to Microsoft for auth.
```{figure} /images/oidc/microsoft/authorization.png
:align: center
**Microsoft Auth**
```
4. Upon completion, the user is logged into the Kasm app.
### Group Mapping
The previous configuration instructs the identity provider to send the list of **Security Group IDs** the user belongs to during
the OpenID auth workflow. Kasm Groups can be configured with the Security Group IDs from Azure AD so that users are automatically added to or removed from them
based on their Azure AD group membership.
1. Log into the Kasm UI as an administrator.
2. Select **Access Management** -> **Groups** -> **Add Group**.
3. Name the Group **Group Test**, and define a priority.
4. Click **Save** to create the group.
```{figure} /images/oidc/microsoft_internal/groups.webp
:align: center
**Add Group**
```
5. On the groups screen, use the arrow menu to select **Edit** on the group that was just created.
6. Navigate to the **SSO Group Mappings** tab and select **Add SSO Mapping**.
7. For the **SSO Provider**, select the OpenID IdP created above ("OpenID - Continue with Microsoft").
8. Enter the desired Azure AD security group ID in the **Group Attributes** field.
```{figure} /images/oidc/microsoft_internal/sso_group_mapping.webp
:align: center
**Add SSO Group Mapping**
```
9. Click **Submit**.
10. Log out, then log in via the Microsoft OpenID login with a user that is a member of the specified group.
11. View the user's group membership to confirm they were added to the newly created group.
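To illustrate what the configuration above asks the relying party to do with the token, here is an added example (not Kasm's own code) that takes the decoded claims of an ID token and, using the Username Attribute, Groups Attribute and SSO group mappings from this guide, checks the issuer and audience and works out which Kasm groups the user should land in. All GUIDs, the tenant, the client ID and the claim values are constructed placeholders; the token is assumed to have had its signature verified already.

```python
# Constructed sample: the decoded payload of an ID token as the Microsoft
# identity platform issues it for a single-tenant app with the groups and sid
# claims enabled. All GUIDs below are placeholders, not real identifiers.
SAMPLE_ID_TOKEN_CLAIMS = {
    "iss": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
    "aud": "11111111-1111-1111-1111-111111111111",
    "email": "alice@example.com",
    "sid": "22222222-2222-2222-2222-222222222222",
    "groups": [  # object IDs of the user's Azure AD security groups
        "33333333-3333-3333-3333-333333333333",
        "44444444-4444-4444-4444-444444444444",
    ],
}

# Constructed settings mirroring the Kasm OpenID config table (issuer and
# client ID from the Azure app) and two SSO group mappings, each keyed by the
# Azure AD security group ID entered in the Group Attributes field.
KASM_OIDC_CONFIG = {
    "issuer": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
    "client_id": "11111111-1111-1111-1111-111111111111",
    "username_attribute": "email",
    "groups_attribute": "groups",
}
SSO_GROUP_MAPPINGS = {
    "Group Test": "33333333-3333-3333-3333-333333333333",
    "Admins": "55555555-5555-5555-5555-555555555555",
}


def resolve_login(claims, config, mappings):
    """Return (username, sorted Kasm group names) for an already signature-verified
    ID token, or raise ValueError when the token cannot be trusted or mapped."""
    # A single-tenant app must only accept tokens from its own tenant's issuer,
    # and only tokens minted for this client ID.
    if claims.get("iss") != config["issuer"]:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != config["client_id"]:
        raise ValueError("audience mismatch")
    username = claims.get(config["username_attribute"])
    if not username:
        raise ValueError("username attribute missing from token")
    # When a user belongs to more groups than fit in the token, Azure AD omits
    # the groups claim and emits _claim_names/_claim_sources instead; treating
    # that as "no groups" would silently drop the user's mapped Kasm groups.
    if config["groups_attribute"] in claims.get("_claim_names", {}):
        raise ValueError("groups overage: claim omitted, fetch groups via Graph")
    token_groups = set(claims.get(config["groups_attribute"], []))
    kasm_groups = sorted(name for name, gid in mappings.items() if gid in token_groups)
    return username, kasm_groups
```

The overage branch is the case to watch when testing group mapping with heavily nested or numerous group memberships: the token then carries no `groups` claim at all, so a user can appear to have no mapped groups even though the mapping is correct.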