Microsoft (Public) OpenID Setup

Warning

Be mindful when configuring OpenID providers that are public. Any user that can successfully authenticate with the provider will have access to your deployment of Kasm Workspaces. While access to Kasm Workspace apps and desktops can be resitricted with Kasm group permissions, any user of the public authentication provider would still be able to login to your deployment of Kasm. It is recommended to use a private OpenID provider unless your intention is to allow authentictioned access to all users of the OpenID platform provider.

This guide walks through a basic setup allowing Microsoft users to authenticate with your Kasm deployment.

Reference Docs:

Creating a Microsoft OAuth App

  1. Login to the Microsoft Azure Portal: https://portal.azure.com/

  2. Select Azure Active Directory.

../../_images/azure_ad.png

Azure Active Directory

  1. Select App Registrations.

../../_images/app_registrations.png

App Registration

  1. Select New Registration.

  2. Give the app a Name (e.g Kasm).

  3. In the Supported account types select Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox).

Warning

In this example, we walk through creating an integration where any Microsoft user can auth with the Kasm app. This is ideal for a public facing deployment. Other options are available for single-tenant and multi-tenant configurations.

../../_images/register_app.png

Register App

  1. On the next page, the Application (client) ID is shown, save this value as the Client ID to be used in the next section.

  2. Select Add a certificate or secret next to Client credentials.

../../_images/client_credentials.png

Client Credentials

  1. Select the Client secrets tab, then slick New client secret.

  2. Enter a description and expiration then click Add.

  3. The credentials are shown, save the Value as the Client Secret to be used in the next section.

../../_images/client_secret2.png

Client Secret

  1. Select Token configuration.

  2. Select Add Optional Claim

  3. Under Token Type select ID, then check the box for sid. Click Add.

../../_images/sid_claim.webp

SID Claim

  1. Select Authentication

  2. In Front-channel Logout URL, provide the Kasm /api/oidc_frontchannel_logout endpoint as shown. Click Save.

../../_images/frontchannel_endpoint.webp

Front-channel Logout URL

Kasm OpenID Config

  1. Log into the Kasm UI as an administrator.

  2. Select Access Management -> Authentication -> OpenID -> Add Config.

  3. Update the form with the following entries, using the Client ID and Client Secret gathered in the previous section.

Property

Value

Enabled

Checked

Display Name

Continue with Microsoft

Logo URL

https://www.microsoft.com/favicon.ico

Auto Login

Unchecked

Hostname

<Empty>

Default

Checked

Client ID

<Client ID From Microsoft OAuth App>

Client Secret

<Client Secret from Microsoft OAuth App>

Authorization URL

https://login.microsoftonline.com/common/oauth2/v2.0/authorize

Token URL

https://login.microsoftonline.com/common/oauth2/v2.0/token

User Info URL

https://graph.microsoft.com/oidc/userinfo

Scope

openid email profile

Username Attribute

email

Groups Attribute

Unchecked

Debug

Unchecked

Redirect URL

https://<Kasm hostname>/api/oidc_callback

OpenID Connect Issuer

https://login.microsoftonline.com/common/v2.0

Logout with OIDC Provider

Checked

Enable OIDC SLO Frontchannel Endpoint

Checked
../../_images/kasm_oidc_configuration4.webp

Kasm OIDC Configurations

  1. Click Save to save the changes.

Microsoft Login Test

  1. Logout of the Kasm to display the login screen. The OpenID configuration should be shown.

../../_images/login4.webp

Login Screen

  1. Click Continue with Microsoft

  2. The user is redirected to Microsoft for auth.

../../_images/authorization4.png

Microsoft Auth

  1. Upon completion, the user is logged into the Kasm app.