Microsoft (Internal) OpenID Setup

This guide walks through a basic setup allowing Microsoft users to authenticate with your Kasm deployment.

Reference Docs:

Creating a Microsoft OAuth App

  1. Login to the Microsoft Azure Portal: https://portal.azure.com/

  2. Select Azure Active Directory.

    ../../_images/azure_ad.png

    Azure Active Directory

  3. Select App Registrations.

    ../../_images/app_registrations.png

    App Registration

  4. Select New Registration.

  5. Give the app a Name (e.g Kasm)

  6. In the Supported account types select Accounts in this organizational directory only….

    ../../_images/register_app1.png

    Register App

  7. On the next page, the Application (client) ID is shown, save this value as the Client ID to be used in the next section.

  8. Select Endpoints. Note the OAuth 2.0 authorization endpoint (v2) and OAuth 2.0 token endpoint (v2) values to be used in the next section.

  9. Select Add a certificate or secret next to Client credentials.

    ../../_images/client_credentials.png

    Client Credentials

  10. Select the Client secrets tab, then slick New client secret.

  11. Enter a description and expiration then click Add.

  12. The credentials are shown, save the Value as the Client Secret to be used in the next section.

    ../../_images/client_secret2.png

    Client Secret

  13. Select Token configuration.

  14. Select Add group claims.

  15. Check Security groups, then click Save.

    ../../_images/group_claims.png

    Group Claims

Kasm OpenID Config

  1. Log into the Kasm UI as an administrator.

  2. Select Authentication -> OpenID -> Create New Configuration.

  3. Update the form with the following entries, using the Client ID and Client Secret gathered in the previous section.

    Property

    Value

    Display Name

    Continue with Microsoft

    Logo URL

    https://www.microsoft.com/favicon.ico

    Enabled

    Checked

    Auto Login

    Unchecked

    Hostname

    <Empty>

    Default

    Checked

    Client ID

    <Client ID From Microsoft OAuth App>

    Client Secret

    <Client Secret from Microsoft OAuth App>

    Authorization URL

    <OAuth 2.0 authorization endpoint (v2) value from Microsoft OAuth App>

    Token URL

    <OAuth 2.0 token endpoint (v2) value fom Microsoft OAuth App>

    User Info URL

    https://graph.microsoft.com/oidc/userinfo

    Scope

    openid email profile

    Username Attribute

    email

    Groups Attribute

    groups

    Debug

    Unchecked

    ../../_images/kasm_oidc_configuration4.png

    Kasm OIDC Configurations

  1. Click Submit to save the changes.

Microsoft Login Test

  1. Logout of the Kasm to display the login screen. The OpenID configuration should be shown.

    ../../_images/login4.png

    Login Screen

  2. Click Continue with Microsoft

  3. The user is redirected to Microsoft for auth.

    ../../_images/authorization3.png

    Microsoft Auth

  4. Upon completion, the user is logged into the Kasm app.

Group Mapping

The previous configurations will instruct the identity provider to send a list of Security Group ID the user belongs to during the OpenID auth workflow. We can configure Kasm Groups with the Security Group IDs from Azure AD so that users are automatically added/removed based on their Azure AD group Membership.

  1. Log into the Kasm UI as an administrator.

  2. Select Groups -> Add Group.

  3. Name the Group Group Test, and define a priority.

  4. Click Submit to create the group.

../../_images/groups1.png

Add Group

  1. On the groups screen, using the three dot menu select View on the group that was just created.

  2. Scroll to the bottom of the screen and select Add SSO Mapping.

  3. Select the OpenID IDP that was created above “OpenID - Continue with Microsoft” for the SSO Provider.

  4. Then enter the Azure AD security group ID desired in the Group Attributes field.

../../_images/sso_group_mapping1.png

Add SSO Group Mapping

  1. Click Add

  2. Logout, then login via the Microsoft Open ID login with a user that is a member of the specified group.

  3. View the users group membership to ensure they are added to the newly created group.