---
myst:
  html_meta:
    "description lang=en": "Microsoft Public OpenID setup guide for Workspaces authentication."
    "keywords": "Kasm, Microsoft, Public, OpenID, OIDC"
    "property=og:locale": "en_US"
---

```{title} Microsoft (Public) OpenID Setup
```

## Microsoft (Public) OpenID Setup

```{include} /guide/oidc/warning.md
```

This guide walks through a basic setup that allows Microsoft users to authenticate with your Kasm deployment.

Reference Docs:

-
-

### Creating a Microsoft OAuth App

1. Log in to the Microsoft Azure Portal:
2. Select **Azure Active Directory**.

   ```{figure} /images/oidc/microsoft/azure_ad.png
   :align: center

   **Azure Active Directory**
   ```

3. Select **App Registrations**.

   ```{figure} /images/oidc/microsoft/app_registrations.png
   :align: center

   **App Registration**
   ```

4. Select New Registration.
5. Give the app a Name (e.g. {code}`Kasm`).
6. Under **Supported account types**, select **Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)**.

   ```{warning}
   In this example, we walk through creating an integration where any Microsoft user can authenticate with the Kasm app.
   This is ideal for a public-facing deployment. Other options are available for single-tenant and multi-tenant
   configurations.
   ```

   ```{figure} /images/oidc/microsoft/register_app.png
   :align: center

   **Register App**
   ```

7. On the next page, the **Application (client) ID** is shown. Save this value as the Client ID to be used in the next section.
8. Select **Add a certificate or secret** next to **Client credentials**.

   ```{figure} /images/oidc/microsoft/client_credentials.png
   :align: center

   **Client Credentials**
   ```

9. Select the **Client secrets** tab, then click **New client secret**.
10. Enter a description and expiration, then click **Add**.
11. The credentials are shown. Save the **Value** as the **Client Secret** to be used in the next section.

    ```{figure} /images/oidc/microsoft/client_secret.png
    :align: center

    **Client Secret**
    ```

### Kasm OpenID Config

1. Log into the Kasm UI as an administrator.
2. Select **Access Management** -> **Authentication** -> **OpenID** -> **Add Config**.
3. Update the form with the following entries, using the **Client ID** and **Client Secret** gathered in the previous section.

   ```{eval-rst}
   +------------------------+--------------------------------------------------------------------------------+
   | **Property**           | **Value**                                                                      |
   +------------------------+--------------------------------------------------------------------------------+
   | **Display Name**       | Continue with Microsoft                                                        |
   +------------------------+--------------------------------------------------------------------------------+
   | **Logo URL**           | :code:`https://www.microsoft.com/favicon.ico`                                  |
   +------------------------+--------------------------------------------------------------------------------+
   | **Enabled**            | Checked                                                                        |
   +------------------------+--------------------------------------------------------------------------------+
   | **Auto Login**         | Unchecked                                                                      |
   +------------------------+--------------------------------------------------------------------------------+
   | **Hostname**           |                                                                                |
   +------------------------+--------------------------------------------------------------------------------+
   | **Default**            | Checked                                                                        |
   +------------------------+--------------------------------------------------------------------------------+
   | **Client ID**          |                                                                                |
   +------------------------+--------------------------------------------------------------------------------+
   | **Client Secret**      |                                                                                |
   +------------------------+--------------------------------------------------------------------------------+
   | **Authorization URL**  | :code:`https://login.microsoftonline.com/common/oauth2/v2.0/authorize`         |
   +------------------------+--------------------------------------------------------------------------------+
   | **Token URL**          | :code:`https://login.microsoftonline.com/common/oauth2/v2.0/token`             |
   +------------------------+--------------------------------------------------------------------------------+
   | **User Info URL**      | :code:`https://graph.microsoft.com/oidc/userinfo`                              |
   +------------------------+--------------------------------------------------------------------------------+
   | **Scope**              | :code:`openid`                                                                 |
   |                        | :code:`email`                                                                  |
   |                        | :code:`profile`                                                                |
   +------------------------+--------------------------------------------------------------------------------+
   | **Username Attribute** | :code:`email`                                                                  |
   +------------------------+--------------------------------------------------------------------------------+
   | **Groups Attribute**   | Unchecked                                                                      |
   +------------------------+--------------------------------------------------------------------------------+
   | **Debug**              | Unchecked                                                                      |
   +------------------------+--------------------------------------------------------------------------------+
   ```

   ```{figure} /images/oidc/microsoft/kasm_oidc_configuration.webp
   :align: center

   **Kasm OIDC Configurations**
   ```

4. Click **Save** to save the changes.

### Microsoft Login Test

1. Log out of Kasm to display the login screen. The OpenID configuration should be shown.

   ```{figure} /images/oidc/microsoft/login.webp
   :align: center

   **Login Screen**
   ```

2. Click **Continue with Microsoft**.
3. The user is redirected to Microsoft for authentication.

   ```{figure} /images/oidc/microsoft/authorization.png
   :align: center

   **Microsoft Auth**
   ```

4. Upon completion, the user is logged into the Kasm app.
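
The Authorization URL and Token URL in the Kasm OpenID config above use the `common` tenant segment, which is what opens sign-in to any Microsoft user. The following check is an added example, not part of Kasm or of the original guide: it reads the tenant segment from both endpoints and reports who can sign in and whether the form values are consistent. The dictionary keys mirror the form labels, the function names and the `public_deployment` flag are hypothetical, and the audience descriptions for `organizations` and `consumers` come from the Microsoft identity platform rather than from this page.

```python
from urllib.parse import urlparse

# Tenant segments that are not a single directory, and who each one admits.
AUDIENCES = {
    "common": "work/school accounts from any tenant and personal Microsoft accounts",
    "organizations": "work/school accounts from any tenant",
    "consumers": "personal Microsoft accounts only",
}

# Values from the table on this page (Client ID/Secret and Hostname omitted).
PAGE_CONFIG = {
    "Authorization URL": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "Token URL": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
    "Scope": ["openid", "email", "profile"],
    "Username Attribute": "email",
}


def tenant_segment(url):
    """Return the tenant segment of a v2.0 endpoint URL, or None if malformed."""
    parts = urlparse(url)
    path = parts.path.strip("/").split("/")
    if parts.scheme != "https" or parts.hostname != "login.microsoftonline.com":
        return None
    if len(path) != 4 or path[1:3] != ["oauth2", "v2.0"]:
        return None
    return path[0]


def audit_oidc_config(cfg, public_deployment=True):
    """Return (audience, findings) for a dict keyed like the Kasm form fields."""
    auth_t = tenant_segment(cfg["Authorization URL"])
    token_t = tenant_segment(cfg["Token URL"])
    if auth_t is None or token_t is None:
        return None, ["endpoint is not an https login.microsoftonline.com v2.0 URL"]
    findings = []
    if auth_t != token_t:
        findings.append(f"tenant mismatch: authorize={auth_t} token={token_t}")
    if auth_t in AUDIENCES and not public_deployment:
        findings.append(f"'{auth_t}' admits accounts outside your tenant")
    scopes = set(cfg["Scope"])
    if "openid" not in scopes:
        findings.append("scope 'openid' is missing")
    if cfg["Username Attribute"] == "email" and "email" not in scopes:
        findings.append("username attribute 'email' needs the 'email' scope")
    return AUDIENCES.get(auth_t, f"single tenant '{auth_t}'"), findings


if __name__ == "__main__":
    print(audit_oidc_config(PAGE_CONFIG))
```

Pass `public_deployment=False` when the Kasm deployment is meant for one organization; the check then flags `common`, `organizations` and `consumers` endpoints.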