
Single Sign On (SSO)

Mission Control uses Kratos for identity management. Login via email/password is the default flow, but any OIDC provider supported by Kratos can be used.

See Providers for more details on supported providers.

Microsoft Entra (Azure AD)

Create a new Azure Entra App Registration
  • Add a new app from Azure AD App Registration
  • Record the Client ID (Application ID) in the Overview page
  • Add an allowed redirect URI of https://<ingress>/api/.ory/self-service/methods/oidc/callback/microsoft where <ingress> is the global.ui.host value specified during setup
  • Token Configuration
    • Add the email optional claim
    • Add a groups claim if you want to map Azure AD Group Membership to roles in Mission Control
  • Certificates & Secrets
    • Create a new client secret
Get The Tenant ID

Record the Tenant ID (Directory ID) from the Directories page; it is the value used for microsoft_tenant in the Helm values below.

Create a Jsonnet claims mapper

Jsonnet is used to map the claims provided by Azure AD to the Kratos identity schema.

```jsonnet
local claims = std.extVar('claims');
{
  identity: {
    traits: {
      name: {
        [if 'given_name' in claims then 'first' else null]: claims.given_name,
        [if 'family_name' in claims then 'last' else null]: claims.family_name,
      },

      // Azure AD group membership arrives in raw_claims.groups once the groups claim is configured
      [if 'raw_claims' in claims && 'groups' in claims.raw_claims then 'groups' else null]: claims.raw_claims.groups,

      // Prefer the email claim and fall back to preferred_username. A single computed key is used
      // because Jsonnet rejects an object with two fields named 'email' when both claims are present.
      [if 'email' in claims || 'preferred_username' in claims then 'email' else null]:
        if 'email' in claims then claims.email else claims.preferred_username,
    },
  },
}
```

See MS Entra ID Tokens

Update the Helm values

Create the mapper_url by Base64-encoding the Jsonnet file and prefixing the result with base64://

values.yaml
```yaml
kratos:
  selfservice:
    methods:
      oidc:
        enabled: true
        config:
          providers:
            - id: microsoft
              provider: microsoft
              microsoft_tenant: # The Azure AD Tenant ID (Directory ID)
              client_id: # The Application (Client) ID from the app registration
              client_secret: # The client secret created under Certificates & Secrets
              mapper_url: base64:// # base64-encoded Jsonnet claims mapper
              scope:
                - email
                - openid
                - profile
```
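The two derived values in this procedure, the redirect URI built from global.ui.host and the base64:// mapper_url built from the Jsonnet file, are easy to get subtly wrong (a trailing newline in the Base64 output, a scheme or path in the host). The following is an added helper, not part of the Mission Control project, that produces both and decodes a mapper_url back so you can check what actually landed in values.yaml. The SAMPLE_MAPPER string is a constructed stand-in for a real mapper file; mapper_url_from_file and redirect_uri are hypothetical helper names.

```python
import base64

# Constructed sample input: a minimal Jsonnet claims mapper of the shape used on this page.
# It stands in for the real mapper file and is not the page's exact contents.
SAMPLE_MAPPER = """local claims = std.extVar('claims');
{
  identity: {
    traits: {
      [if 'email' in claims then 'email' else null]: claims.email,
    },
  },
}
"""

MAPPER_URL_PREFIX = "base64://"


def build_mapper_url(jsonnet_source: str) -> str:
    """Return the kratos mapper_url value: the Jsonnet source, Base64-encoded
    (standard alphabet, padded, no line breaks) and prefixed with base64://."""
    encoded = base64.b64encode(jsonnet_source.encode("utf-8")).decode("ascii")
    return MAPPER_URL_PREFIX + encoded


def mapper_url_from_file(path: str) -> str:
    """Convenience wrapper: build the mapper_url from a Jsonnet file on disk."""
    with open(path, "r", encoding="utf-8") as f:
        return build_mapper_url(f.read())


def decode_mapper_url(mapper_url: str) -> str:
    """Reverse of build_mapper_url; use it to verify the value in values.yaml.
    validate=True rejects stray whitespace or newlines, such as the trailing newline
    that `base64` prints when run without -w0, which Kratos would otherwise choke on."""
    if not mapper_url.startswith(MAPPER_URL_PREFIX):
        raise ValueError("mapper_url must start with base64://")
    payload = mapper_url[len(MAPPER_URL_PREFIX):]
    return base64.b64decode(payload, validate=True).decode("utf-8")


def redirect_uri(ingress_host: str, provider_id: str = "microsoft") -> str:
    """Redirect URI to register on the Entra app. ingress_host is the global.ui.host
    value (a bare host name); provider_id is the `id` of the provider entry in values.yaml."""
    if "://" in ingress_host or "/" in ingress_host:
        raise ValueError("ingress_host must be a bare host name such as mc.example.com")
    return f"https://{ingress_host}/api/.ory/self-service/methods/oidc/callback/{provider_id}"


if __name__ == "__main__":
    url = build_mapper_url(SAMPLE_MAPPER)
    print("mapper_url:", url)
    # Round-trip check: what is in values.yaml must decode to the mapper you wrote.
    assert decode_mapper_url(url) == SAMPLE_MAPPER
    print("redirect URI:", redirect_uri("mc.example.com"))
```

Run it against your real mapper with mapper_url_from_file("mapper.jsonnet") and paste the printed value into mapper_url. If decode_mapper_url raises on the value copied from values.yaml, the encoding picked up a line break or was truncated when pasted.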