Implementing Azure OIDC for Secure Authentication

Implementing Azure OIDC for Secure Authentication involves registering an application in the Azure portal to obtain a client ID and client secret. This is a crucial step in the process.

To start, you need to navigate to the Azure portal and sign in with your Azure account credentials. Make sure you have the necessary permissions to create and manage applications.

Once you've registered your application, you'll receive a client ID, which is a unique identifier for your application. This ID will be used in subsequent steps to authenticate users.

With your client ID in hand, you can now configure the OpenID Connect (OIDC) settings for your application. This involves specifying the authorization URL and token endpoint, which are used to authenticate users.

To set up Azure OIDC, you'll need to follow these steps. Azure Active Directory (Microsoft Entra ID) v1 and v2 have slightly different integration instructions, so make sure to note any differences as you go along.

In Azure Active Directory (Microsoft Entra ID), you'll need to register a new app and generate a relying party OAuth client secret. This is a crucial step in the OIDC setup process.

Here's a quick rundown of the steps to set up a relying party in Microsoft Entra ID:

To set up the OIDC identity provider in Single Sign‑On, you'll need to follow these steps. Select at least openid and profile when selecting supported scopes, and consider using scope profile to include preferred_username in the ID token.

Before you start setting up an Azure OIDC relying party, there are a few prerequisites you need to meet.

First, you must meet the prerequisites listed in the Microsoft Entra ID OIDC Integration Guide Overview. This will give you a solid foundation for the setup process.

To get started, you'll need to create a Service Plan in Single Sign-On. This is required to have the values for AUTH-DOMAIN and ORIGIN-KEY that are used to construct the Redirect URI necessary for the Azure Relying Party configuration.

You'll also need to familiarize yourself with the OAuth 2.0 and OpenID Connect protocols on the Microsoft identity platform.

For a smooth registration process, make sure to follow the Quickstart: Register an application with the Microsoft identity platform.

Domain Restrictions can be a bit tricky with Azure OIDC Setup. Azure AD doesn't provide identity tokens with the hd claim, so the OIDC plugin's domains configuration can't restrict users based on their domain.

This means you can't use Domain Restrictions to limit access to specific domains. However, using a single-tenant application will restrict access to users in your directory only.

If you have a multi-tenant app, users with Microsoft accounts from other directories and optionally any Microsoft account (e.g., live.com or Xbox accounts) can sign in. This is because multi-tenant apps allow users from other directories to access your app.

Here are some options to consider for restricting access further:

To set up additional claims, you'll need to enable optional claims in Microsoft Entra ID. This allows you to include more information in the ID token.

To do this, you'll need to set the Scope to include the additional claims. For example, you might set it to openid email profile. This will allow you to include the email address in the ID token.

You'll also need to set the Registration claims mapping and Login claims mapping additional site settings. This will determine how the additional claims are mapped to the user's profile. For example, you might set it to firstname=given_name,lastname=family_name.

Claims mapping is supported for text and boolean data types. This means you can include a wide range of information, from simple text fields to more complex boolean values.

Here's an example of how you might set up the Registration claims mapping and Login claims mapping additional site settings:

This will allow you to include the user's first name and last name in their profile, based on the information provided in the ID token.

Microsoft Configuration is a crucial step in setting up Azure OIDC. You'll need to register an app in your Azure AD configuration and add a client secret credential that Kong will use to access it.

To configure Azure AD, locate the Application ID string in the App registrations > Application name > Settings Page. This is used to set the Client ID in NeuVector.

The Issuer URL takes the format https://login.microsoftonline.com/{tenantID}/v2.0, where {tenantID} is the Directory ID found in Azure Active Directory > Properties Page.

To add group membership to the claim, modify the value of "groupMembershipClaims" to "Application Group" in the application manifest.

Here are the required permissions to be set from Microsoft Graph:

If you're using a large number of groups, using the value "Application Group" instead of "All" will reduce the number of applicable groups returned in the token.

To register a new app in Azure, you need to log in to your Azure account and navigate to Microsoft Entra ID > App registrations. From there, select + New registration to create a new application registration.

You'll need to enter a name of your choice in the Name field and select an option for Supported account types. Be sure to record this choice because your OIDC Discovery Metadata URL depends on it.

To create an app registration in Azure, you'll need to sign in to the Azure portal and search for and select Azure Active Directory. Under Manage, select App registrations and then select New registration.

You'll need to enter a name, select one of the Supported account types, and under Redirect URI, select Web as the platform and enter the reply URL of your site.

Here are the steps to create an app registration in Azure:

Once you've created the app registration, you'll need to copy the Application (client) ID and the Client secret, which can be located in Azure's Keys setting. The Client secret is used to authenticate the app and should be kept secure.

To generate a Relying Party OAuth Client Secret, navigate to the app's configuration page and select Certificates & secrets. Then, select + New client secret and provide a description and an expiration length that follows your security organization's guidelines.

Here are the permissions that need to be set from Microsoft Graph: