Skip to main content

Use Active Directory as Single Sign-On provider

Chainloop authentication backend is delegated to an OpenID Connect (OIDC) compatible Identity Provider (IdP) such as Google, GitHub, Auth0 or Azure Active Directory.

This guide will show you how to configure your Chainloop instance to run authentication over Azure Active Directory.

The process comprises two steps:

  1. Register a new App in your Azure Active Directory tenant
  2. Configure Chainloop deployment with the new OIDC settings

Register a new App

In your Azure console go to App registrations and click on New registration.

Fill out a descriptive name and your custom callback URL that should point to your instance of Chainloop control plane.

Once done, take note of the generated Application (client) ID and the tenant ID.

Next Create a new client secret and copy the generated value by clicking on "Certificate & secrets" > "New client secret"

Once done, copy the "value" which will be used as the clientSecret in the next step.

Configure Chainloop deployment

As explained in the deployment guide, Open ID Connect configuration is done using the auth.oidc section of the values.yaml file.

Use the ClientID, Secret and URL from the previous step to configure the OIDC backend as shown below

auth:
  oidc:
    url: https://login.microsoftonline.com/[TENANT_ID]/v2.0
    clientID: [APP-CLIENT-ID]
    clientSecret: "[APP-CLIENT-SECRET]"

And deploy your Chainloop Control Plane with the update values to take effect.

Finally give it a try by running chainloop auth login and that's all! Your Chainloop users are now authenticated against your Active Directory tenant.