Skip to main content
Chainloop authentication backend is delegated to an OpenID Connect (OIDC) compatible Identity Provider (IdP) such as Google, GitHub, Auth0 or Azure Active Directory. This guide will show you how to configure your Chainloop instance to run authentication over Azure Active Directory. The process comprises two steps:
  1. Register a new App in your Azure Active Directory tenant
  2. Configure Chainloop deployment with the new OIDC settings

Register a new App

In your Azure console go to App registrations and click on New registration. Register a new App Fill out a descriptive name and your custom callback URL that should point to your instance of Chainloop control plane. Register a new App Once done, take note of the generated Application (client) ID and the tenant ID. Register a new App

Create a new client secret

Next Create a new client secret and copy the generated value by clicking on “Certificate & secrets” > “New client secret” Register a new App Once done, copy the “value” which will be used as the clientSecret in the next step. Register a new App

Setup ODIC claims

Finally, we need to configure the OIDC claims that Chainloop will use to show information about the user. Specifically, we need to set the given_name and family_name claims. This option can be found in the Token configuration section of your app registration. Choose ODIC Claims

(Optional) Enable automatic provisioning of user roles and groups

Enable automatic provisioning of user roles and groups by following the Automatic provisioning of user roles and groups guide.

Configure Chainloop deployment

As explained in the deployment guide, Open ID Connect configuration is done using the auth.oidc section of the values.yaml file. Use the ClientID, Secret and URL from the previous step to configure the OIDC backend as shown below 
auth:
  oidc:
    url: https://login.microsoftonline.com/[TENANT_ID]/v2.0
    clientID: [APP-CLIENT-ID]
    clientSecret: "[APP-CLIENT-SECRET]"
And deploy your Chainloop Control Plane with the update values to take effect. Finally give it a try by running chainloop auth login and that’s all! Your Chainloop users are now authenticated against your Active Directory tenant.