Use Active Directory as Single Sign-On provider
Chainloop's authentication backend is delegated to an OpenID Connect (OIDC) compatible Identity Provider (IdP) such as Google, GitHub, Auth0 or Azure Active Directory.
This guide will show you how to configure your Chainloop instance to run authentication over Azure Active Directory.
The process comprises two steps:
- Register a new App in your Azure Active Directory tenant
- Configure Chainloop deployment with the new OIDC settings
Register a new App
In the Azure portal, go to Azure Active Directory > App registrations and click New registration.
Fill out a descriptive name and set the redirect (callback) URI to the callback endpoint of your own Chainloop control plane instance. The IdP will only redirect back to URIs registered here, so it must match the public URL your control plane is served on.
Once done, take note of the generated Application (client) ID and the Directory (tenant) ID shown on the app's Overview page; both are needed to configure Chainloop.
Create a new client secret
Next, create a client secret by going to "Certificates & secrets" > "New client secret" and choosing an expiry.
Once created, copy the secret's "Value" (not the "Secret ID") right away: Azure shows it only once, and it is what Chainloop will use as the clientSecret in the next step. Note the expiry date as well; when the secret expires, logins to Chainloop will start failing until a new secret is created and deployed.
Set up OIDC claims
Finally, we need to configure the OIDC claims that Chainloop uses to show information about the user. Specifically, the given_name and family_name claims must be present in the ID token.
This is done in the Token configuration section of your app registration: click "Add optional claim", select the ID token type and tick given_name and family_name.
(Optional) Enable automatic provisioning of user roles and groups
Enable automatic provisioning of user roles and groups by following the Automatic provisioning of user roles and groups guide.
Configure Chainloop deployment
As explained in the deployment guide, OpenID Connect configuration is done in the auth.oidc section of the values.yaml file.
Use the Application (client) ID, the client secret value and the issuer URL of your tenant (for Azure AD v2.0 endpoints this is https://login.microsoftonline.com/<tenant-id>/v2.0) to configure the OIDC backend.
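The following values.yaml excerpt is an added illustration for this guide, not a file taken from the Chainloop chart or documentation. The section name auth.oidc and the clientSecret key come from this page; the url and clientID key names are assumed from the deployment guide's OIDC settings, and every value is a constructed placeholder to be replaced with your tenant's IDs.

```yaml
# values.yaml (excerpt) - added example for this guide, not copied from the Chainloop chart.
# Placeholder GUIDs below are constructed; replace them with the values from your app registration.
auth:
  oidc:
    # Issuer URL of the Azure AD tenant, using the v2.0 endpoint. An OIDC client discovers the
    # authorization, token and JWKS endpoints from <issuer>/.well-known/openid-configuration,
    # so you can check the value before deploying with:
    #   curl -s https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration
    # The "issuer" field in that document must match this URL exactly (no trailing slash).
    url: "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
    # Application (client) ID from the app registration Overview page (assumed key name)
    clientID: "11111111-1111-1111-1111-111111111111"
    # The secret "Value" copied when the client secret was created, not its "Secret ID"
    clientSecret: "<client-secret-value>"
```

Treat this file as sensitive once the secret is in it: keep it out of version control and pass it to Helm with a separate, access-controlled values file (for example helm upgrade ... -f oidc-values.yaml) rather than committing it alongside the rest of your deployment configuration.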
Then deploy your Chainloop Control Plane with the updated values for the change to take effect.
Finally, give it a try by running chainloop auth login, which should open a browser session against your Azure AD tenant. That's all: your Chainloop users are now authenticated against your Active Directory tenant.