docs: identity mapper
adityathebe committed Oct 2, 2024
1 parent 9cd8f93 commit 45620e7
Showing 1 changed file with 32 additions and 11 deletions.
43 changes: 32 additions & 11 deletions mission-control/docs/installation/self-hosted/oidc.mdx
Expand Up @@ -5,15 +5,14 @@ slug: sso

import Properties from '../_properties.mdx'

Mission Control uses [kratos](https://www.ory.sh/kratos/) for identity management. Login via email/password is the default flow but any OIDC provider supported by Kratos can be used
Mission Control uses [kratos](https://www.ory.sh/kratos/) for identity management. Login via email/password is the default flow but any OIDC provider supported by Kratos can be used.


See [Providers](https://www.ory.sh/docs/kratos/social-signin/overview) more details on supported providers.

<Properties section="authentication"/>

## Microsoft Entra (Azure AD)



1. Create a new Azure Entra App Registration

* Add a new app from [Azure AD App Registration](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps)
* Record the `Client ID` (Application ID) in the Overview page
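Review bot: the unchanged context line `See [Providers](https://www.ory.sh/docs/kratos/social-signin/overview) more details on supported providers.` is missing "for" before "more details"; since this hunk already edits the sentence directly above it (adding the trailing period), fix it here as `See [Providers](...) for more details on supported providers.` The heading `## Microsoft Entra (Azure AD)` and step 1 `Create a new Azure Entra App Registration` also name the product differently; use the same name in both places.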
Expand All @@ -24,11 +23,9 @@ See [Providers](https://www.ory.sh/docs/kratos/social-signin/overview) more deta
* Certificates & Secrets
* Create a new `client secret`

2. Get The Tenant ID
Get the `Tenant ID` (Directory ID) from [Directories](https://portal.azure.com/#settings/directory)
2. Get the `Tenant ID` (Directory ID) from [Directories](https://portal.azure.com/#settings/directory)

3. Create a JSONNET claims mapper
Jsonnet is used to [map](https://www.ory.sh/docs/kratos/social-signin/data-mapping) the claims provided by Azure AD, to the Kratos [Identity Schema](https://github.com/flanksource/mission-control-chart/blob/main/chart/files/kratos-identity-schema.json)
3. Create a JSONNET claims mapper. Jsonnet is used to [map](https://www.ory.sh/docs/kratos/social-signin/data-mapping) the claims provided by Azure AD, to the Kratos [Identity Schema](https://github.com/flanksource/mission-control-chart/blob/main/chart/files/kratos-identity-schema.json)


```javascript
local claims = std.extVar('claims');
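Review bot: the merged step 3 line spells the tool two ways in one sentence, `Create a JSONNET claims mapper. Jsonnet is used to ...`; use `Jsonnet` consistently and code-format it so the spelling linter stops flagging it. The same line keeps a stray comma in "the claims provided by Azure AD, to the Kratos" and has no terminating period, unlike the merged step 2 line just above it.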
Expand All @@ -40,7 +37,7 @@ See [Providers](https://www.ory.sh/docs/kratos/social-signin/overview) more deta
[if 'family_name' in claims then 'last' else null]: claims.family_name,
},

[if 'raw_claims' in claims &&
[if 'raw_claims' in claims &&
'groups' in claims.raw_claims then 'groups' else null]: claims.raw_claims.groups,

[if 'preferred_username' in claims then 'email' else null]: claims.preferred_username,
Expand All @@ -51,9 +48,7 @@ See [Providers](https://www.ory.sh/docs/kratos/social-signin/overview) more deta
```
See [MS Entra ID Tokens](https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference)


4. Update the helm values

Create the `mapper_url` by Base64 encoding the jsonnet file and prefixing it with `base64://`
4. Update the helm values. Create the `mapper_url` by Base64 encoding the jsonnet file and prefixing it with `base64://`


```yaml title="values.yaml"
kratos:
Expand All @@ -68,11 +63,37 @@ See [Providers](https://www.ory.sh/docs/kratos/social-signin/overview) more deta
microsoft_tenant: # The Azure AD Tenant Id
client_id: #...
client_secret: #...
mapper_url: base64:// #base64 encoded mapper_url
mapper_url: base64:// #base64 encoded jsonnet schema
scope:
- email
- openid
- profile
```
<p/>

5. Optionally, create a cel expression to map identities from the OIDC provider to a mission control role & team.
_Example_: the following script maps all Azure users in the "SRE" group to the "admin" role & everyone else to a "viewer" role.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: azure-identity-mapper
data:
script: >
{
"role": "sre" in identity.traits.groups ? "admin": "viewer"
}
```
<p/>

The cel expression is expected to return an object with a `role` & a `teams[]` fields.

6. Supply the identity mapper script to mission control.

```yaml title="values.yaml"
identityRoleMapper:
configMap:
name: "azure-identity-mapper"
key: "script"
```
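Review bot: the CEL example in step 5 reads `identity.traits.groups` unguarded, but the Jsonnet mapper earlier in this file only emits a `groups` trait when the claim exists (`[if 'raw_claims' in claims && 'groups' in claims.raw_claims then 'groups' else null]`), so a user whose token carries no groups claim hits a missing-key error instead of falling through to `viewer`; guard it, for example `"role": has(identity.traits.groups) && "sre" in identity.traits.groups ? "admin" : "viewer"`. The prose also says the "SRE" group while the script tests `"sre"`; the membership test is a plain string comparison, so make the two agree and say whether matching is case-sensitive, since this check is what grants `admin`. Smaller points: `The cel expression is expected to return an object with a `role` & a `teams[]` fields.` should read `a `role` and a `teams` field`, and because the example returns no `teams`, state that it is optional; write `CEL` and `Mission Control` in step 5 to match the rest of the page; and the new comment `#base64 encoded jsonnet schema` describes the claims mapper rather than a schema, so `#base64 encoded Jsonnet claims mapper` is more accurate.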
