Skip to main content

Enable SSO

Create a new App registration on Azure for SSO

  1. Go to the Azure portal → Microsoft Entra ID.

  2. Make sure you are in the correct subscription.

  3. From Overview, expand Manage from the top navigation and click App registration.

  4. Register a new application by clicking New Registration:

    • For the name use Penfield SSO or anything else that follows your standard
    • For Supported account types, choose "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)"
    • Under the Redirect URI (optional Select the Web application type using the dropdown menu
    • Provide the Redirect URI:https://<**FQDN for Penfield App**>/public/self-service/methods/oidc/callback/microsoft
    • Click Register.
      For reference:
  5. Go to Certificates & secrets and create a new client secret and copy the value of the client secret, you will need this value later on.

  6. Go to App roles , Create multiple roles as below by clicking on Create app role and click Apply.

    NOTE: Make sure the Value is in all lowercase.

    Display namesAllowed member typesValueDescription
    AdminUsers/GroupsadminAdmin role for Penfield App
    AnalystUsers/GroupsanalystAnalyst role for Penfield App
    AutomationUsers/GroupsautomationAutomation role for Penfield App
  7. Go to Overview tab and copy the followings, you will need these later:

    • Application (client) ID
    • Directory (tenant) ID

Update the Enterprise application

  1. Under Microsoft Entra ID, Select Enterprise applications.
  2. Search using the Application name that you set up above.
  3. Select the application.
  4. Expand the Manage section and choose Properties
  5. Toggle the Assignment required? to Yes.
  6. Save the configuration.
  7. Go to Users and Groups and Click Add user/group
  8. Select the appropriate users or group (However you want to manage, Recommendation is manage using groups) and corresponding role that you want to assign. You may want to create User Group in advance if you want to leverage groups.
  9. Once selected click on Assign
  10. Repeat above two steps for assigning multiple users/groups to corresponding roles.

Update Penfield app configuration (Kratos)

  1. Make sure you have these values: CLIENT_ID (Application ID) TENANT_ID (Directory ID) CLIENT_SECRET

  2. To enable SSO in penfield-app, run the below command from the root of Github repo that you have cloned previously and follow the instructions.

    enable SSO
    ./run.sh -c