Skip to main content

Enable SSO using Active Directory

Prerequisites

  • Active Directory Federation Services (ADFS)
  • Penfield App is deployed in Kubernetes cluster

Create a new Application Group on ADFS for SSO

  1. On your AD Server, Go to the AD FS Management System.
  2. In the left navigation pane, click Application Groups.
  3. Right click on Application Groups and click Add Application Group.
  4. In the Add Application Group Wizard dialog, enter the following details:
    • For the name use Penfield SSO or anything else that follows your standard naming convention.
    • Description: Penfield SSO (Optional)
    • Select Server Application under the Standalone applications and click Next.
  5. Copy the Client Identifier value, you will need this value later on. Make sure to use your FQDN for the redirect URI.
    • Add Redirect URI https://<Replace-with-your-FQDN>>/public/self-service/methods/oidc/callback/generic and click Next.
  6. Choose Generate a shared secret and copy the secret and click Next.
  7. Click Next and click Close to close the Add Application Group Wizard dialog.

Update Penfield app configuration

  1. Make sure you have these values:

  2. Make sure you set the kubectl context to the right cluster. You can check the current context with kubectl config current-context and set the context with kubectl config use-context <context-name>

  3. Update the helm chart values.yaml file, Find the following block in kratos section and make sure the values are correct as below:

    enable SSO
    # Enable OIDC only if you use SSO
    oidc:
    enabled: true
    enable SSO
    ## Enable below config if you enable SSO
    deployment:
    extraEnv:
    - name: SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS
    valueFrom:
    secretKeyRef:
    name: penfield-secrets
    key: oidcConfig
  4. Update the penfield-secrets:

    You can either update penfield-secrets using ArgoCD or kubectl directly patch the secret, depending on how you have initially deployed it.

    1. Update using ArgoCD: Added the below values to the existing penfield-secrets secret, You may need to encrypt the secret before updating if you are using secret manager. Do not forget to replace the client_id, client_secret and issuer_url with the ones from the previous step.

      update penfield-secrets
         data:
      oidcConfig: [{"id": "generic","provider": "generic","label": "AD SSO","client_id": "<update_client_id_value>","client_secret": "<update_client_secret_value>","issuer_url": "<ADFS server URL>","mapper_url": "base64://bG9jYWwgY2xhaW1zID0gc3RkLmV4dFZhcignY2xhaW1zJyk7CnsKICBpZGVudGl0eTogewogICAgdHJhaXRzOiB7CiAgICAgIGVtYWlsOiBjbGFpbXMucmF3X2NsYWltcy51cG4sCiAgICB9LAogICAgbWV0YWRhdGFfcHVibGljOiB7CiAgICAgIGNsYWltczogY2xhaW1zLnJhd19jbGFpbXMsCiAgICB9LAogIH0sCn0=","scope": ["openid","email","profile"]}]
    2. Update using kubectl:

      update penfield-secrets
         # Set your environment variables, use the values from the previous step

      export CLIENT_ID="replace-with-your-client-id"
      export CLIENT_SECRET="replace-with-your-client-secret"
      export ADFS_SERVER_URL="replace-with-your-adfs-server-url"

      # Patch the secret, run this command in your terminal

      kubectl patch secret penfield-secrets -n penfield-app -p='{"stringData":{"oidcConfig": "[{\"id\": \"generic\",\"provider\": \"generic\",\"label\": \"AD SSO\",\"client_id\": \"'"$CLIENT_ID"'\",\"client_secret\": \"'"$CLIENT_SECRET"'\",\"issuer_url\": \"'"$ADFS_SERVER_URL"'\",\"mapper_url\": \"base64://bG9jYWwgY2xhaW1zID0gc3RkLmV4dFZhcignY2xhaW1zJyk7CnsKICBpZGVudGl0eTogewogICAgdHJhaXRzOiB7CiAgICAgIGVtYWlsOiBjbGFpbXMucmF3X2NsYWltcy51cG4sCiAgICB9LAogICAgbWV0YWRhdGFfcHVibGljOiB7CiAgICAgIGNsYWltczogY2xhaW1zLnJhd19jbGFpbXMsCiAgICB9LAogIH0sCn0=\",\"scope\": [\"openid\",\"email\",\"profile\"]}]"}}'
  5. Update the deployment:

    If you are using ArgoCD, you can update the deployment by merging the changes to your version control.

    If you are using helm, you can update the deployment by running the following command:

    helm upgrade \
    --install penfield-app penfieldai/penfieldai \
    --namespace penfield-app \
    --values penfield-values.yaml