Azure AD
Set up Azure AD
To use Azure as your IdP, you will first need to register an OAuth application with your Azure tenant.
Follow the steps in the Azure documentation here to register your application. Make sure to select "web application" (not native application) when creating your OAuth application.
After you have registered your application, click on
App Registrations
in the navigation panel on the left and select the application you just created.Make a note of both the client and tenant IDs as these will be used later when configuring Ambassador Edge Stack.
Click on
Authentication
in the left sidebar.Under
Redirect URIs
at the top, add aRedirect URI
with the typeWeb
and set it tohttps://{{AMBASSADOR_URL}}/.ambassador/oauth2/redirection-endpoint
Note: Azure AD requires the redirect endpoint to handle TLS
Under
Advanced settings
, make sure the application is issuingAccess tokens
by checking next to the box that saysAccess tokens
Under
Supported account types
select whichever option fits your use case
Click on
Certificates & secrets
in the left sidebar. Click+ New client secret
and set the expiration date you wish. Copy the value of this secret somewhere. You will need it when configuring Ambassador Edge Stack.
Set Up the Ambassador Edge Stack
After configuring an OAuth application in Azure AD, configuring Ambassador Edge Stack to make use of it for authentication is simple.
Create an OAuth Filter with the credentials from above:
apiVersion: getambassador.io/v2kind: Filtermetadata:name: azure-adspec:OAuth2:# Azure AD openid-configuration endpoint can be found at https://login.microsoftonline.com/common/v2.0/.well-known/openid-configurationauthorizationURL: https://login.microsoftonline.com/{{TENANT_ID}}/v2.0# The clientURL is the scheme and Host of your Ambassador endpointclientURL: https://{{AMBASSADOR_URL}}# Client ID from step 3 aboveclientID: CLIENT_ID# Secret created in step 5 abovesecret: CLIENT_SECRETCreate a FilterPolicy to use the
Filter
created aboveapiVersion: getambassador.io/v2kind: FilterPolicymetadata:name: azure-policyspec:rules:# Requires authentication on requests from any hostname- host: "*"# Tells Ambassador Edge Stack to apply the Filter only on request to the quote /backend/get-quote/ endpointpath: /backend/get-quote/# Identifies which Filter to use for the path and hose abovefilters:- name: azure-adApply both the
Filter
andFilterPolicy
above withkubectl
kubectl apply -f azure-ad-filter.yamlkubectl apply -f azure-policy.yaml
Now any requests to https://{{AMBASSADOR_URL}}/backend/get-quote/
will require authentication from Azure AD.
Questions?
We’re here to help. If you have questions, join our Slack or contact us.