-
Notifications
You must be signed in to change notification settings - Fork 785
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(auth): azure ad + permissions + multiple fixes in UI (#2429)
- Loading branch information
Showing
76 changed files
with
2,243 additions
and
840 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,202 @@ | ||
--- | ||
title: "Azure AD Authentication" | ||
--- | ||
|
||
<Tip> | ||
This feature is a part of Keep Enterprise. | ||
|
||
Talk to us to get access: https://www.keephq.dev/meet-keep | ||
</Tip> | ||
|
||
Keep supports enterprise authentication through Azure Active Directory (Azure AD), enabling organizations to use their existing Microsoft identity platform for secure access management. | ||
|
||
## When to Use | ||
|
||
- **Microsoft Environment:** If your organization uses Microsoft 365 or Azure services, Azure AD integration provides seamless authentication. | ||
- **Enterprise SSO:** Leverage Azure AD's Single Sign-On capabilities for unified access management. | ||
|
||
## Setup Instructions (on Azure AD) | ||
|
||
### Creating an Azure AD Application | ||
|
||
1. Sign in to the [Azure Portal](https://portal.azure.com) | ||
2. Navigate to **Microsoft Entra ID** > **App registrations** > **New registration** | ||
|
||
<Frame> | ||
<img src="/images/azuread_1.png" width="1000" alt="Azure AD App Registration"/> | ||
</Frame> | ||
|
||
3. Configure the application: | ||
- Name: "Keep" | ||
|
||
<Info>Note that we are using "Register an application to integrate with Microsoft Entra ID (App you're developing)" since you're self-hosting Keep and need direct control over the authentication flow and permissions for your specific instance - unlike the cloud/managed version where Keep's team has already configured a centralized application registration.</Info> | ||
|
||
<Frame> | ||
<img src="/images/azuread_2.png" width="1000" alt="Azure AD App Registration"/> | ||
</Frame> | ||
|
||
4. Configure the application (continue) | ||
- Supported account types: "Single tenant" | ||
|
||
<Info> | ||
We recommend using "Single tenant" for enhanced security as it restricts access to users within your organization only. While multi-tenant configuration is possible, it would allow users from any Azure AD directory to access your Keep instance, which could pose security risks unless you have specific cross-organization requirements. | ||
</Info> | ||
|
||
- Redirect URI: "Web" + your redirect URI | ||
|
||
<Info> | ||
We use "Web" platform instead of "Single Page Application (SPA)" because Keep's backend handles the authentication flow using client credentials/secrets, which is more secure than the implicit flow used in SPAs. This prevents exposure of tokens in the browser and provides stronger security through server-side token validation and refresh token handling. | ||
</Info> | ||
|
||
<Tip> | ||
For localhost, the redirect would be http://localhost:3000/api/auth/callback/azure-ad | ||
|
||
For production, it should be something like http://your_keep_frontend_domain/api/auth/callback/azure-ad | ||
|
||
</Tip> | ||
|
||
<Frame> | ||
<img src="/images/azuread_3.png" width="1000" alt="Azure AD App Registration"/> | ||
</Frame> | ||
|
||
5. Finally, click "register" | ||
|
||
### Configure Authentication | ||
After we created the application, let's configure the authentication. | ||
|
||
1. Go to "App Registrations" -> "All applications" | ||
|
||
<Frame> | ||
<img src="/images/azuread_4.png" width="1000" alt="Azure AD Authentication Configuration"/> | ||
</Frame> | ||
|
||
|
||
2. Click on your application -> "Add a certificate or secret" | ||
|
||
<Frame> | ||
<img src="/images/azuread_5.png" width="1000" alt="Azure AD Authentication Configuration"/> | ||
</Frame> | ||
|
||
|
||
3. Click on "New client secret" and give it a name | ||
|
||
<Frame> | ||
<img src="/images/azuread_6.png" width="1000" alt="Azure AD Authentication Configuration"/> | ||
</Frame> | ||
|
||
4. Keep the "Value", we will use it soon as `KEEP_AZUREAD_CLIENT_SECRET` | ||
|
||
<Frame> | ||
<img src="/images/azuread_7.png" width="1000" alt="Azure AD Authentication Configuration"/> | ||
</Frame> | ||
|
||
### Configure Groups | ||
|
||
Keep maps Azure AD groups to roles with two default groups: | ||
1. Admin Group (read + write) | ||
2. NOC Group (read only) | ||
|
||
To create those groups, go to Groups -> All groups and create two groups: | ||
|
||
<Frame> | ||
<img src="/images/azuread_16.png" width="1000" alt="Azure AD Authentication Configuration"/> | ||
</Frame> | ||
|
||
Keep the Object id of these groups and use it as `KEEP_AZUREAD_ADMIN_GROUP_ID` and `KEEP_AZUREAD_NOC_GROUP_ID`. | ||
|
||
### Configure Group Claims | ||
|
||
1. Navigate to **Token configuration** | ||
|
||
<Frame> | ||
<img src="/images/azuread_8.png" width="1000" alt="Azure AD Authentication Configuration"/> | ||
</Frame> | ||
|
||
|
||
2. Add groups claim: | ||
- Select "Security groups" and "Groups assigned to the application" | ||
- Choose "Group ID" as the claim value | ||
|
||
<Frame> | ||
<img src="/images/azuread_9.png" width="1000" alt="Azure AD Authentication Configuration"/> | ||
</Frame> | ||
|
||
|
||
<Frame> | ||
<img src="/images/azuread_10.png" width="1000" alt="Azure AD Authentication Configuration"/> | ||
</Frame> | ||
|
||
### Configure Application Scopes | ||
|
||
1. Go to "Expose an API" and click on "Add a scope" | ||
|
||
<Frame> | ||
<img src="/images/azuread_11.png" width="1000" alt="Azure AD Authentication Configuration"/> | ||
</Frame> | ||
|
||
2. Keep the default Application ID and click "Save and continue" | ||
|
||
<Frame> | ||
<img src="/images/azuread_12.png" width="1000" alt="Azure AD Authentication Configuration"/> | ||
</Frame> | ||
|
||
3. Add "default" as scope name, also give a display name and description | ||
|
||
<Frame> | ||
<img src="/images/azuread_13.png" width="1000" alt="Azure AD Authentication Configuration"/> | ||
</Frame> | ||
|
||
3. Finally, click "Add scope" | ||
|
||
<Frame> | ||
<img src="/images/azuread_14.png" width="1000" alt="Azure AD Authentication Configuration"/> | ||
</Frame> | ||
|
||
## Setup Instructions (on Keep) | ||
|
||
After you configured Azure AD you should have the following: | ||
1. Azure AD Tenant ID | ||
2. Azure AD Client ID | ||
|
||
How to get: | ||
|
||
<Frame> | ||
<img src="/images/azuread_15.png" width="1000" alt="Azure AD Authentication Configuration"/> | ||
</Frame> | ||
|
||
3. Azure AD Client Secret [See Configure Authentication](#configure-authentication). | ||
4. Azure AD Group ID's for Admins and NOC (read only) [See Configure Groups](#configure-groups). | ||
|
||
|
||
### Configuration | ||
|
||
#### Frontend | ||
|
||
| Environment Variable | Description | Required | Default Value | | ||
|--------------------|-------------|:---------:|:-------------:| | ||
| AUTH_TYPE | Set to 'AZUREAD' for Azure AD authentication | Yes | - | | ||
| KEEP_AZUREAD_CLIENT_ID | Your Azure AD application (client) ID | Yes | - | | ||
| KEEP_AZUREAD_CLIENT_SECRET | Your client secret | Yes | - | | ||
| KEEP_AZUREAD_TENANT_ID | Your Azure AD tenant ID | Yes | - | | ||
| NEXTAUTH_URL | Your Keep application URL | Yes | - | | ||
| NEXTAUTH_SECRET | Random string for NextAuth.js | Yes | - | | ||
|
||
#### Backend | ||
|
||
| Environment Variable | Description | Required | Default Value | | ||
|--------------------|-------------|:---------:|:-------------:| | ||
| AUTH_TYPE | Set to 'AZUREAD' for Azure AD authentication | Yes | - | | ||
| KEEP_AZUREAD_TENANT_ID | Your Azure AD tenant ID | Yes | - | | ||
| KEEP_AZUREAD_CLIENT_ID | Your Azure AD application (client) ID | Yes | - | | ||
| KEEP_AZUREAD_ADMIN_GROUP_ID | The group ID of Keep Admins (read write) | Yes | - | | ||
| KEEP_AZUREAD_NOC_GROUP_ID | The group ID of Keep NOC (read only) | Yes | - | | ||
|
||
## Features and Limitations | ||
|
||
#### Supported Features | ||
- Single Sign-On (SSO) | ||
- Role-based access control through Azure AD groups | ||
- Multi-factor authentication (when configured in Azure AD) | ||
|
||
#### Limitations | ||
See [Overview](/deployment/authentication/overview) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Empty file.
Oops, something went wrong.