docs(azuread): guide to use azuread as IdP for ZITADEL (#4101)
							
								
								
									
docs/docs/guides/integrate/azuread.md (new file, 89 lines added)
						| @@ -0,0 +1,89 @@ | ||||
| --- | ||||
| title: Connect with AzureAD | ||||
| --- | ||||
|  | ||||
| ## AzureAD Tenant as Identity Provider for ZITADEL | ||||
|  | ||||
| This guides shows you how to connect an AzureAD Tenant to ZITADEL. | ||||
|  | ||||
| :::info | ||||
| In ZITADEL you can connect an Identity Provider (IdP) like an AzureAD to your instance and provide it as default to all organizations or you can register the IdP to a specific organization only. This can also be done through your customers in a self-service fashion. | ||||
| ::: | ||||
|  | ||||
| ### Prerequisite | ||||
|  | ||||
| You need to have access to an AzureAD Tenant. If you do not yet have one follow [this guide from Microsoft](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant) to create one for free. | ||||
|  | ||||
| ### AzureAD Configuration | ||||
|  | ||||
| #### Create a new Application | ||||
|  | ||||
| Browse to the [App registration menus create dialog](https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/CreateApplicationBlade/quickStartType~/null/isMSAApp~/false) to create a new app. | ||||
|  | ||||
|  | ||||
|  | ||||
| :::info | ||||
| Mare sure to select `web` as application type in the `Redirect URI (optional)` section. | ||||
| You can leave the second field empty since we will change this in the next step. | ||||
| ::: | ||||
|  | ||||
|  | ||||
|  | ||||
| #### Configure Redirect URIS | ||||
|  | ||||
| For this to work you need to whitelist the redirect URIs from your ZITADEL Instance. | ||||
| In this example our test instance has the domain `test-qcon0h.zitadel.cloud`. In this case we need to whitelist these two entries: | ||||
|  | ||||
| - `https://test-qcon0h.zitadel.cloud/ui/login/register/externalidp/callback` | ||||
| - `https://test-qcon0h.zitadel.cloud/ui/login/login/externalidp/callback` | ||||
|  | ||||
| :::info | ||||
| To adapt this for you setup just replace the domain | ||||
| ::: | ||||
|  | ||||
|  | ||||
|  | ||||
| #### Create Client Secret | ||||
|  | ||||
| To allow your ZITADEL to communicate with the AzureAD you need to create a Secret | ||||
|  | ||||
|  | ||||
|  | ||||
| :::info | ||||
| Please save this for the later configuration of ZITADEL | ||||
| ::: | ||||
|  | ||||
| #### Configure ID Token Claims | ||||
|  | ||||
|  | ||||
|  | ||||
| ### ZITADEL Configuration | ||||
|  | ||||
| #### Create IdP | ||||
|  | ||||
| Use the values displayed on the AzureAD Application page in your ZITADEL IdP Settings. | ||||
|  | ||||
| - You can find the `issuer` for ZITADEL of your AzureAD Tenant in the `Endpoints submenu` | ||||
| - The `Client ID` of ZITADEL corresponds to the `Application (client) ID` | ||||
| - The `Client Secret` was generated during the `Create Client Secret` step | ||||
|  | ||||
|  | ||||
|  | ||||
|  | ||||
|  | ||||
| #### Activate IdP | ||||
|  | ||||
| Once you created the IdP you need to activate it, to make it usable for your users. | ||||
|  | ||||
|  | ||||
|  | ||||
|  | ||||
|  | ||||
| ### Test the setup | ||||
|  | ||||
| To test the setup use a incognito mode and browse to your login page.  | ||||
| If you succeeded you should see a new button which should redirect you to your AzureAD Tenant. | ||||
|  | ||||
|  | ||||
|  | ||||
|  | ||||
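Review bot: the `#### Configure ID Token Claims` section is a heading followed only by a screenshot, so a reader cannot tell which optional claims have to be enabled on the AzureAD application or why ZITADEL needs them; add at least one sentence naming the claims and the ZITADEL attributes they map to. The `Create Client Secret` info box (`Please save this for the later configuration of ZITADEL`) should also say that the value is a credential: copy it straight into the ZITADEL IdP settings and keep it out of any checked-in files. Wording fixes in the same hunk: `This guides shows you` should read `This guide shows you`, `Mare sure to select` should read `Make sure to select`, `#### Configure Redirect URIS` should read `Configure Redirect URIs`, `To adapt this for you setup just replace the domain` needs `your` and a closing period, and `use a incognito mode` should read `use an incognito window`; the backticks in `` `Endpoints submenu` `` wrap UI text rather than a literal and can be dropped.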
| @@ -97,7 +97,7 @@ ZITADEL will show a set of identity providers by default. This configuration can | ||||
|  | ||||
| An organization's login settings will be shown  | ||||
|  | ||||
| - as soon as the user has entered the loginname and ZITADEL can identitfy to which organization he belongs; or | ||||
| - as soon as the user has entered the loginname and ZITADEL can identify to which organization he belongs; or | ||||
| - by sending a primary domain scope. | ||||
| To get your own configuration you will have to send the [primary domain scope](../../apis/openidoauth/scopes#reserved-scopes) in your [authorization request](../../guides/integrate/login-users#auth-request) . | ||||
| The primary domain scope will restrict the login to your organization, so only users of your own organization will be able to login, also your branding and policies will trigger. | ||||
|   | ||||
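Review bot: the paragraph starting `To get your own configuration you will have to send` follows the list without a blank line, so Markdown renders it as a lazy continuation of the `- by sending a primary domain scope.` bullet; insert a blank line after the list. While this block is being edited for the `identitfy` typo, `loginname` should be `login name`, `to which organization he belongs` can be `to which organization they belong`, and `will be able to login, also your branding and policies will trigger` should read `will be able to log in, and your branding and policies will apply`.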
| @@ -119,6 +119,7 @@ module.exports = { | ||||
|         "guides/integrate/access-zitadel-apis", | ||||
|         "guides/integrate/authenticated-mongodb-charts", | ||||
|         "guides/integrate/auth0", | ||||
|         "guides/integrate/azuread", | ||||
|         "guides/integrate/gitlab-self-hosted", | ||||
|         "guides/integrate/login-users", | ||||
|         "guides/integrate/serviceusers", | ||||
|   | ||||
							
								
								
									
										
Binary files added (docs/static/img/guides/):

- azure_app.png (153 KiB)
- azure_app_redirects.png (127 KiB)
- azure_app_register.png (85 KiB)
- azure_app_secrets.png (97 KiB)
- azure_app_token.png (136 KiB)
- azure_login.png (444 KiB)
- azure_zitadel_activate.png (22 KiB)
- azure_zitadel_active.png (20 KiB)
- azure_zitadel_button.png (53 KiB)
- azure_zitadel_settings.png (119 KiB)
Florian Forster