Microsoft Entra ID
User authentication
Configuring Microsoft Entra ID (formerly Azure AD)
- Open the Microsoft Entra admin center and select the directory to use for single sign-on.
- Navigate to Entra ID > Enterprise applications.
- Click New application and then Create your own application.
- Pick a name for the Kpow instance that you are securing and select Integrate any other application you don't find in the gallery (Non-gallery) radio button.
- You should now be in the dashboard for the Kpow application.
- Go to Single sign-on and select SAML as the single sign-on method.
Basic SAML configuration
- Identifier (Entity ID): set this to a suitable name for the instance you are securing, e.g. Kpow-UAT-1.
- Reply URL (Assertion Consumer Service URL): your Kpow instance SAML URL, e.g. https://kpow.corp.com/saml
- Leave the other fields blank.
SAML signing certificate
Download the Federation Metadata XML file and (optionally) Certificate (Raw). Save these for later.
Integrate Kpow and Microsoft Entra ID SSO
Set the following environment variables and start Kpow.
AUTH_PROVIDER_TYPE=saml
SAML_RELYING_PARTY_IDENTIFIER=[Identifier (Entity ID)]
SAML_ACS_URL=[Reply URL (Assertion Consumer Service URL)]
SAML_METADATA_FILE=[path to downloaded Federation Metadata XML]
# Optional
SAML_CERT=[path to the Certificate (Raw) .pem file]
Kpow will now authenticate users with Microsoft Entra ID.
User authorization
See the guide to Role Based Access Control for full configuration details.
SAML integration
Kpow can integrate with your SAML IdP as a service provider.
Roles are defined in a Roles attribute in the SAMLResponse from your IdP.
If you would like to use a field other than the Roles attribute, you can extend the YAML configuration as follows:
saml:
  role_field: "Groups"
Now, Kpow will look to the Groups attribute for its basis of roles.
Configuration to Integrate Microsoft Entra ID and Kpow RBAC
- Follow this Microsoft guide to populate user.assignedroles.
- In your Enterprise Application, navigate to Single sign-on > Attributes & Claims > Edit:
- Required Claim: set Unique User Identifier (Name ID) to user.userprincipalname.
- Select Add new claim, set the Name to Roles, leave Namespace blank, and set the Source attribute to user.assignedroles.
Assign users to roles
Navigate to Users and groups, select a user, click Edit assignment, and assign the appropriate role.
Note: Microsoft Entra ID does not pass the default role (User) as an assigned role in the SAMLResponse.
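To make the role mapping above concrete, here is an added example (not Kpow's own code) that pulls role values out of a SAMLResponse the way the Roles / role_field setting describes, and shows what a default-role-only Entra user yields. Both SAMLResponse documents are constructed samples with signatures omitted; the function assumes the assertion has already been signature-checked and only extracts the configured attribute.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespace URIs used by the IdP assertion.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, minimal SAMLResponse (signature and other elements omitted) in
# which Entra ID has mapped user.assignedroles onto a "Roles" claim.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@corp.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="Roles">
        <saml:AttributeValue>kafka-admins</saml:AttributeValue>
        <saml:AttributeValue>topic-readers</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed response for a user holding only Entra's default "User" role:
# no Roles attribute is sent, so no Kpow roles can be derived from it.
DEFAULT_ROLE_ONLY = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>bob@corp.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement/>
  </saml:Assertion>
</samlp:Response>"""


def extract_roles(saml_response_xml: str, role_field: str = "Roles") -> list[str]:
    """Return the values of the configured role attribute, in document order.

    role_field mirrors the saml.role_field setting ("Roles" by default, or
    e.g. "Groups"). Returns [] when the attribute is missing or empty.
    """
    root = ET.fromstring(saml_response_xml)
    roles: list[str] = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != role_field:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                roles.append(value.text.strip())
    return roles
```

A user who is only in the default User role therefore arrives with no roles at all, so any access they should have must come from an explicitly assigned app role.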
