This feature is supported in Ambassador Pro. Ambassador Pro helps developers and operators accelerate their adoption of Kubernetes.


Azure AD

Set up Azure AD

To use Azure as your IDP, you will first need to register an OAuth application with your Azure tenant.

  1. Follow the steps in the Azure documentation to register your application. When asked for the application type, select Web application, not Native application; Ambassador Pro is a confidential client that holds a client secret.

  2. After you have registered your application, click on App Registrations in the navigation panel on the left and select the application you just created.

  3. Make a note of both the Application (client) ID and the Directory (tenant) ID; both are needed later when configuring Ambassador Pro.

  4. Click on Authentication in the left sidebar.

  5. Under Redirect URIs, add a Redirect URI of type Web and set it to https://{{AMBASSADOR_URL}}/callback, where {{AMBASSADOR_URL}} is the hostname (and port, if not 443) that clients use to reach Ambassador.

    Note: Azure AD requires the redirect URI to use HTTPS, so the Ambassador endpoint must terminate TLS.

  6. Under Advanced settings, make sure the application issues access tokens by checking the box labeled Access tokens.

  7. Under Supported account types select whichever option fits your use case. This setting controls who may sign in (accounts in your tenant only, accounts in any Azure AD tenant, or personal Microsoft accounts as well); choose the narrowest option that covers your users.

  8. Click Certificates & secrets in the left sidebar, click + New client secret and set the expiration you want. Copy the secret value immediately; the portal shows it only once, and you will need it when configuring Ambassador.

Set up Ambassador

After configuring an OAuth application in Azure AD, configuring Ambassador to use it for authentication is simple.

  1. Create an OAuth Filter with the credentials from above

    apiVersion: getambassador.io/v1beta2
    kind: Filter
    metadata:
      name: azure-ad
    spec:
      OAuth2:
        # Use your own tenant ID here, not "common": Ambassador Pro discovers the
        # Azure AD endpoints from {{authorizationURL}}/.well-known/openid-configuration,
        # and the tenant-specific v2.0 URL is what Azure AD puts in the token issuer.
        authorizationURL: https://login.microsoftonline.com/{{TENANT_ID}}/v2.0
        # The clientURL is the scheme and host of your Ambassador endpoint; the
        # redirect URI registered in step 5 must be exactly clientURL + /callback
        clientURL: https://{{AMBASSADOR_URL}}
        # Application (client) ID from step 3 above
        clientID: CLIENT_ID
        # Client secret created in step 8 above. It is stored in clear text in this
        # resource, so restrict who can read Filter objects in the cluster.
        secret: CLIENT_SECRET
  2. Create a FilterPolicy to use the Filter created above

    apiVersion: getambassador.io/v1beta2
    kind: FilterPolicy
    metadata:
      name: azure-policy
    spec:
      rules:
        # Requires authentication on requests for any hostname
        - host: "*"
          # Tells Ambassador Pro to apply the Filter only to requests for the
          # /backend/get-quote/ endpoint of the tour application
          # (https://www.getambassador.io/user-guide/getting-started#3-creating-your-first-service)
          path: /backend/get-quote/
          # Identifies which Filter to use for the host and path above
          filters:
            - name: azure-ad
  3. Apply both the Filter and FilterPolicy above with kubectl

    kubectl apply -f azure-ad-filter.yaml
    kubectl apply -f azure-policy.yaml

Now any requests to https://{{AMBASSADOR_URL}}/backend/get-quote/ will require authentication from Azure AD.
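The procedure above has a few constraints that are easy to get wrong silently: the redirect URI registered in Azure must equal clientURL plus /callback, the authorizationURL must be the tenant-specific v2.0 issuer rather than the multi-tenant common endpoint (whose discovery document publishes a templated issuer), and the FilterPolicy must reference a Filter that actually exists. The following script is an added example, not Ambassador Pro code, that checks those constraints offline before you run kubectl apply. The Filter, FilterPolicy, tenant ID and discovery documents it contains are constructed samples (the resource shapes mirror the manifests above); to use it on real manifests, load them with a YAML parser and pass the resulting dicts.

```python
"""Pre-apply consistency checks for an Ambassador Pro OAuth2 Filter/FilterPolicy pair.

Added example, not part of Ambassador Pro. All sample objects below are constructed.
"""
from urllib.parse import urlparse

AZURE_V2_BASE = "https://login.microsoftonline.com/"
MULTI_TENANT_ALIASES = ("common", "organizations", "consumers")


def redirect_uri(client_url: str) -> str:
    """The redirect URI Ambassador Pro uses and Azure must have registered (step 5)."""
    return client_url.rstrip("/") + "/callback"


def check_filter(filter_obj: dict, expected_tenant: str) -> list:
    """Return a list of problems with the Filter; an empty list means it is consistent."""
    problems = []
    spec = filter_obj.get("spec", {}).get("OAuth2", {})
    for key in ("authorizationURL", "clientURL", "clientID", "secret"):
        value = spec.get(key, "")
        if not value or "{{" in value:
            problems.append(key + " is missing or still a {{...}} placeholder")
    auth = spec.get("authorizationURL", "")
    if auth and "{{" not in auth:
        if not auth.startswith(AZURE_V2_BASE) or not auth.rstrip("/").endswith("/v2.0"):
            problems.append("authorizationURL must be https://login.microsoftonline.com/<tenant>/v2.0")
        else:
            tenant = auth[len(AZURE_V2_BASE):].split("/")[0]
            if tenant in MULTI_TENANT_ALIASES:
                # These endpoints serve every tenant; the issuer in their discovery
                # document is a template, so tokens cannot be pinned to one tenant.
                problems.append(f"authorizationURL uses '{tenant}', which accepts any tenant")
            elif tenant != expected_tenant:
                problems.append(f"authorizationURL tenant {tenant} != expected {expected_tenant}")
    client_url = spec.get("clientURL", "")
    if client_url and urlparse(client_url).scheme != "https":
        # Azure AD rejects non-TLS redirect URIs (see the note under step 5).
        problems.append("clientURL must use https")
    return problems


def check_policy(policy_obj: dict, filters: dict) -> list:
    """Every rule needs a host and path and must reference a Filter that exists."""
    problems = []
    for i, rule in enumerate(policy_obj.get("spec", {}).get("rules", [])):
        if not rule.get("host") or not rule.get("path"):
            problems.append(f"rule {i}: host and path are required")
        for f in rule.get("filters", []):
            if f.get("name") not in filters:
                problems.append(f"rule {i}: references unknown Filter {f.get('name')!r}")
    return problems


def check_discovery(discovery: dict, authorization_url: str) -> list:
    """Cross-check a fetched <authorizationURL>/.well-known/openid-configuration document."""
    problems = []
    issuer = discovery.get("issuer", "")
    if "{tenantid}" in issuer:
        problems.append("discovery issuer is templated: a multi-tenant endpoint was used")
    elif issuer.rstrip("/") != authorization_url.rstrip("/"):
        problems.append(f"issuer {issuer} does not match authorizationURL {authorization_url}")
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("authorization code flow is not offered by this endpoint")
    return problems


# Constructed samples: a fake tenant ID, fake credentials and a fake hostname.
TENANT = "11111111-2222-3333-4444-555555555555"
CLIENT_URL = "https://ambassador.example.com"


def make_filter(tenant_segment: str) -> dict:
    return {
        "apiVersion": "getambassador.io/v1beta2",
        "kind": "Filter",
        "metadata": {"name": "azure-ad"},
        "spec": {"OAuth2": {
            "authorizationURL": AZURE_V2_BASE + tenant_segment + "/v2.0",
            "clientURL": CLIENT_URL,
            "clientID": "constructed-client-id",
            "secret": "constructed-client-secret",
        }},
    }


GOOD_FILTER = make_filter(TENANT)
COMMON_FILTER = make_filter("common")
POLICY = {
    "apiVersion": "getambassador.io/v1beta2",
    "kind": "FilterPolicy",
    "metadata": {"name": "azure-policy"},
    "spec": {"rules": [{"host": "*", "path": "/backend/get-quote/",
                        "filters": [{"name": "azure-ad"}]}]},
}
# Shape of the discovery documents Azure AD serves (constructed, trimmed to the fields used).
GOOD_DISCOVERY = {"issuer": AZURE_V2_BASE + TENANT + "/v2.0",
                  "response_types_supported": ["code", "id_token", "code id_token"]}
COMMON_DISCOVERY = {"issuer": AZURE_V2_BASE + "{tenantid}/v2.0",
                    "response_types_supported": ["code", "id_token", "code id_token"]}

if __name__ == "__main__":
    print("redirect URI to register in Azure:", redirect_uri(CLIENT_URL))
    for name, flt in (("tenant-specific", GOOD_FILTER), ("common", COMMON_FILTER)):
        print(name, "filter problems:", check_filter(flt, TENANT))
    print("policy problems:", check_policy(POLICY, {"azure-ad": GOOD_FILTER}))
    print("discovery problems:", check_discovery(COMMON_DISCOVERY,
                                                 COMMON_FILTER["spec"]["OAuth2"]["authorizationURL"]))
```

Run it before applying the manifests; any non-empty list is something Azure AD or Ambassador Pro would otherwise only report as a failed login. The issuer check is the one that matters most for security: if the Filter pointed at the common endpoint, a token minted for a user in any other Azure AD tenant would carry a valid signature from the same key set, so pinning the tenant-specific issuer is what restricts sign-in to your directory.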