From 76785e7bd0c28412a18dfb54dd4503147fb7be44 Mon Sep 17 00:00:00 2001
From: hamza-m-masood
Date: Tue, 17 Dec 2024 12:20:41 +0000
Subject: [PATCH] oidc addition

---
 .../operational-guides/production-guide.md | 44 ++++++++++++++++++-
 1 file changed, 43 insertions(+), 1 deletion(-)

diff --git a/docs/self-managed/operational-guides/production-guide.md b/docs/self-managed/operational-guides/production-guide.md
index b5e321453a..07cd934706 100644
--- a/docs/self-managed/operational-guides/production-guide.md
+++ b/docs/self-managed/operational-guides/production-guide.md
@@ -78,7 +78,7 @@ The following secionts will help you fill out the content for `my-values.yaml`:
 ### Ingress TLS and Hostname setup for HTTPS Connections
-In order to access the Camunda Platform through HTTPS ingress, you have to enable TLS. To do that, you require three things:
+In order to access the Camunda Platform through HTTPS with ingress, you have to enable TLS. To do that, you require three things:
 1. A public registered domain that has configurable DNS records. In our example we will use `camunda.example.com` as the domain.
 2. A TLS certificate created from your domain. The certificate must be an X.509 certificate, issued by a trusted Certificate Authority. Also, the certificate must include the correct domain names (Common Name or Subject Alternative Names) to secure ingress resources. Please reach out to your DNS provider if you are unsure on how to create a TLS certificate. It is not recommended to use self-signed certificates.
@@ -113,6 +113,48 @@ For more information on the Ingress setup, please refer to our [ingress setup gu
 ### Integrate with an Identity Provider (Azure Active Directory)
+Once secure HTTPS connections are enabled and correctly configured via Ingress, the next stage to consider is configuring authentication. In this example, we will use Azure Active Directory. Here is the values.yaml configuration:
+
+```yaml
+global:
+  identity:
+    auth:
+      type: "MICROSOFT"
+      issuer: "https://login.microsoftonline.com/abc/v2.0"
+      issuerBackendUrl: "https://login.microsoftonline.com/abc/v2.0"
+      tokenUrl: "https://login.microsoftonline.com/abc/oauth2/v2.0/token"
+      jwksUrl: "https://login.microsoftonline.com/abc/discovery/v2.0/keys"
+      identity:
+        clientId: "111"
+        existingSecret: "password-string-literal"
+        audience: "abc111"
+        redirectUrl: "https://identity.camunda.example.com"
+        initialClaimName: "email"
+        initialClaimValue: test.user@camunda.com
+      optimize:
+        clientId: "222"
+        existingSecret: "password-string-literal"
+        audience: "abc222"
+        redirectUrl: "https://optimize.camunda.example.com"
+      core:
+        clientId: "333"
+        existingSecret: "password-string-literal"
+        audience: "abc333"
+        tokenScope: "abc333/.default"
+        redirectUrl: "https://core.camunda.example.com"
+      console:
+        clientId: "444"
+        audience: "abc444"
+        wellKnown: https://login.microsoftonline.com/abc/v2.0/.well-known/openid-configuration
+        existingSecret: "password-string-literal"
+        redirectUrl: "https://console.camunda.example.com"
+      webModeler:
+        clientId: "555"
+        clientApiAudience: "abc555"
+        publicApiAudience: "abc555"
+        redirectUrl: "https://modeler.camunda.example.com"
+```
+
 Please refer to the following guides:
 - [Connect to an OpenID Connect provider](http://localhost:3000/docs/next/self-managed/setup/guides/connect-to-an-oidc-provider/)
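Review bot: The added values example sets `existingSecret: "password-string-literal"` under identity, optimize, core and console, which, if the chart accepts this field as a literal as the placeholder suggests, puts the OIDC client secrets in plaintext inside the values file and in any repository it is committed to; the example should point at a pre-created Kubernetes Secret instead, or the paragraph should state that a literal value here must be kept out of version control. Two scalars are also left unquoted while every sibling is quoted — `initialClaimValue: test.user@camunda.com` and `wellKnown: https://login.microsoftonline.com/abc/v2.0/.well-known/openid-configuration` — and quoting them keeps the snippet consistent and avoids YAML indicator surprises on edited values. The new paragraph calls the file `values.yaml`, whereas the hunk header and the rest of the page refer to `my-values.yaml`; aligning the name avoids confusion about which file the reader is filling in.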