SSO with Azure AD


(Aditi chalke) #1

We need to add the App roles which requires a unique ID from Octopus server.

For e.g : we are creating 2 roles user and Admin. Below is the syntax where in unique guid is required for the specified role in manifest. Let me know where I can find this values.

“id”: “NEWGUID1”,
“allowedMemberTypes”: [“User”],
“description”: “Octopus Administrators”,
“displayName”: “Octopus Admins”,
“isEnabled”: true,
“value”: “octopusAdmins”

          "id": "NEWGUID2",
          "allowedMemberTypes": ["User"],
          "description": "Octopus Testers",
          "displayName": "Octopus Testers",
          "isEnabled": true,
          "value": "octopusTesters"

(Jim Burger) #2

Hi @aditichalke

Thanks for getting in touch with us regarding Azure AD integration. I can see that you are likely to be following the advice in this article: https://octopus.com/docs/administration/authentication/authentication-providers/azure-ad-authentication

You should just be able to generate your own GUID using powershell like this (or any other guid generator you want to use)

C:\> New-Guid

Guid
----
d5a4951d-bec7-4860-806a-22b0d1e787ed

As per the docs, the important value to align with Octopus, is the value property: that must line up with the value you use when adding the external group to the Team in Octopus configuration.

Hope this helps!

Jim


(Aditi chalke) #3

Thanks Jim. Is this powershell need to be run from Octopus server. Is this role need to be present on octopus server?

If we do not create this roles , by default I do see a role name “default Access” on azure portal while adding users from Azure AD. I select this role & add AD groups to this role, what type of access they will get.

With the default access role selected from azure portal, can we control users & Admin role access from Octopus management console.


(Jim Burger) #4

Hi @aditichalke

Hopefully I can answer your questions below.

Is this powershell need to be run from Octopus server.

Generating a GUID can be done from any location, because they are Globally Unique. The example I gave is a standard powershell command. Older versions of powershell may require the use of a different syntax [guid]::NewGuid() which is just a direct call to the method of the underlying .NET type.

Is this role need to be present on octopus server? If we do not create this roles , by default I do see a role name “default Access” on azure portal while adding users from Azure AD.

You definitely need to create a new App Role in Azure.

First, you’ll create a new role in the Azure portal, using the manifest, as you have done, giving it your brand new GUID, and value of octopusTesters (as an example)

Later, you’ll link that AAD Role, to a Team in Octopus, using octopusTesters as the RoleID, here

image

From the docs:

The value property is the most important one. This value becomes the external Role ID you will use later on when adding this role to a Team in Octopus Deploy.

You only need to all of this, if you want to connect Azure AD with Octopus teams. You can opt not to do this at all, in which case, users will simply authenticate with Azure AD instead and would not be mapped into an Octopus Team automatically.

what type of access they will get.

The permissions they will have inside of Octopus, depends on the team they have been added into. If you have an Octopus Testers team, mapped to an AAD Role called octopusTesters, then any users in that AAD Role will take on the permissions of the Octopus Testers team.

This is controlled via User Roles and adding those to the team.

Hopefully I am helping to clarify, let me know if there is more information I can help you with here.

Kind regards,


(Aditi chalke) #5

Hi Jim,

Thanks for the explanation. However I do not see option Add external group/Role under members section for teams on Octopus console.

As you mentioned I can still go ahead & add users on azure portal with Default access Role, which in term will grant user access to Octopus but Admin has to add the user in team which has local roles added to it to get access to projects assign to those teams.


(Aditi chalke) #6

Hi Jim,

I am going to do SSO activity by tomorrow Friday at 3 PM EST. Do you provide any support if something goes wrong during SSO integration.


(Jim Burger) #7

Hi there @aditichalke,

Thanks for letting me know you can’t see that option. What version of Octopus Deploy are you running there? That might explain why you don’t see the ‘Add External Role’ button - normally it is on the Team page.

image

Do you provide any support if something goes wrong during SSO integration.

If you do run into specific issues, reach out to us here or support@octopus.com - we try our best to respond within 24 hours.

We don’t have anyone available to be on call for such an event, most of us are based in Australia, for example your Friday 3pm is my 6am on Saturday.

My advice here is to have a rollback plan, and if possible test your scenario in a test environment first. If think you may need faster response times on your support queries you’ll be better suited to do something like this late on your Tuesday or Wednesday, (your 5pm is closer to the start of our day)

We also have a series of partners who know our product really well that can provide consultation services, if you need somebody on site, or on call: https://octopus.com/company/partners

You can also join our community slack channel for help from others in the community around the world https://octopus.com/slack and our international staff, hang out there too - though there are no guarantees to support being provided there, but it is worth joining up and getting involved!

Hope this helps,

Jim


(Aditi chalke) #8

Hi Jim,

We are version 2.0. I can reschedule it to later hours Tuesday or Wednesday so that I can get the response from you. let me know with this version I can go ahead & do the AAD integration.

2.0
2018-04-05
2019-07-08
Unlimited
100
Unlimited
Unlimited</NodeLimit


(Aditi chalke) #9

Octopus Version : 2018.6.15.0

Question :

  1. After SSO, how users are going to get notified about the logon method. Is this we have to notify users before the activity or there is a automated email goes to users about the SSO logon enablement after we enable this feature in Octopus
  2. If SSO is not working for some reason , can we revert back & disable AAD integration from Configuration ➜ Settings ➜ Azure AD. after disabling this, will user still be able to login with their old username & password.

(Jim Burger) #10

Hi @aditichalke,

Thanks for letting me know what version you are on, the ‘Add External Role’ button should be present for your version, once you’ve enabled the provider.

To answer your questions, you’ll need to notify users that they can use the login buttons for Active Directory, we don’t do any automatic emails. You should be fine to revert back - the users will not be removed from Octopus Server.

All the best for your SSO integration!