Integrating Azure into the meshStack means that the user and project management gets simplified by a unified replication over all available cloud platforms. The users will be able to access their assigned Azure resources via a Single Sign On (SSO) service provided by meshStack.
The usual procedure to realize SSO with Azure is to synchronize a local Active Directory (AD) to Azure using Azure Active Directory Connect (AD Connect). In a multi-cloud scenario this approach is hard to realize. Therefore we follow a different path and use our external Identity Provider to grant access to Azure. By doing this we are able to seamlessly integrate every workflow.
To enable integration with Azure, operators deploy and configure the meshStack Azure Replicator. Operators can configure one or multiple platform instances of PlatformType.Azure. This makes Azure available to meshProjects like any other cloud platform in meshStack.
If configured correctly the meshStack entities are mapped as described in the following table:

| meshStack entity | Azure entity |
|---|---|
| meshCustomer | Account, but the Account can currently contain multiple customer projects. |
Currently all meshProjects are mapped to a single Subscription per PlatformInstance. This is subject to change as we extend the Azure support.
The meshIdB provides SSO to Azure via SAML. The use of an external IDP in combination with Azure is documented by Microsoft.
Deleting a meshUser from the project is currently (as of the beginning of February 2019) not yet implemented.
In order to integrate with meshStack Identity Federation, operators need to configure the meshStack Identity Broker as a federated SAML IDP using the following steps. The steps are based on the documentation provided by Microsoft, but some of Microsoft's steps are misleading and/or incomplete. So stick to the steps in this document and refer to the official documentation only if additional information is needed.
- Create a new SAML Client as described in the official documentation. It is possible to use the Azure SAML Metadata file as a starting point. Please check if the signature algorithm is set to SHA-1 after the import.
- Add a mapper which will map the azure-email user attribute to
In order to start the setup please make sure the following exist:
- An Azure account (you can create one if it does not exist).
- Add a valid Subscription to the account and remember the Subscription ID (e.g.
- Make sure at least one Azure Active Directory (Azure AD) exists. If not, create one:
  - Click on Create a resource.
  - Search for Azure Active Directory.
  - Click on Create.
  - Give it a meaningful name and add the domain name you own and which you want to have federated.
- In the Azure Active Directory menu under Custom domain names you can add a custom domain. This is not necessary, but the users of the domain which is put into federation mode won't be able to access the panel via the usual username/password login. That means if you want to keep username/password (or Active Directory) access for people with email@example.com, you need an additional domain, for example msh.io, to use as the federated one.
- Verify the domain you have chosen via a DNS text entry.
The Federated Domain accounts won't be able to login via username/password. These users must rely on the external IDP server to allow access.
- In order to switch the domain into federation mode download the MSOnline PowerShell module. The successor AD Connect won't work.
- Run Connect-MsolService and login with your Azure account and password. If this fails and the tool complains about a wrong username/password you probably need to create another Azure AD user via the meshPanel. Assign this user the Global Administrator role. After the federation has been set up the user can be deleted again. You must first login into the panel with this newly created user because the password needs to be reset. After you have set a permanent password you can login via the CLI with this user.
- In order to setup the federated mode you need to find the signing certificate for the Keycloak IDP server and set it into a shell variable. You will find this certificate under Realm Settings → Keys → Certificate
- After this the command is as follows (PowerShell continues lines with a backtick, and the here-string delimiters must each stand on their own line):

```powershell
$MySigningCert = @"
MIICnTCCAYUCBgFa3Tm/dTANBgkqhkiG9...
...X6dDBuCmcg5S9jd3wzfu3GoEgMwc+aw==
"@
Set-MsolDomainAuthentication -DomainName msh.host -Authentication Federated `
  -IssuerUri https://<IDP_URL>/auth/realms/meshfed `
  -FederationBrandName msh.host `
  -PassiveLogOnUri https://<IDP_URL>/auth/realms/meshfed `
  -LogOffUri https://<IDP_URL>/federated-auth/logout `
  -ActiveLogOnUri https://<IDP_URL>/auth/realms/meshfed `
  -SigningCertificate $MySigningCert `
  -PreferredAuthenticationProtocol SAMLP
```
Calling Set-MsolDomainAuthentication again to correct some parameter does not work. In order to do so you must first put the domain back into managed mode via Set-MsolDomainAuthentication -DomainName meshcloud.io -Authentication Managed. After this a new call of Set-MsolDomainAuthentication with different options is possible.
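As an added verification step (not part of the meshcloud documentation), the following PowerShell script reads back what Azure AD now trusts for the federated domain and compares it with the Keycloak realm: the authentication mode, the trusted issuer and login endpoint, and the thumbprint and expiry of the signing certificate. It assumes the MSOnline module and an existing Connect-MsolService session; <IDP_URL> and <KEYCLOAK_CERT_THUMBPRINT> are placeholders you fill in from your realm.

```powershell
# Added check script, not from the meshcloud docs. Requires the MSOnline module
# and a prior Connect-MsolService. $ExpectedThumbprint is the SHA-1 thumbprint of
# the Keycloak realm certificate (Realm Settings -> Keys); placeholder value below.
param(
    [string]$DomainName = "msh.host",
    [string]$IdpUrl = "<IDP_URL>",                                # placeholder
    [string]$ExpectedThumbprint = "<KEYCLOAK_CERT_THUMBPRINT>"    # placeholder
)

$expectedIssuer = "https://$IdpUrl/auth/realms/meshfed"
$problems = @()

# 1. The domain must really be federated, otherwise password logins still work.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Authentication -ne "Federated") {
    $problems += "Domain $DomainName is '$($domain.Authentication)', not 'Federated'."
}

# 2. The issuer and login endpoint Azure AD trusts must point at our Keycloak realm.
$fed = Get-MsolDomainFederationSettings -DomainName $DomainName
if ($fed.IssuerUri -ne $expectedIssuer) {
    $problems += "IssuerUri is '$($fed.IssuerUri)', expected '$expectedIssuer'."
}
if ($fed.PassiveLogOnUri -ne $expectedIssuer) {
    $problems += "PassiveLogOnUri is '$($fed.PassiveLogOnUri)', expected '$expectedIssuer'."
}
if ($fed.PreferredAuthenticationProtocol -ne "Samlp") {
    $problems += "Protocol is '$($fed.PreferredAuthenticationProtocol)', expected SAMLP."
}

# 3. Decode the trusted signing certificate; a wrong key means tokens from an
#    unexpected issuer would be accepted, an expiring one means SSO will break.
$der  = [Convert]::FromBase64String($fed.SigningCertificate)
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
if ($cert.Thumbprint -ne $ExpectedThumbprint) {
    $problems += "Signing cert thumbprint $($cert.Thumbprint) does not match the Keycloak realm key."
}
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 30) {
    $problems += "Signing cert expires in $daysLeft days ($($cert.NotAfter)); re-federate (Managed -> Federated) with the new key."
}

if ($problems.Count -eq 0) {
    Write-Host "Federation settings for $DomainName match the expected Keycloak realm."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it right after the Set-MsolDomainAuthentication call and again whenever the Keycloak realm key is rotated, since the page notes that settings cannot be changed in place.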
In order to allow meshFed to access and replicate the Azure users there needs to be a way to access the Subscription. This is done via a Service Principal (which is basically an app). The app must be authorized in the scope of the subscription.
- Under Azure Active Directory → App registrations create a new web app (call it e.g. meshSync).
- Add a client secret under Certificates & secrets and write it down.
- Add the Directory.ReadWrite.All permission and click Grant permissions.
The App must also have access to the Subscription you plan to use. The easiest way is to add the app to the Subscription as well. This grants the necessary rights. In the Azure Portal follow these steps:
- Under Subscriptions → Access control (IAM) click on Add a role assignment.
- Search for the name of the app you created earlier (meshSync) and select it.
- Grant the role Owner to the app.
To enable the replication the meshFed Azure replicator needs the platform instance configuration as a .yml file. A possible configuration could look like this:

```yaml
replicator-azure:
  platforms:
    - platform: azure.meshcloud-azure-dev
      clientId: <APP_CLIENT_UUID>
      secret: "<APP_CLIENT_SECRET>"
      applicationTennant: meshcloud.io # This is the Azure AD tenant ID
      federatedActiveDirectoryDomain: msh.host # Federated Domain
      region: West US # The region where the Resource Groups will be created
      subscription: <SUBSCRIPTION_UUID>
```
- Logout in the Azure Panel is currently not possible. You need to logout from the meshPanel.
- All Projects in one Azure location are mapped to a single Subscription. As a workaround, multiple Azure locations can be registered. This will be changed soon.