Why Use Dex for Authentication?

Dex is an identity service that provides authentication for applications via OpenID Connect (OIDC) and other identity protocols. It acts as a bridge between identity providers like Azure Active Directory (Azure AD) and applications like OpenObserve, enabling seamless Single Sign-On (SSO) integration. Dex simplifies user authentication, supports multiple identity providers, and allows organizations to enforce centralized authentication policies.

Why Choose Azure OIDC Over SAML?

While both OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) are used for authentication, OIDC is often preferred over SAML for modern applications due to the following reasons:

• Simplified Implementation: OIDC is a lightweight authentication layer built on top of OAuth 2.0, making it easier to configure and integrate with web applications.
• Better Mobile and API Support: Unlike SAML, which relies on XML-based assertions, OIDC uses JSON-based tokens (JWT), making it more suitable for mobile and API-based authentication.
• Improved Security: OIDC supports more advanced security features like Proof Key for Code Exchange (PKCE), reducing risks associated with token interception.
• Enhanced Performance: Since OIDC operates over RESTful APIs, it is more performant compared to the XML-based structure of SAML, which can introduce additional overhead.

Step-by-Step Guide to Configuring Azure SSO with OpenObserve Dex

Follow these steps to configure Azure AD as an identity provider for OpenObserve using Dex:

1. Create an Azure AD Application Go to Azure portal and create an app by providing a name.

Leave the default parameters as is since we want to configure this for single tenant.

Once created, you will be able to see the below details which will be of later use.

2. Configure API Permissions in Azure AD Go to API permissions and click on Add a permission

Click on Microsoft Graph

Click on Delegated permissions and select email, offline_access, openid and profile

Search and select Group.Read.All permissions.

Finally, save everything

3. Generate Client ID and Client Secret

The app has been removed so added the secret value here for more detailed explanation.

4. Set Up Redirect URIs

Click on Add a platform and select Web

Enter the URI that will be configured in step-5 for redirectURI parameter.

Finally, save it.

5. Configure Dex in O2 values.yaml

Copy the below snippet and make needed changes that are mentioned in the comments to be able to integrate Azure App into the connector.

  dex:
    enabled: true
    parameters:
      O2_CALLBACK_URL: https://domain.example.com/web/cb
      O2_DEX_SCOPES: openid profile email groups offline_access
      O2_DEX_GROUP_ATTRIBUTE: ou
      O2_DEX_DEFAULT_ORG: default
      O2_DEX_DEFAULT_ROLE: user
      O2_DEX_ROLE_ATTRIBUTE: role
      O2_DEX_NATIVE_LOGIN_ENABLED: "true"
      O2_DEX_GROUP_CLAIM: "groups"
      O2_DEX_LDAP_GROUP_ATTRIBUTE: "ou"
      O2_DEX_LDAP_ROLE_ATTRIBUTE: "cn"
    config:
      issuer: https://domain-auth.example.com/dex
      storage:
        type: kubernetes
        config:
          inCluster: true
      web:
        http: 0.0.0.0:5556
      expiry:
        idTokens: 10m
        refreshTokens:
          validIfNotUsedFor: 60m
      staticClients:
        - id: o2-client
          redirectURIs:
            - https://domain.example.com/config/redirect
          name: o2-client
          secret: <> # This should be base64 encoded value of client secret.Gets mapped to O2_DEX_CLIENT_SECRET
      oauth2:
        responseTypes:
          - code
        skipApprovalScreen: true
      connectors:
        - type: microsoft
          # Required field for connector id.
          id: microsoft
          # Required field for connector name.
          name: Microsoft
          config:
            # Credentials can be string literals or pulled from the environment.
            clientID: b9087229-dummy # add this from step3
            clientSecret: 4qH8Q-dummy # add this from step5
            redirectURI: https://domain-auth.example.com/dex/callback
            tenant: eehuh-dummy # add this from step3

6. Verify SSO Login and Debug Any Issues

Finally upgrade/ install o2 via helm and then you will see Login with SSO that will allow yours users to login who belongs to your tenant.

Conclusion

Integrating Azure AD with OpenObserve using Dex provides a secure, scalable, and modern authentication solution. By leveraging OpenID Connect, organizations can ensure seamless user authentication, improve security, and enhance performance compared to legacy authentication protocols like SAML. This setup not only simplifies user access management but also aligns with best practices for cloud-native applications. With Dex handling authentication, OpenObserve benefits from centralized identity management, reducing administrative overhead and ensuring a streamlined user experience.

Get Started with OpenObserve Today!

Sign up for a free trial of OpenObserve on our website. Check out our GitHub repository for self-hosting and contribution opportunities.