OpenObserve
Log In
Mobile View Menu

Table of Contents

azure_dex_sso.gif

Why Use Dex for Authentication?

Dex is an identity service that provides authentication for applications via OpenID Connect (OIDC) and other identity protocols. It acts as a bridge between identity providers like Azure Active Directory (Azure AD) and applications like OpenObserve, enabling seamless Single Sign-On (SSO) integration. Dex simplifies user authentication, supports multiple identity providers, and allows organizations to enforce centralized authentication policies.

Why Choose Azure OIDC Over SAML?

While both OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) are used for authentication, OIDC is often preferred over SAML for modern applications due to the following reasons:

  • Simplified Implementation: OIDC is a lightweight authentication layer built on top of OAuth 2.0, making it easier to configure and integrate with web applications.
  • Better Mobile and API Support: Unlike SAML, which relies on XML-based assertions, OIDC uses JSON-based tokens (JWT), making it more suitable for mobile and API-based authentication.
  • Improved Security: OIDC supports more advanced security features like Proof Key for Code Exchange (PKCE), reducing risks associated with token interception.
  • Enhanced Performance: Since OIDC operates over RESTful APIs, it is more performant compared to the XML-based structure of SAML, which can introduce additional overhead.

Step-by-Step Guide to Configuring Azure SSO with OpenObserve Dex

Follow these steps to configure Azure AD as an identity provider for OpenObserve using Dex:

  1. Create an Azure AD Application Go to Azure portal and create an app by providing a name. azure app

Leave the default parameters as is since we want to configure this for single tenant. azure app

Once created, you will be able to see the below details which will be of later use. azure app

  1. Configure API Permissions in Azure AD Go to API permissions and click on Add a permission azure app

Click on Microsoft Graph azure app

Click on Delegated permissions and select email, offline_access, openid and profile azure app

Search and select Group.Read.All permissions. azure app

Finally, save everything azure app

  1. Generate Client ID and Client Secret azure app

The app has been removed so added the secret value here for more detailed explanation. azure app

  1. Set Up Redirect URIs

Click on Add a platform and select Web azure app

Enter the URI that will be configured in step-5 for redirectURI parameter. azure app

Finally, save it. azure app

  1. Configure Dex in O2 values.yaml

Copy the below snippet and make needed changes that are mentioned in the comments to be able to integrate Azure App into the connector. 

  dex:
    enabled: true
    parameters:
      O2_CALLBACK_URL: https://domain.example.com/web/cb
      O2_DEX_SCOPES: openid profile email groups offline_access
      O2_DEX_GROUP_ATTRIBUTE: ou
      O2_DEX_DEFAULT_ORG: default
      O2_DEX_DEFAULT_ROLE: user
      O2_DEX_ROLE_ATTRIBUTE: role
      O2_DEX_NATIVE_LOGIN_ENABLED: "true"
      O2_DEX_GROUP_CLAIM: "groups"
      O2_DEX_LDAP_GROUP_ATTRIBUTE: "ou"
      O2_DEX_LDAP_ROLE_ATTRIBUTE: "cn"
    config:
      issuer: https://domain-auth.example.com/dex
      storage:
        type: kubernetes
        config:
          inCluster: true
      web:
        http: 0.0.0.0:5556
      expiry:
        idTokens: 10m
        refreshTokens:
          validIfNotUsedFor: 60m
      staticClients:
        - id: o2-client
          redirectURIs:
            - https://domain.example.com/config/redirect
          name: o2-client
          secret: <> # This should be base64 encoded value of client secret.Gets mapped to O2_DEX_CLIENT_SECRET
      oauth2:
        responseTypes:
          - code
        skipApprovalScreen: true
      connectors:
        - type: microsoft
          # Required field for connector id.
          id: microsoft # if you want to add multiple connectors of same tenant or multi-tenant then change the id by keeping the prefix as microsoft-
          # Required field for connector name.
          name: Microsoft
          config:
            # Credentials can be string literals or pulled from the environment.
            clientID: b9087229-dummy # add this from step3
            clientSecret: 4qH8Q-dummy # add this from step5
            redirectURI: https://domain-auth.example.com/dex/callback
            tenant: eehuh-dummy # add this from step3
  1. Verify SSO Login and Debug Any Issues

Finally upgrade/ install o2 via helm and then you will see Login with SSO that will allow yours users to login who belongs to your tenant. azure app

Conclusion

Integrating Azure AD with OpenObserve using Dex provides a secure, scalable, and modern authentication solution. By leveraging OpenID Connect, organizations can ensure seamless user authentication, improve security, and enhance performance compared to legacy authentication protocols like SAML. This setup not only simplifies user access management but also aligns with best practices for cloud-native applications. With Dex handling authentication, OpenObserve benefits from centralized identity management, reducing administrative overhead and ensuring a streamlined user experience.

About the Author
Chaitanya Sistla

Chaitanya Sistla

Chaitanya Sistla is a Principal Solutions Architect with 16X certifications across Cloud, Data, DevOps, and Cybersecurity. Leveraging extensive startup experience and a focus on MLOps, Chaitanya excels at designing scalable, innovative solutions that drive operational excellence and business transformation.

Latest From Our Blogs

June '25 Pricing Policy Updates for OpenObserve Cloud
Announcement
Openobserve

June '25 Pricing Policy Updates for OpenObserve Cloud

OpenObserve is transitioning to a fully usage-based pricing model effective June 2nd, 2025, eliminating minimum fees and the free tier. The new pay-as-you-go structure charges $0.30 per GB for log, metric, and trace ingestion, with additional fees for queries, pipelines, and advanced features like RUM and error tracking. Existing free-tier customers receive a 30-day exemption period, while current standard-tier customers will have their flat monthly fees removed after 30 days. New customers can access a 14-day free trial. The company emphasizes that their open-source version remains completely free for self-hosting, providing users with flexibility to choose between managed cloud services or self-managed deployments. This pricing change aims to create a more transparent, scalable cost structure that aligns charges with actual resource consumption while supporting OpenObserve's continued development and platform improvements.Description - OpenObserve announces usage-based pricing starting June 2025. Free tier ends, pay-as-you-go begins at $0.30/GB ingestion. 30-day transition period for existing users. Self-hosting remains free.

Jake Swiss
Jake Swiss
2025-06-02
Implementing Real-Time Anomaly Detection with OpenObserve and Random Cut Forest
How to
OpenobserveEnterprise

Implementing Real-Time Anomaly Detection with OpenObserve and Random Cut Forest

This comprehensive guide explains how to implement real-time anomaly detection using OpenObserve and the Random Cut Forest algorithm for time series data. Learn what anomaly detection is, how OpenObserve streamlines monitoring, and step-by-step instructions for setting up a robust anomaly detection system. Discover common challenges, troubleshooting tips, and best practices for scalable, cost-effective anomaly detection solutions.

Prabhat Sharma
Prabhat Sharma
2025-06-01
How to Deploy OpenObserve on Heroku: A Complete Guide
How to
OpenobserveIntegrations

How to Deploy OpenObserve on Heroku: A Complete Guide

Deploy OpenObserve on Heroku without DevOps complexity. Get logs, metrics, and traces monitoring running in minutes with our comprehensive deployment guide.

Chaitanya Sistla
Chaitanya Sistla
2025-05-14
Complete Guide to Retool Enterprise Error Monitoring and Observability
Engineering
EnterpriseObservability

Complete Guide to Retool Enterprise Error Monitoring and Observability

Learn how to implement enterprise-grade error monitoring and observability for Retool applications. Compare native monitoring vs OpenObserve, setup workflows, configure dashboards, and establish best practices for tracking Retool app errors.

Chaitanya Sistla
Chaitanya Sistla
2025-05-14
Complete Fortinet Firewall Monitoring Guide: Log Analysis
Engineering
SecurityLogging

Complete Fortinet Firewall Monitoring Guide: Log Analysis

Learn how to monitor Fortinet firewalls using OpenObserve. Step-by-step guide for syslog setup, log transformation, and creating dashboards for real-time security monitoring.

Chaitanya Sistla
Chaitanya Sistla
2025-05-11
Token Exchange & OpenObserve Service accounts
Engineering
EnterpriseOpenobserve

Token Exchange & OpenObserve Service accounts

Discover OpenObserve’s Service Accounts feature, designed for secure programmatic access to APIs. Learn how token exchange enhances security and simplifies automation.

Manas Sharma
Manas Sharma
2025-05-05
OpenObserve Reaches 15,000 GitHub Stars: A Journey to Provide Simple, Efficient, and Performant Observability for All
Announcement
Openobserve

OpenObserve Reaches 15,000 GitHub Stars: A Journey to Provide Simple, Efficient, and Performant Observability for All

OpenObserve has just surpassed 15,000 stars on GitHub, a milestone that fills me with both pride and gratitude. When we started this project three years ago, the goal was simple yet ambitious: to build an open-source observability platform that is easier, faster, and dramatically more cost-effective than anything out there.

Prabhat Sharma
Prabhat Sharma
2025-04-28
How to Configure Microsoft ADDS LDAP with OpenObserve and Dex: Complete Integration Guide
How to
MicrosoftOpenobserveEnterprise

How to Configure Microsoft ADDS LDAP with OpenObserve and Dex: Complete Integration Guide

Learn how to securely integrate Microsoft Active Directory Domain Services (ADDS) LDAP with OpenObserve and Dex. This step-by-step guide covers authentication configuration, troubleshooting tips, and best practices for enterprise observability solutions.

Chaitanya Sistla
Chaitanya Sistla
2025-04-23
Monitoring Java GC Logs: Enhance Application Performance with OpenObserve
Engineering
LoggingApplication

Monitoring Java GC Logs: Enhance Application Performance with OpenObserve

Learn how to leverage Java GC logs to diagnose memory issues, optimize application performance, and prevent production outages. This guide explains how to interpret GC log patterns and use OpenObserve for practical monitoring and analysis.

Manas Sharma
Manas Sharma
2025-04-18
What is SNMP Monitoring? OpenTelemetry and OpenObserve Guide
Engineering
NetworkOpentelemetry

What is SNMP Monitoring? OpenTelemetry and OpenObserve Guide

Learn how to implement effective SNMP monitoring using OpenTelemetry and OpenObserve. Monitor network devices, servers, and infrastructure with real-time insights and improved troubleshooting.

Manas Sharma
Manas Sharma
2025-04-15