Azure Active Directory integration (optional post deployment step)
You can use your organization's Active Directory to allow your users to log into the kdb Insights Enterprise user interface with their existing credentials.
The steps below enable Active Directory as an Identity Provider in kdb Insights Enterprise.
Prerequisites
To successfully install kdb Insights Enterprise on Azure, you need the following:
-
The Application Administrator role to create and manage an App registration for kdb Insights Enterprise.
-
Access to a Bash shell to run the registration script, with the latest version of Azure CLI installed. You can use Azure Cloud Shell for this:
-
The Keycloak admin password and URLs of your kdb Insights Enterprise deployment.
-
kdb Insights CLI installed.
Create the Azure Active Directory App registration
You need an Azure App registration.
To create an Azure App registration:
-
Visit your Azure Active Directory page in the Azure portal.
-
Click on Add > App registration.
-
Choose a user-facing display name and click
Register
. -
Wait for the App registration to be created.
Create the Azure Active Directory group
You can create brand new user groups or leverage existing user groups that are appropriate to link with kdb Insights Enterprise.
As an example you can create separate groups for kdb Insights Enterprise "Users" and "Administrators":
Integrate kdb Insights Enterprise roles and Azure Active Directory groups
Now you need to link kdb Insights Enterprise roles to the Azure Active Directory groups.
You can either use the built-in roles in kdb Insights Enterprise or you can create composite roles and use those to link to your Azure Active Directory group.
- Start a command line session (kdb Insights CLI needs to be available).
-
Create the Identity Provider in Keycloak and link it to the previously created Azure App Registration:
kxi azure idp add \ --azure-tenant-id "<tenant id>" \ --azure-app-registration-name "<app registration name>" \ --hostname "<Insights URL>" \ # defaults to configured value by kxi configure --keycloak-admin-clientid "<Keycloak Admin Client>" \ # defaults to "admin-cli" --keycloak-admin-username "<Keycloak Admin username>" \ # can come from env var: KEYCLOAK_USER --keycloak-admin-password "<Keycloak Admin password>" \ # can come from env var: KEYCLOAK_PASSWORD --keycloak-idp-realm "<Keycloak realm>" \ # defaults to "insights" --keycloak-idp-alias "<IdP alias>" \ # defaults to "aad-idp" --keycloak-idp-display-name "<IdP display name>" # defaults to "Azure AD"
Example command:
kxi azure idp add \ --azure-tenant-id "<tenant id>" \ --azure-app-registration-name "KX Insights Keycloak App" \ --hostname "https://kxinsights.westeurope.cloudapp.azure.com" \ --keycloak-admin-username "<Keycloak Admin username>" \ --keycloak-admin-password "<Keycloak Admin password>"
To see additional options use:
kxi azure idp add --help
-
Link the previously created Identity Provider to an Azure Active Directory group:
kxi azure idp mapper add \ --azure-tenant-id "<tenant id>" \ --azure-ad-group-name "<ad group name>" \ --hostname "<Insights URL>" \ # defaults to configured value by kxi configure --keycloak-admin-clientid "<Keycloak Admin Client>" \ # defaults to "admin-cli" --keycloak-admin-username "<Keycloak Admin username>" \ # can come from env var: KEYCLOAK_USER --keycloak-admin-password "<Keycloak Admin password>" \ # can come from env var: KEYCLOAK_PASSWORD --keycloak-idp-realm "<Keycloak realm>" \ # defaults to "insights" --keycloak-idp-alias "<IdP alias>" \ # defaults to "aad-idp" --keycloak-idp-mapper-name "<Mapper name>" \ # Custom name --keycloak-idp-mapper-roles "<Mapper roles>" # Comma separated role names
Example commands:
kxi azure idp mapper add \ --azure-tenant-id "b722186b-694e-44c2-ab48-542f468d2934" \ --azure-ad-group-name "KX Insights Keycloak Test Group" \ --hostname "https://kxinsights.westeurope.cloudapp.azure.com" \ --keycloak-idp-mapper-name "Maintainers" \ --keycloak-idp-mapper-roles "insights.role.maintainer" \ --keycloak-admin-username "<Keycloak Admin username>" \ --keycloak-admin-password "<Keycloak Admin password>"
To see additional options, use:
kxi azure idp mapper add --help
Test the integration
Once the integration is complete, follow the steps below to login to kdb Insights Enterprise with your Azure Active Directory credentials:
-
Locate the deployment outputs.
-
Locate the resource group of your deployment in Azure.
-
Navigate to the
Deployments
menu. -
Click on the bottom deployment.
-
Click on
Outputs
in the left-hand navigation menu. -
Navigate to the
insightsUiUrl
value in a new browser tab.
-
-
Log in using your Azure credentials.
-
Accept the Permissions requested by the app.
-
You will be directed to the kdb Insights Enterprise user interface.
-
If you have already logged in using the configured Identity Provider are present in the Keycloak User menu.