Azure AD

This section will guide you through using Azure AD as an OIDC provider for Kubeflow.

What You’ll Need


  1. Sign in to the Azure portal.

  2. Optional

    If you have access to multiple tenants, use the Directories+subscriptions filter in the top menu to switch to the tenant in which you want to register the application.

  3. Search for and select Azure Active Directory.

  4. Under the Manage section, select App registrations.

  5. Then, select New registration.

  6. For the new registration:

    1. Enter a display name for your application:

      Display Name: rok-<REGION>-<CLUSTERNAME>-authservice

      Replace:

      • <REGION> with the region of your cluster, for example northamerica-northeast1-b.
      • <CLUSTERNAME> with the name of your cluster, for example arrikto-cluster.
    2. Select Accounts in this organizational directory only.


      This registers a single-tenant application: only users (and guests) of your own tenant can sign in to it. Accounts from other Azure AD tenants and personal Microsoft accounts are rejected by Azure AD before they ever reach AuthService.

    3. In the Redirect URI section, select Web and enter https://<FQDN>/authservice/oidc/callback. Azure AD only redirects to URIs registered here and compares them exactly, so the scheme, host and path must match what AuthService sends.

      Replace <FQDN> with the FQDN for your cluster, for example

    4. Click Register.

  7. The Azure portal will redirect you to the Overview page. From there, find the Application (client) ID field and copy its value to your clipboard, as you are going to use this value in later steps.

  8. Retrieve the issuer URL.

    1. Click on the Endpoints tab

    2. From the value of the OpenID Connect metadata document field, retrieve the issuer URL by discarding the well-known path, that is, everything from /.well-known/openid-configuration onward. The result must match the issuer field inside that metadata document exactly, because OIDC clients reject a provider whose advertised issuer differs from the configured one.

      For example if the value is then the issuer URL will be

      Copy this value to your clipboard, as you are going to use this value in later steps.

  9. Under the Manage section, select Certificates & secrets.

  10. Then, select New client secret.

  11. For the new client secret:

    1. Add a description.

    2. Determine an expiration date.


      The maximum expiration date that you can set is 24 months. After that period of time you will need to generate a new secret for your client and repeat the steps below with its value.

    3. Click Add.

  12. Now you can retrieve the generated client secret under the Value column. Copy its value to your clipboard, as you are going to use this value in later steps. The value is shown only once; after you leave this page only the secret ID remains visible, and you would have to create a new secret.

  13. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:/# cd ~/ops/deployments
  14. Specify the client ID:

    root@rok-tools:~/ops/deployments# export OIDC_CLIENT_ID=<CLIENT_ID>

    Replace <CLIENT_ID> with the client ID you copied in step 7.

  15. Specify the client secret:

    root@rok-tools:~/ops/deployments# export OIDC_CLIENT_SECRET=<CLIENT_SECRET>

    Replace <CLIENT_SECRET> with the client secret you copied in step 12.

  16. Render the AuthService credentials:

    root@rok-tools:~/ops/deployments# j2 kubeflow/manifests/common/oidc-authservice/overlays/deploy/secret_params.env.j2 \
    > -o kubeflow/manifests/common/oidc-authservice/overlays/deploy/secret_params.env
  17. Set the public URL of your EKF installation:

    root@rok-tools:~/ops/deployments# export FQDN=<FQDN>

    Replace <FQDN> with your installation's public URL. For example:

    root@rok-tools:~/ops/deployments# export
  18. Set the issuer URL of your OIDC provider:

    root@rok-tools:~/ops/deployments# export OIDC_PROVIDER=<ISSUER>

    Replace <ISSUER> with the issuer URL you copied in step 8b.

  19. Configure AuthService to convert user emails to usernames:

    root@rok-tools:~/ops/deployments# export USERID_TRANSFORMERS='[{"matches": "@<DOMAIN>", "replaces": "" }]'

    Replace <DOMAIN> with the domain of your organization, writing every dot as \\. (see below). For example:

    root@rok-tools:~/ops/deployments# export USERID_TRANSFORMERS='[{"matches": "@example\\.com", "replaces": "" }]'

    Make sure to write the dot as \\. and not as a bare ., since matches is a regular expression and an unescaped . matches any single character. The single-quoted shell string keeps both backslashes, the JSON parser turns "\\." into \., and the regular expression then matches a literal dot. With this example domain, AuthService will convert user IDs like user@example.com into user.


    USERID_TRANSFORMERS accepts a JSON formatted list of UserID transformation rules with the following format:

    USERID_TRANSFORMERS=[{"matches": "regex", "replaces": "value" }]

    AuthService transforms the UserID by finding the first rule whose regex matches the UserID and replacing the matched portion with value, as the example above shows: the match "@example.com" is replaced and "user" remains. Keep the regex specific to your own domain so that it cannot match more of the UserID than you intend.

  20. Set the Azure AD settings and render the AuthService configuration:

    root@rok-tools:~/ops/deployments# export USERID_CLAIM=email
    root@rok-tools:~/ops/deployments# export OIDC_SCOPES=profile,email,openid
    root@rok-tools:~/ops/deployments# export AUTHSERVICE_URL_PREFIX=https://${FQDN?}/authservice/
    root@rok-tools:~/ops/deployments# export TEMPLATE_PATH=''
    root@rok-tools:~/ops/deployments# j2 kubeflow/manifests/common/oidc-authservice/overlays/deploy/params.env.j2 \
    > -o kubeflow/manifests/common/oidc-authservice/overlays/deploy/params.env
  21. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Use the Azure AD OIDC provider for Kubeflow authentication"
  22. Apply the manifests:

    root@rok-tools:~/ops/deployments# rok-deploy --apply install/kubeflow
  23. Restart the AuthService pods manually so that they pick up the new configuration:

    root@rok-tools:~/ops/deployments# kubectl delete pods -n istio-system -l app=authservice
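The two values derived by hand in this procedure, the issuer URL cut from the metadata document URL (step 8) and the USERID_TRANSFORMERS rules (step 19), are easy to get subtly wrong. The following Go program is an added example written for this page; it is not AuthService's own code. It derives the issuer the way step 8b describes, checks it against the issuer field of a discovery document, and applies transformation rules with the semantics the page states (first matching regex wins, the matched text is replaced), showing why the dot must be escaped. The metadata URL, tenant ID, discovery document and user IDs are constructed samples.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Added example, not AuthService's own code. Reproduces the issuer derivation
// (step 8) and the USERID_TRANSFORMERS rules (step 19) as the documentation
// describes them. All inputs below are constructed; the tenant ID is a placeholder.

const wellKnownSuffix = "/.well-known/openid-configuration"

// IssuerFromMetadataURL discards the well-known path from the OpenID Connect
// metadata document URL, which is what step 8b asks you to do by hand.
func IssuerFromMetadataURL(metadataURL string) (string, error) {
	if !strings.HasSuffix(metadataURL, wellKnownSuffix) {
		return "", fmt.Errorf("not an OIDC metadata document URL: %s", metadataURL)
	}
	return strings.TrimSuffix(metadataURL, wellKnownSuffix), nil
}

// CheckIssuer compares the value you intend to export as OIDC_PROVIDER with the
// "issuer" field of the discovery document. OIDC discovery requires the two to
// be identical, so a stray trailing slash shows up here rather than at login.
func CheckIssuer(configured string, discoveryDoc []byte) error {
	var doc struct {
		Issuer string `json:"issuer"`
	}
	if err := json.Unmarshal(discoveryDoc, &doc); err != nil {
		return fmt.Errorf("discovery document is not valid JSON: %w", err)
	}
	if doc.Issuer != configured {
		return fmt.Errorf("issuer mismatch: configured %q, provider advertises %q", configured, doc.Issuer)
	}
	return nil
}

// Rule is one element of the USERID_TRANSFORMERS JSON list.
type Rule struct {
	Matches  string `json:"matches"`
	Replaces string `json:"replaces"`
}

// TransformUserID applies the first rule whose regex matches the user ID and
// replaces the matched text with the rule's value. The regex is applied
// unanchored here, so only the matched substring changes; an unescaped "."
// in the domain matches any character. IDs matching no rule pass through.
func TransformUserID(rulesJSON, userID string) (string, error) {
	var rules []Rule
	if err := json.Unmarshal([]byte(rulesJSON), &rules); err != nil {
		return "", fmt.Errorf("USERID_TRANSFORMERS is not valid JSON: %w", err)
	}
	for _, r := range rules {
		re, err := regexp.Compile(r.Matches)
		if err != nil {
			return "", fmt.Errorf("rule %q: %w", r.Matches, err)
		}
		if re.MatchString(userID) {
			return re.ReplaceAllString(userID, r.Replaces), nil
		}
	}
	return userID, nil
}

func main() {
	// Constructed sample: metadata URL shaped like the Endpoints tab value for a
	// placeholder tenant, and the matching "issuer" of its discovery document.
	tenant := "00000000-0000-0000-0000-000000000000"
	metadataURL := "https://login.microsoftonline.com/" + tenant + "/v2.0" + wellKnownSuffix
	issuer, err := IssuerFromMetadataURL(metadataURL)
	if err != nil {
		panic(err)
	}
	discovery := []byte(`{"issuer": "https://login.microsoftonline.com/` + tenant + `/v2.0"}`)
	fmt.Println("OIDC_PROVIDER =", issuer, "check:", CheckIssuer(issuer, discovery))
	fmt.Println("with trailing slash:", CheckIssuer(issuer+"/", discovery))

	// Raw strings hold the exact bytes the single-quoted shell value leaves in
	// the environment: the JSON parser decodes "\\." to the regex "\.".
	escaped := `[{"matches": "@example\\.com", "replaces": "" }]`
	unescaped := `[{"matches": "@example.com", "replaces": "" }]`
	for _, id := range []string{"user@example.com", "user@examplexcom", "guest@other.org"} {
		a, _ := TransformUserID(escaped, id)
		b, _ := TransformUserID(unescaped, id)
		fmt.Printf("%-18s escaped -> %-18s unescaped -> %s\n", id, a, b)
	}
}
```

Run it with `go run` before exporting the variables: the escaped rule leaves user@examplexcom untouched while the unescaped one strips it to user, and an issuer with a trailing slash fails the check that a real OIDC client performs at startup.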

Verify

  1. Ensure that the authservice StatefulSet is running. Verify that the STATUS field is Running and the READY field is 1/1:

    root@rok-tools:~/ops/deployments# kubectl get pods -n istio-system -l app=authservice
    NAME            READY   STATUS    RESTARTS   AGE
    authservice-0   1/1     Running   0          13s
  2. Log in with your Azure AD credentials at https://<FQDN>, where <FQDN> is the public URL of your EKF installation. For example,


You have successfully configured your EKF installation to allow users to log in with their Azure AD credentials.

What’s Next

Check out the rest of the services you can integrate Arrikto EKF with.