LogoLogo
StackState.comDownloadSupportExplore playground
SUSE Observability
SUSE Observability
  • SUSE Observability docs!
  • Docs for all SUSE Observability products
  • 🚀Get started
    • Quick start guide
    • SUSE Observability walk-through
    • SUSE Rancher Prime
      • Air-gapped
      • Agent Air-gapped
    • SUSE Cloud Observability
  • 🦮Guided troubleshooting
    • What is guided troubleshooting?
    • YAML Configuration
    • Changes
    • Logs
  • 🚨Monitors and alerts
    • Monitors
    • Out of the box monitors for Kubernetes
    • Notifications
      • Configure notifications
      • Notification channels
        • Slack
        • Teams
        • Webhook
        • Opsgenie
      • Troubleshooting
    • Customize
      • Add a monitor using the CLI
      • Derived State monitor
      • Dynamic Threshold monitor
      • Override monitor arguments
      • Write a remediation guide
  • 📈Metrics
    • Explore Metrics
    • Custom charts
      • Adding custom charts to components
      • Writing PromQL queries for representative charts
      • Troubleshooting custom charts
    • Advanced Metrics
      • Grafana Datasource
      • Prometheus remote_write
      • OpenMetrics
  • 📑Logs
    • Explore Logs
    • Log Shipping
  • 🔭Traces
    • Explore Traces
  • 📖Health
    • Health synchronization
    • Send health data over HTTP
      • Send health data
      • Repeat Snapshots JSON
      • Transactional Increments JSON
    • Debug health synchronization
  • 🔍Views
    • Kubernetes views
    • Custom views
    • Component views
    • Explore views
    • View structure
      • Overview perspective
      • Highlights perspective
      • Topology perspective
      • Events perspective
      • Metrics perspective
      • Traces perspective
      • Filters
      • Keyboard shortcuts
    • Timeline and time travel
  • 🕵️Agent
    • Network configuration
      • Proxy Configuration
    • Using a custom registry
    • Custom Secret Management
      • Custom Secret Management (Deprecated)
    • Request tracing
      • Certificates for sidecar injection
  • 🔭Open Telemetry
    • Overview
    • Getting started
      • Concepts
      • Kubernetes
      • Kubernetes Operator
      • Linux
      • AWS Lambda
    • Open telemetry collector
      • Sampling
      • SUSE Observability OTLP APIs
    • Instrumentation
      • Java
      • Node.js
        • Auto-instrumentation of Lambdas
      • .NET
      • SDK Exporter configuration
    • Troubleshooting
  • CLI
    • SUSE Observability CLI
  • 🚀Self-hosted setup
    • Install SUSE Observability
      • Requirements
      • Kubernetes / OpenShift
        • Kubernetes install
        • OpenShift install
        • Alibaba Cloud ACK install
        • Required Permissions
        • Override default configuration
        • Configure storage
        • Exposing SUSE Observability outside of the cluster
      • Initial run guide
      • Troubleshooting
        • Advanced Troubleshooting
        • Support Package (Logs)
    • Configure SUSE Observability
      • Slack notifications
      • E-mail notifications
      • Stackpacks
      • Advanced
        • Analytics
    • Release Notes
      • v2.0.0 - 11/Sep/2024
      • v2.0.1 - 18/Sep/2024
      • v2.0.2 - 01/Oct/2024
      • v2.1.0 - 29/Oct/2024
      • v2.2.0 - 09/Dec/2024
      • v2.2.1 - 10/Dec/2024
      • v2.3.0 - 30/Jan/2025
      • v2.3.1 - 17/Mar/2025
      • v2.3.2 - 22/Apr/2025
      • v2.3.3 - 07/May/2025
    • Upgrade SUSE Observability
      • Migration from StackState
      • Steps to upgrade
      • Version-specific upgrade instructions
    • Uninstall SUSE Observability
    • Air-gapped
      • SUSE Observability air-gapped
      • SUSE Observability Kubernetes Agent air-gapped
    • Data management
      • Backup and Restore
        • Kubernetes backup
        • Configuration backup
      • Data retention
      • Clear stored data
    • Security
      • Authentication
        • Authentication options
        • Single password
        • File-based
        • LDAP
        • Open ID Connect (OIDC)
          • Microsoft Entra ID
        • KeyCloak
        • Service tokens
        • Troubleshooting
      • RBAC
        • Role-based Access Control
        • Permissions
        • Roles
        • Scopes
      • Self-signed certificates
      • External secrets
  • 🔐Security
    • Service Tokens
    • API Keys
  • ☁️SaaS
    • User Management
  • Reference
    • SUSE Observability Query Language (STQL)
    • Chart units
    • Topology Identifiers
Powered by GitBook
LogoLogo

Legal notices

  • Privacy
  • Cookies
  • Responsible disclosure
  • SOC 2/SOC 3
On this page
  • Creating an application in Entra ID
  • Configuring SUSE Observability
  • Used scopes
  1. Self-hosted setup
  2. Security
  3. Authentication
  4. Open ID Connect (OIDC)

Microsoft Entra ID

SUSE Observability Self-hosted

PreviousOpen ID Connect (OIDC)NextKeyCloak

Last updated 4 months ago

Creating an application in Entra ID

  1. Register an application in Entra ID by following

    1. As a display name you can use, for example, SUSE Observability

    2. Select the Web platform and specify the redirect URL: https://<your-stackstate-installation>/loginCallback?client_name=StsOidcClient

    3. When adding credentials use the client secret credentials and make sure to store the secret

  2. The other sections in the Prepare for development section are not required but for a production installation you should follow them to set an owner and possible pre-approve certain scopes (see the next section for the scopes SUSE Observability will request)

  3. Finally make sure SUSE Observability will receive the groups for a user (needed for authorization) by adding the groups claim to the app registration using . Select which types of groups you want to expose, the rest of this document assumes you didn't customize the token properties and SUSE Observability receives the Group Id.

Configuring SUSE Observability

Using the app registration information create a new authentication.yaml file for SUSE Observability:

stackstate:
  authentication:
    oidc:
      # The client id is in the list of essentials on the overview page of the App registration
      clientId: "<Application (client) ID>"
      secret: "<Application (client) secret>"
      # The Directory (Tenant) ID is in the list of essentials on the overview page of the App registration
      discoveryUri: "https://login.microsoftonline.com/<Directory (tenant) ID>/v2.0/.well-known/openid-configuration"
      jwsAlgorithm: RS256
      scope: ["openid", "email", "profile", "offline_access"]
      jwtClaims:
        usernameField: "email"
        groupsField: groups
    roles:
      guest: []
      powerUser: []
      admin: [ "aaaaaaaa-bbbb-1111-2222-aabbccddeeff", "eeeeeeeeee-bbbb-1111-2222-aabbccddeeff" ]
      k8sTroubleshooter: []

Get the values for:

  • Application (client) ID: in the Essentials section on the Overview page of the app registration

  • Application (client) secret: created in step 1 of the previous section and saved somewhere

  • Directory (tenant) ID: in the Essentials section on the Overview page of the app registration

  • The group ids for the different roles: in Entra ID admin browse to Identity > All Groups. The group id's are in the second column labeled Object Id. Decide which Entra ID groups should have which level of permissions and assign them to their respective roles in the above yaml example (removing the 2 example group ids).

Now redeploy SUSE Observability with the helm command used to install but now include the new authentication.yaml file, helm upgrade ... --values authentication.yaml. Make sure to always include this file now when upgrading.

Used scopes

SUSE Observability is configured to requests 4 scopes:

  • openid, to do authentication

  • email, to identify users

  • profile, to be able to request the user profile which contains the groups for the users

  • offline_access, to be able to keep a user logged in for a longer time without re-authentication and to allow the user to use SUSE Observabilities API tokens.

For further details, see .

🚀
this guide
this guide
Permissions and consent in the Microsoft identity platform (learn.microsoft.com)