Search
Varnish Controller
Introduction Changelog Known Issues Upgrading Deprecation Version 6 Version 5 Version 4 Version 3 Version 2 Version 1 Versioning License Features System Overview Demo Concepts Agent Router RoutingRules Tag VCL Domain Deployment Certificates VCLGroup Deployment Types API Logs Private/Shared Config/ConfigSets Authentication System Admin Regular Users Identity Provider Sessions Examples Authorization Organization Account Permission Examples CLI CLI Examples CLI Manual User Interface API API examples Invalidations Integrations Varnish Statistics Installation Quickstart NATS PostgreSQL Brainz API-GW Agents Routers Containers Identity Provider VCLI Graphical User Interface Mapped Ports Routing Plugins gRPC FAQ Examples Deploying VCL files Change a VCL file Purging multiple paths Banning paths Using Labels Certificates HTTP Routing Routing Decisions Organizations Private Agents Debugging Multiple Regions OIDC - Microsoft Entra (Azure AD) Staged Deployment Drain Traffic Config/ConfigSet

OIDC - Microsoft Entra (Azure AD)

Note: This has been introduced in 6.5.0.

The Varnish Controller supports OpenID Connect logins through Keycloak, but also direct login with OpenID Connect (OIDC) towards Microsoft Entra (Azure Active Directory). Group/role support is not supported, this will be released later. Direct OIDC login requires configuration of Microsoft Entra to retrieve the right URLs and details for the Varnish Controller.

Creating an organization

Before we start configuring in Microsoft Entra, we need to create an organization in the Varnish Controller. As a system administrator navigate to Organizations in the left hand side of the screen. Create a new organization (or select an existing one).

Step 1 - Create organization

For now give the organization a name and hit Create. The organization name is used in the login screen later when your users are logging in into the Varnish Controller. After creation, you are redirected to the edit page of this organization. We need to find the ID of the organization, this is used in the next step.

Step 2 - Finding organization ID

Setting up Microsoft Entra (Azure AD)

Creating our application

Login at the Azure Portal and navigate to Microsoft Entra ID. In the left hand menu under the Manage item navigate to App Registrations. At this page we create a new registration:

Step 1 - New registration

  1. We need to give our application a name, give it a distinctive name to identify later what application this is used for. In our example we use Varnish Controller - Login Example.
  2. We use the Single tenant option for authentication as we only want users from our Directory to be able to login.
  3. We need to select Web in the dropdown and enter a redirect URL for our application, enter the following URL: <API_GW>/api/v1/orgs/<ORG_ID>/callback. Replace <API_GW_HOST> with the public URL of the API-GW and <ORG_ID> with the ID of the organization that will be used for authentication.

Step 2 - New registration

You will be redirected to your newly created Application.

Changing Authentication settings

  1. Navigate under Manage to Authentication
  2. Click on Add URI
  3. Enter the following URL: <UI_HOST>/api/v1/orgs/<ORG_ID>/callback. Replace <UI_HOST> with the public URL of the API-GW and <ORG_ID> with the ID of the organization that will be used for authentication.
  4. Under Implicit grand and hybrid flows we need to check the checkbox for Access tokens
  5. Press the Save button

Step 3 - New registration

Creating a new scope

For the Varnish Controller to be able to parse information out of the access token we need to add our own scope. If this step is skipped, the Varnish Controller is not able to parse the authentication details and will be unable to create the IDP account.

  1. Navigate under Manage to Expose an API
  2. Click on Add a scope
  3. A window will be shown on the right
  4. Press Save and continue

Step 4 - New registration

  1. We will give our scope the name Varnish-Controller
  2. At the question Who can constent?, select Admins and users
  3. In the next field we enter Varnish Controller access
  4. In the next field we enter Allows the app to have Varnish Controller access
  5. The State should be Enabled
  6. Press Add scope at the bottom of the screen

Step 5 - New registration

Configuring API permissions

Next we need to setup the API permissions to allow the Varnish Controller to refresh the authentication tokens and retrieve the required information of the user trying to login.

  1. Navigate under Manage to API permissions
  2. Press on Add a permission
  3. Click on Microsoft Graph

Step 6 - New registration

Adding OpenID Connect permissions

  1. Click on Delegated permissions
  2. Enable all checkboxes for OpenId permissions; email, offline_access, openid and profile should be enabled.
  3. Click Add permissions at the bottom of the screen

Step 7 - New registration

Adding Varnish-Controller permission

  1. Click on Add a permission again
  2. This time we go to the tab My APIs
  3. Click on the Application you have created, in our case Varnish Controller - Login Example

Step 8 - New registration

  1. Select the Varnish-Controller permission
  2. At the bottom of the screen press Add permissions

Step 9 - New registration

Token configuration

  1. Navigate under Manage to Token configuration
  2. Click on Add optional claim
  3. Select the Access for the token type
  4. Enable email and preferred_username
  5. At the bottom of the page click on Add

Step 10 - New registration

Creating the Client Secret

The Varnish Controller will communicate with the Azure API, this API connection needs a Client Secret to allow the Varnish Controller to make authentication requests. This client secret is only shown once! Store it somewhere safe!

  1. Navigate under Manage to Certificates & secrest
  2. In the tab Client secrets click on New client secret
  3. Enter a description fo the client secret, on our case Varnish Controller
  4. Select an expiry date that accommodates your internal policies. After this period a new client secret should be manually generated and configured in the Varnish Controller in order to support OIDC authentication.
  5. At the bottom of the page, click on Add
  6. Copy the value of the client secret in the Value column. This Value is only shown once!

Step 11 - New registration

Step 12 - New registration

Retrieving the Client ID and OpenID Connect endpoint

Now it is time to retrieve the final details of our connection. We have the client secret from the previous step, now we need the client ID and the OIDC manifest URL.

  1. Navigate to Overview
  2. Copy the Application (client) ID and save it
  3. Click on Endpoints
  4. Copy the OpenID Connect metadata document URL and save it

Step 13 - New registration

Step 14 - New registration

Configuring the Organization

Login into the Varnish Controller again and edit the organization that we created in the beginning.

  1. Open the IDP Configuration
  2. As the Base URL enter the OpenID Connect metadata document URL we just copied
  3. As the Client ID enter the Application (client) ID we just copied
  4. As the Client Secret enter the Client Secret we generated previously
  5. The scopes should be filled with offline_access <CLIENT_ID>/.default. Replace the <CLIENT_ID> with the Application (client) ID we just copied.
  6. Click on Save

Step 3 - Varnish Controller

Now we are ready to test the login! Logout as the system administrator.

Logging in with Microsoft Entra

Ensure you are not already logged in into the Varnish Controller.

  1. On the login screen, click on Log in with identity provider.
  2. Enter the name of the organization we have configured for the Microsoft Entra login.
  3. Click on Continue, this will open a new window.

Login - Varnish Controller

A new window will appear from Microsoft. Enter your Microsoft Entra login details and login. Microsoft will ask for consent for the permissions we have configured (The Varnish-Controller access, the email address and the preferred_username). Accept these permission requests. The user is now successfully created and authenticated through Microsoft Entra.

Login - Varnish Controller

Login - Varnish Controller

Manuals
Varnish Enterprise
Varnish Cloud
Varnish Controller
Varnish High Availability
Varnish Custom Statistics
Varnish WAF
Varnish Broadcaster
Varnish Helm Chart
Packages
Docker
News
Varnish Enterprise 6.0.13r8
Varnish Helm Chart 1.6.1
Varnish Controller 6.5.0
Varnish Enterprise 6.0.13r7
Varnish Helm Chart 1.6.0
News archive
Cookie Settings Privacy Policy Contact Us Press Branding
®Varnish Software, Wallingatan 12, 111 60 Stockholm, Organization nr. 556805-6203