diff --git a/modules/ROOT/nav.adoc b/modules/ROOT/nav.adoc index eff6da00d5..d15d2e07a2 100644 --- a/modules/ROOT/nav.adoc +++ b/modules/ROOT/nav.adoc @@ -188,7 +188,7 @@ **** xref:console:config/connect-to-redpanda.adoc[Connect to Redpanda] **** xref:console:config/security/index.adoc[Security] ***** xref:console:config/security/authentication.adoc[Authentication] -****** xref:console:config/security/azure-ad.adoc[Azure AD] +****** xref:console:config/security/azure-ad.adoc[Microsoft Entra ID] ****** xref:console:config/security/github.adoc[GitHub] ****** xref:console:config/security/generic-oidc.adoc[Generic OIDC] ****** xref:console:config/security/google.adoc[Google] diff --git a/modules/console/pages/config/security/authentication.adoc b/modules/console/pages/config/security/authentication.adoc index e5ac211ca7..0f64119529 100644 --- a/modules/console/pages/config/security/authentication.adoc +++ b/modules/console/pages/config/security/authentication.adoc @@ -10,7 +10,7 @@ include::shared:partial$enterprise-and-console.adoc[] Redpanda Console supports authentication using OAuth 2.0 or OIDC for external identity providers, such as: -* xref:./azure-ad.adoc[AzureAD] +* xref:./azure-ad.adoc[Microsoft Entra ID] * xref:./google.adoc[Google] * xref:./github.adoc[GitHub] * xref:./keycloak.adoc[Keycloak] diff --git a/modules/console/pages/config/security/azure-ad.adoc b/modules/console/pages/config/security/azure-ad.adoc index efc55e2330..3cc7c56cf0 100644 --- a/modules/console/pages/config/security/azure-ad.adoc +++ b/modules/console/pages/config/security/azure-ad.adoc 
@@ -1,6 +1,6 @@ -= Azure AD SSO Authentication in Redpanda Console += Microsoft Entra ID SSO Authentication in Redpanda Console :page-aliases: manage:security/console/azure-ad.adoc -:description: Integrate Redpanda Console with Azure AD to allow your users to use their Azure AD identities to sign-in to Console. +:description: Integrate Redpanda Console with Microsoft Entra ID to allow your users to use their Microsoft Entra ID identities to sign-in to Console. :page-categories: Management, Security, Redpanda Console 
@@ -9,14 +9,16 @@ include::shared:partial$enterprise-and-console.adoc[] ==== -By integrating Redpanda Console with Azure AD, your users can sign in to Redpanda Console using their Azure AD login credentials. +By integrating Redpanda Console with Microsoft Entra ID, your users can sign in to Redpanda Console using their Microsoft Entra ID login credentials. + +NOTE: Although the identity service is now called Microsoft Entra ID, the Redpanda Console configuration key remains `azureAd` for backward compatibility. Any reference to `azureAd` in the configuration refers to Microsoft Entra ID. == Prerequisites You must have: -* An https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/sign-up-organization[Azure AD account^] and permissions to create applications within your directory. -* A registered OIDC application with Azure AD configured as the OpenID Connect (OIDC) provider. For more information about using OIDC, see the https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc[Microsoft documentation^]. +* An https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/sign-up-organization[Microsoft Entra ID account^] and permissions to create applications within your directory. +* A registered OIDC application with Microsoft Entra ID configured as the OpenID Connect (OIDC) provider. For more information about using OIDC, see the https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc[Microsoft documentation^]. + When you https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app[register the application^], provide the following inputs when prompted: + 
@@ -25,7 +27,7 @@ When you https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-re ** *Redirect URI*: Enter the domain where Redpanda Console is hosted followed by the `/login/callbacks/azure-ad` path. For example, `+https://console..com/login/callbacks/azure-ad+` or `+https://localhost:8080/login/callbacks/azure-ad+`. + -IMPORTANT: When you configure the identity provider, make a note of the client ID and client secret. You must add these credentials to the <> so that Repanda Console can establish communication with Azure AD. +IMPORTANT: When you configure the identity provider, make a note of the client ID and client secret. You must add these credentials to the <> so that Repanda Console can establish communication with Microsoft Entra ID. == Edit the console configuration file @@ -77,19 +79,19 @@ login: # identifier in the roleBindings as 'name' as well. # Other common options are: # - upn (unique principal name - you need to add the upn - # claim as a claim for id tokens in your Azure AD application) + # claim as a claim for id tokens in your Microsoft Entra ID application) # - email (under certain conditions there's no value for # the email propagated) userIdentifyingClaimKey: "oid" # The directory configuration is only required if you want to use - # Azure AD groups in your role bindings, as described + # Microsoft Entra ID groups in your role bindings, as described # in the next section. # directory: # tenantId: "" ---- -== RBAC Azure AD groups sync +== RBAC Microsoft Entra ID groups sync You can bind roles to Azure groups from your organization by providing the `tenantId` in the directory configuration and adding API permissions to your client application. To retrieve the `tenantId`, go to your registered application in the Azure Active Directory portal. The *Directory (tenant) ID* is listed 
@@ -115,7 +117,7 @@ Next, grant admin consent for the default directory by clicking *Grant admin con == Define role-bindings -When you set up the Azure AD login configuration, you can bind Azure AD users or groups to roles. Following is a sample +When you set up the Microsoft Entra ID login configuration, you can bind Microsoft Entra ID users or groups to roles. Following is a sample role binding: [,yaml] diff --git a/modules/manage/partials/authentication.adoc b/modules/manage/partials/authentication.adoc index 921903f127..81ba88bf40 100644 --- a/modules/manage/partials/authentication.adoc +++ b/modules/manage/partials/authentication.adoc @@ -695,7 +695,7 @@ To upgrade, contact https://redpanda.com/try-redpanda?section=enterprise-trial[R When you enable https://openid.net/developers/how-connect-works/[OIDC^], Redpanda and Redpanda Console can delegate the authentication process to an external identity provider -(IdP) such as Okta, Azure AD, or on-premise Active Directory Federation Service (AD FS). +(IdP) such as Okta, Microsoft Entra ID, or on-premise Active Directory Federation Service (AD FS). With OIDC enabled, Redpanda does not need to manage user credentials directly, but can instead rely on the trusted authentication capabilities of established IdPs. diff --git a/modules/shared/attachments/redpanda-console-config.yaml b/modules/shared/attachments/redpanda-console-config.yaml index 4323b4b238..8f43aeff66 100644 --- a/modules/shared/attachments/redpanda-console-config.yaml +++ b/modules/shared/attachments/redpanda-console-config.yaml 
@@ -354,12 +354,12 @@ kafka: # identifier in the roleBindings as 'name' as well. # Other common options are: # - upn (unique principal name - you need to add the upn - # claim as a claim for id tokens in your Azure AD application) + # claim as a claim for id tokens in your Microsoft Entra ID application) # - email (under certain conditions there's no value for # the email propagated) #userIdentifyingClaimKey: "oid" # The directory configuration is only required if you want to use - # Azure AD groups in your role bindings, as described + # Microsoft Entra ID groups in your role bindings, as described # in the next section. # directory: # tenantId: ""
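Review bot: the rewritten `:description:` line in the first azure-ad.adoc hunk keeps "sign-in to Console", where the verb form "sign in to Console" is wanted; since the rename already touches that line, fix the wording in the same change.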
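Review bot: the new NOTE in the azure-ad.adoc prerequisites hunk covers only the `azureAd` configuration key, but readers of this page also meet the unchanged `/login/callbacks/azure-ad` redirect path and the `azure-ad.adoc` page URL; extend the NOTE to say that the callback path keeps its `azure-ad` name as well, so nobody "corrects" the Redirect URI in their app registration and breaks the login flow. In the same hunk the sign-up link text now reads "Microsoft Entra ID account" while its URL still lives under `azure/active-directory/fundamentals/`; confirm that link still resolves or point it at the Entra equivalent.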
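Review bot: the updated IMPORTANT line in the `@@ -25,7` hunk still carries the pre-existing typo "Repanda Console"; as the line is being edited anyway, correct it to "Redpanda Console". The `<>` cross-reference in the same sentence also shows no target in the diff, which looks like an empty or unfinished xref worth checking in the source.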
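Review bot: the heading in the `@@ -77,19` hunk becomes "RBAC Microsoft Entra ID groups sync", but the unchanged paragraph directly beneath it still says "Azure groups" and tells the reader to find the tenant ID in the "Azure Active Directory portal"; rename those references too so the section does not mix the old and new product names, since the rest of this change is exactly that rename.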
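Review bot: style point on the updated line in manage/partials/authentication.adoc: Microsoft's own name for the product is "Active Directory Federation Services" (plural) and its spelling is "on-premises", so consider "or on-premises Active Directory Federation Services (AD FS)" while the line is being touched.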
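Review bot: the reworded comment in the redpanda-console-config.yaml hunk still ends with "as described in the next section", which made sense in the azure-ad.adoc page the snippet came from but has no referent inside a standalone configuration file; replace it with a pointer to the Entra ID groups sync section of the Console security docs while the comment is being edited.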