Azure AD - OIDC

In order to use Azure Active Directory (AAD) as an IdP to authenticate the Akeyless Vault via OIDC, you need to follow the below steps.

Create an application

1. In your Azure account, go to App registrations > New registrations.

2. For Redirect URI type select Web for Application type
   Set https://auth.akeyless.io/oidc/callback as a value and press Register.

3. Once the app has been created, you need to obtain the Client ID, Client Secret, and the Issuer URL:

• The Client Id can be fetched from Overview > Application (client) ID:

• The Client Secret can be created under Certificates & secrets > New Client Secret (make sure to copy the Secret Value, not the Secret ID):

• The Issuer URL can be fetched from Overview > Endpoints > OpenID Connect metadata document (note that the suffix /.well-known/openid-configuration should be omitted so that the Issuer URL will look like: https://login.microsoftonline.com/tenant-id-abcd-efgh-a123-b456/v2.0):

4. In order to add the AD group as a sub claim, go to Token configuration > Add Groups Claim:

5. In order to bind the Azure application with your Akeyless Vault account, you need to create an OIDC Authentication Method using either CLI or UI, as described below.

Create OIDC Authentication Method - CLI

akeyless create-auth-method-oidc --name 'my Azure app' --issuer https://{your-issuer-url} --client-id {your-client-id}  --client-secret {your-client-secret} --unique-identifier {your-unique-identifier (e.g 'email' or 'username'')}

*This can also be done from the Console UI by creating a New OIDC Auth Method and filling in the same required parameters.

Notice the unique-identifier must be an available claim, which out of the box might be the "preferred_username" field.
If you wish to use a field such as "email" instead, make sure to first Add optional claim under Token configuration (in the Azure App), and add the "email" claim.

To log in with SSO to Akeyless with your new Azure AD OIDC auth method, login to the Console, browse to Auth Methods, select the newly created OIDC auth method, and hit the "Generate OIDC Bookmark URL" - this will provide you with the SSO link.

Login with OIDC - CLI

You should configure a new profile with your Access-ID from the previous step and OIDC type (if no profile name is provided the default will be configured):

akeyless configure --access-id <your access ID >  --access-type oidc --profile 'azure-app'

Now, you can run any Akeyless CLI command and be authenticated with the Azure application:

akeyless list-items --profile azure-app