
ApsaraMQ for Kafka: Use SSO to log on to Control Center

Last Updated: Jun 05, 2025

ApsaraMQ for Confluent allows you to log on to Control Center using single sign-on (SSO). This topic describes the required operations before using SSO to log on to Control Center.

Background information

SSO is an authentication mechanism that allows you to access multiple mutually trusted applications with a single logon. ApsaraMQ for Confluent supports SSO logon to Control Center through third-party identity providers. This simplifies the logon process, strengthens password security, enables centralized permission management, and reduces O&M complexity.

Usage notes

  • ApsaraMQ for Confluent supports only SSO logon to Control Center using the OAuth protocol.

  • This topic describes how to perform SSO logon to Control Center using Azure Active Directory (Azure AD).

Process

[Process flowchart]

Procedure

Step 1: Configure the third-party authentication server

  1. Log on to Microsoft Entra.

  2. In the left-side navigation pane, select Applications > App registrations.

  3. On the App registrations page, click New registration. On the Register an application page, follow the on-screen instructions to configure the parameters and click Register.

    Note

    The redirect URI must be in the format https://<Control Center base URL>/api/metadata/security/1.0/oidc/authorization-code/callback, where <Control Center base URL> is the public endpoint (port number excluded) of the CONTROL_CENTER service of your ApsaraMQ for Confluent instance. You can view the public endpoint of the CONTROL_CENTER service on the Access Links and Ports page in the ApsaraMQ for Confluent console.


    After you register an application, its registration details are displayed.

  4. In the left-side navigation pane, click Certificates & secrets. On the Client secrets tab, click New client secret.

  5. In the Add a client secret panel, follow the on-screen instructions to configure the parameters and click Add.


Step 2: Obtain information about the third-party authentication server

  1. Initiate a GET request to access https://login.microsoftonline.com/${Tenant ID}/v2.0/.well-known/openid-configuration to obtain authentication information. You can obtain the tenant ID in the Essentials section of the Overview page corresponding to the application.


  2. Assemble the obtained authentication information based on the following JSON template:

    {
        "ssoConfig": {
            "ClientId": "",
            "TokenBaseEndpointUri": "",
            "Issuer": "",
            "ClientSecret": "",
            "AuthorizeBaseEndpointUri": "",
            "JwksEndpointUri": ""
        }
    }

    The following table describes the relationships between the parameters in the template and the obtained authentication information.

    | Parameter                | Obtained authentication information | Description                                                                                                                   |
    |--------------------------|-------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|
    | ClientId                 | None                                | The application (client) ID. You can obtain the ID in the Essentials section of the Overview page corresponding to the application. |
    | TokenBaseEndpointUri     | token_endpoint                      | None.                                                                                                                         |
    | Issuer                   | issuer                              | None.                                                                                                                         |
    | ClientSecret             | None                                | The secret ID. You can obtain the ID on the Client secrets tab of the Certificates & secrets page.                            |
    | AuthorizeBaseEndpointUri | authorization_endpoint              | None.                                                                                                                         |
    | JwksEndpointUri          | jwks_uri                            | None.                                                                                                                         |
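The following script is an added example (not code from the Alibaba Cloud documentation) that carries out Step 2 end to end: it fetches the OpenID discovery document for a tenant, maps the four discovery keys from the table above onto the ssoConfig template, and refuses to produce the JSON if a key is missing, an endpoint is not HTTPS, or the issuer does not belong to the tenant you asked for. The tenant ID, client ID and client secret are placeholders, and the embedded discovery document is a constructed sample shaped like Azure AD's, so the example runs offline; for real use call fetch_discovery with your tenant ID.

```python
import json
import urllib.request

# Discovery-document keys -> ssoConfig template keys (the mapping from the table in Step 2).
DISCOVERY_TO_SSO = {
    "token_endpoint": "TokenBaseEndpointUri",
    "issuer": "Issuer",
    "authorization_endpoint": "AuthorizeBaseEndpointUri",
    "jwks_uri": "JwksEndpointUri",
}

# Key order of the ssoConfig template in Step 2, kept so the ticket attachment is easy to review.
TEMPLATE_ORDER = (
    "ClientId", "TokenBaseEndpointUri", "Issuer",
    "ClientSecret", "AuthorizeBaseEndpointUri", "JwksEndpointUri",
)


def discovery_url(tenant_id: str) -> str:
    """Well-known OpenID configuration URL for an Azure AD tenant, as given in Step 2."""
    return (f"https://login.microsoftonline.com/{tenant_id}"
            "/v2.0/.well-known/openid-configuration")


def fetch_discovery(tenant_id: str, timeout: float = 10.0) -> dict:
    """Perform the GET request from Step 2 and parse the JSON response (needs network access)."""
    with urllib.request.urlopen(discovery_url(tenant_id), timeout=timeout) as resp:
        return json.load(resp)


def build_sso_config(discovery: dict, tenant_id: str,
                     client_id: str, client_secret: str) -> dict:
    """Fill the ssoConfig template from a discovery document, refusing inconsistent input."""
    missing = [k for k in DISCOVERY_TO_SSO if k not in discovery]
    if missing:
        raise ValueError(f"discovery document is missing {missing}")
    for key in DISCOVERY_TO_SSO:
        if not str(discovery[key]).startswith("https://"):
            raise ValueError(f"{key} is not an https URL: {discovery[key]!r}")
    # Azure AD v2.0 issuers embed the tenant ID. A mismatch means the document came
    # from a different tenant than intended; Control Center would then reject every
    # token, so fail here rather than after the ticket has been processed.
    expected_issuer = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if discovery["issuer"] != expected_issuer:
        raise ValueError(f"issuer {discovery['issuer']!r} != {expected_issuer!r}")
    if not client_id or not client_secret:
        raise ValueError("ClientId and ClientSecret come from the Azure portal and must be set")

    values = {"ClientId": client_id, "ClientSecret": client_secret}
    for src, dst in DISCOVERY_TO_SSO.items():
        values[dst] = discovery[src]
    return {"ssoConfig": {k: values[k] for k in TEMPLATE_ORDER}}


def redact(config: dict) -> dict:
    """Copy of the config with the client secret masked, for logs or review outside the ticket."""
    sso = dict(config["ssoConfig"])
    sso["ClientSecret"] = "***REDACTED***"
    return {"ssoConfig": sso}


# Constructed sample: a placeholder tenant ID and a discovery document shaped like
# the one Azure AD returns. Real documents carry many more keys; they are ignored.
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_DISCOVERY = {
    "token_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/oauth2/v2.0/token",
    "issuer": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/oauth2/v2.0/authorize",
    "jwks_uri": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/discovery/v2.0/keys",
    "response_types_supported": ["code"],
}

if __name__ == "__main__":
    # Real use: discovery = fetch_discovery("<your tenant ID>")
    # The client secret value is a placeholder; Azure shows the real value only when it is created.
    cfg = build_sso_config(SAMPLE_DISCOVERY, SAMPLE_TENANT,
                           "<application (client) ID>", "<client secret value>")
    print(json.dumps(redact(cfg), indent=4))
```

Only the unredacted output of build_sso_config goes into the ticket in Step 4; the redacted form is what you keep in change records, since ClientSecret is a credential that grants your Control Center's identity at the identity provider.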

Step 3: Grant permissions to the account used for SSO logon

After SSO logon authentication is enabled, you can log on to Control Center only by using SSO. Therefore, you must create an account for SSO logon authentication on your ApsaraMQ for Confluent instance in advance. When you perform SSO logon using Azure AD, the email address of the account is used as the profile information. You must grant this email address the SystemAdmin role on all clusters in Control Center, so that you can later use the account to grant permissions to other SSO users. For more information, see RBAC authorization.

The following table describes the resource types and roles for the clusters.

| Cluster type    | Resource type | Role        |
|-----------------|---------------|-------------|
| Kafka cluster   | Cluster       | SystemAdmin |
| KSQL            | Cluster       | SystemAdmin |
| Schema Registry | Cluster       | SystemAdmin |
| Connect cluster | Cluster       | SystemAdmin |

Step 4: Submit a ticket to enable SSO logon authentication

To enable SSO logon authentication, submit a ticket. The ticket must include the JSON data assembled in Step 2, the region where your ApsaraMQ for Confluent instance resides, and the instance ID.