Deployment in Azure with Microsoft Entra ID

This document assumes the use of the following:

  • Cloud provider: Microsoft Azure
  • Kubernetes service: Azure Kubernetes Service (AKS)
  • Ingress Controller: Application Gateway Ingress Controller (AGIC)
  • Identity Provider (IdP): Microsoft Entra ID
  • (Optional) cert-manager (to manage TLS certificates)
  • (Optional) ExternalDNS (to synchronize ingresses with the DNS service)

Configuring Patronus AI to use Microsoft Entra ID as an Identity Provider

Configuring Entra ID

  • Go to Microsoft Entra, expand Entra ID and select App registrations.

  • Click on New registration, fill in the app name, select the supported account type (the default, accounts in this organizational directory only, limits sign-in to your own tenant), then under Redirect URI select Web as the platform and add the following URIs:

    • https://<PATRONUS_APP_HOST>
    • https://<PATRONUS_APP_HOST>/oauth2/auth

  • Click on Register button.

  • After the app has been registered, open it again via App registrations, select the new app and then select Authentication. Fill in the Front-channel logout URL with the following:

    • https://<PATRONUS_APP_HOST>/api/auth/logout

  • In the Implicit grant and hybrid flows section, select the ID tokens (used for implicit and hybrid flows) option. The Access tokens option is not needed: vouch consumes only the ID token (azure_token: id_token in the Helm values below).

  • Then go to Certificates & secrets and click on New client secret. Enter a description, select the expiry and click on the Add button. Copy the value of this secret to a secure location: Entra shows it only once, and you will have to create a new secret and update the Helm values before it expires, or sign-in stops working.

Configuring the Helm chart

Once the Entra ID app registration is in place, configure the values.yaml file with the values below (replacing the <...> placeholders; treat <CLIENT_SECRET> as sensitive and keep it out of version control) and apply the changes:

nginx:
  enabled: true
  ingress:
    enabled: true
    hostname: <PATRONUS_APP_HOST>
    ingressClassName: azure-application-gateway
    annotations:
      cert-manager.io/cluster-issuer: <CERT_MANAGER_CLUSTER_ISSUER>
    tls: true
    extraTls:
      - hosts:
        - <PATRONUS_APP_HOST>
        secretName: <PATRONUS_APP_TLS_CERT>
  # https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc#send-a-sign-out-request
  idpLogoutProxypass: http://vouch/oauth2/logout?url=https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://$host;
 
vouch:
  enabled: true
  config:
    vouch:
      domains:
        - <PATRONUS_DOMAIN>
      post_logout_redirect_uris:
        - https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://<PATRONUS_APP_HOST>
    oauth:
      provider: azure
      # Entra ID -> App registrations -> App name -> Overview -> Application (client) ID
      client_id: <CLIENT_ID>
      # Entra ID -> App registrations -> App name -> Certificates & secrets -> Client Secrets (value)
      client_secret: <CLIENT_SECRET>
      # Entra ID -> App registrations -> App name -> Overview -> Endpoints -> OAuth 2.0 authorization endpoint (v2)
      auth_url: https://login.microsoftonline.com/<DIRECTORY_ID>/oauth2/v2.0/authorize
      # Entra ID -> App registrations -> App name -> Overview -> Endpoints -> OAuth 2.0 token endpoint (v2)
      token_url: https://login.microsoftonline.com/<DIRECTORY_ID>/oauth2/v2.0/token
      callback_urls:
        - https://<PATRONUS_APP_HOST>/oauth2/auth
      azure_token: id_token
 
patronus-backend:
  authConfig:
    # Entra ID -> App registrations -> App name -> Overview -> Endpoints -> OpenID Connect metadata document (domain between https:// and /.well-known/openid-configuration)
    idp_domain: login.microsoftonline.com/<DIRECTORY_ID>/v2.0
    # Entra ID -> App registrations -> App name -> Overview -> Application (client) ID
    audience: <CLIENT_ID>
 
patronus-app:
  ingress:
    enabled: false
  appConfig:
    AUTH_STRATEGY: "idp-proxy"
    APP_BASE_URL: https://<PATRONUS_APP_HOST>
    BACKEND_API_PUBLIC_URL: https://<PATRONUS_BACKEND_API_HOST>
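The addresses in these values have to agree with each other and with the app registration, and a mismatch usually surfaces only as a failed redirect after login. The check below is an added example, not part of the Patronus chart or its documentation: it mirrors the values.yaml fragment above as a Python dict with hypothetical host, tenant and client IDs filled in, lists the redirect URIs as entered in Entra, and verifies the places that must line up (callback URLs vs. registered redirect URIs, tenant ID across auth_url, token_url and idp_domain, audience vs. client_id, vouch.domains vs. the ingress host, APP_BASE_URL vs. the ingress host).

```python
"""Cross-checks between the Entra app registration and the Helm values.

Added example, not Patronus chart code. VALUES mirrors the values.yaml
fragment with hypothetical placeholder values; REGISTERED_REDIRECT_URIS is
what was entered under Authentication -> Web -> Redirect URIs.
"""
from urllib.parse import urlparse

# Constructed sample values (hypothetical host, tenant and client ID).
APP_HOST = "patronus.example.com"
DIRECTORY_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
LOGIN = "login.microsoftonline.com"

VALUES = {
    "nginx": {"ingress": {"hostname": APP_HOST}},
    "vouch": {"config": {
        "vouch": {"domains": ["example.com"]},
        "oauth": {
            "client_id": CLIENT_ID,
            "auth_url": f"https://{LOGIN}/{DIRECTORY_ID}/oauth2/v2.0/authorize",
            "token_url": f"https://{LOGIN}/{DIRECTORY_ID}/oauth2/v2.0/token",
            "callback_urls": [f"https://{APP_HOST}/oauth2/auth"],
        },
    }},
    "patronus-backend": {"authConfig": {
        "idp_domain": f"{LOGIN}/{DIRECTORY_ID}/v2.0",
        "audience": CLIENT_ID,
    }},
    "patronus-app": {"appConfig": {"APP_BASE_URL": f"https://{APP_HOST}"}},
}
REGISTERED_REDIRECT_URIS = [f"https://{APP_HOST}", f"https://{APP_HOST}/oauth2/auth"]


def tenant_of(url):
    """'https://login.microsoftonline.com/<tenant>/...' -> '<tenant>'."""
    return urlparse(url).path.strip("/").split("/")[0]


def check_values(values, registered_redirect_uris):
    """Return the list of inconsistencies found (empty when everything agrees)."""
    problems = []
    oauth = values["vouch"]["config"]["oauth"]
    auth_cfg = values["patronus-backend"]["authConfig"]
    host = values["nginx"]["ingress"]["hostname"]

    # 1. Each vouch callback must be a redirect URI Entra knows, on the ingress
    #    host; otherwise Entra answers the authorize request with AADSTS50011.
    for cb in oauth["callback_urls"]:
        if cb not in registered_redirect_uris:
            problems.append(f"callback_url {cb} is not a registered redirect URI")
        if urlparse(cb).hostname != host:
            problems.append(f"callback_url {cb} is not on ingress host {host}")

    # 2. auth_url, token_url and idp_domain must name the same tenant, or the
    #    backend rejects (issuer mismatch) the tokens vouch just accepted.
    tenants = {tenant_of(oauth["auth_url"]), tenant_of(oauth["token_url"]),
               tenant_of("https://" + auth_cfg["idp_domain"])}
    if len(tenants) != 1:
        problems.append(f"tenant differs across auth_url/token_url/idp_domain: {sorted(tenants)}")
    if not auth_cfg["idp_domain"].endswith("/v2.0"):
        problems.append("idp_domain should be the v2.0 issuer (.../<DIRECTORY_ID>/v2.0)")

    # 3. The backend must expect the audience the tokens are minted for.
    if auth_cfg["audience"] != oauth["client_id"]:
        problems.append("patronus-backend audience != vouch client_id")

    # 4. vouch only handles hosts under vouch.domains (cookie domain / redirects).
    domains = values["vouch"]["config"]["vouch"]["domains"]
    if not any(host == d or host.endswith("." + d) for d in domains):
        problems.append(f"{host} is not under any entry of vouch.domains")

    # 5. The app's public base URL must be the ingress host.
    base = values["patronus-app"]["appConfig"]["APP_BASE_URL"]
    if urlparse(base).hostname != host:
        problems.append("APP_BASE_URL host != ingress hostname")
    return problems


if __name__ == "__main__":
    print("\n".join(check_values(VALUES, REGISTERED_REDIRECT_URIS) or ["values are consistent"]))
```

Run it against your own filled-in values before `helm upgrade`; an empty result means the registration and the chart agree, and each reported line names the key to fix.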

Configuring Admin Portal

Go to the Admin Portal. In Accounts, create a new account with the following settings:

  • Account Name: <ACCOUNT_NAME>
  • Owner Email: <YOUR_EMAIL>
  • Sign In Strategy: Domain
  • Sign In Domain: <YOUR_DOMAIN>
  • Limits Enabled: disabled

Then go to System Authentication and add a mapping.

  • Account: <YOUR_NEWLY_CREATED_ACCOUNT>
  • Claim JSON-path: $.aud[*]
  • Match Claim Value: <CLIENT_ID>
  • Grant Role: Owner/Member

Change the Claim JSON-path and Match Claim Value to suit your needs. Note that a rule on $.aud[*] with the client ID matches every ID token issued for this app registration, so every user Entra ID lets sign in to the app receives the role. To narrow it, require user assignment on the enterprise application (Properties -> Assignment required), or match a claim only the intended users carry, such as tid for your tenant or a groups claim value (the groups claim is only present if you enable it under Token configuration in the app registration).
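To make the effect of the mapping rule concrete, here is an added example (not Patronus code) that evaluates rules of the shape shown above, Claim JSON-path plus Match Claim Value, against constructed, unsigned ID-token payloads. The JSON-path subset, the first-match ordering, the normalisation of a string `aud` into a list, and the sample tenant, group and user values are all assumptions made for the illustration; signature and issuer verification happen before this step in the backend and are out of scope here.

```python
"""How a System Authentication mapping rule resolves against ID-token claims.

Added example, not Patronus code. Rules are {"account", "path", "match",
"role"}; a rule matches when any value selected by its JSON-path equals
"match". First matching rule wins (assumed ordering).
"""
import re

# Constructed sample identifiers (hypothetical).
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
TENANT = "11111111-2222-3333-4444-555555555555"
OTHER_TENANT = "eeeeeeee-dddd-cccc-bbbb-aaaaaaaaaaaa"
ADMIN_GROUP = "99999999-8888-7777-6666-555555555555"


def token(tenant, user, groups=()):
    """Constructed claims payload shaped like an Entra v2.0 ID token (no signature)."""
    return {
        "iss": f"https://login.microsoftonline.com/{tenant}/v2.0",
        "aud": CLIENT_ID,  # a string, as Entra emits it
        "tid": tenant,
        "preferred_username": user,
        "groups": list(groups),  # present only if group claims are enabled
    }


ALICE = token(TENANT, "alice@example.com", [ADMIN_GROUP])   # admin in our tenant
BOB = token(TENANT, "bob@example.com")                       # ordinary user, our tenant
MALLORY = token(OTHER_TENANT, "mallory@contoso.example")     # another tenant, same app

# Supported JSON-path pieces: .key, [*], [n]
_STEP = re.compile(r"\.([A-Za-z_][A-Za-z0-9_]*)|\[\*\]|\[(\d+)\]")


def jsonpath_values(path, doc):
    """Evaluate a small JSON-path subset; return the list of selected values."""
    if not path.startswith("$"):
        raise ValueError("JSON-path must start with '$'")
    rest, pos, current = path[1:], 0, [doc]
    while pos < len(rest):
        m = _STEP.match(rest, pos)
        if not m:
            raise ValueError(f"unsupported JSON-path syntax at {rest[pos:]!r}")
        pos, nxt = m.end(), []
        for node in current:
            if m.group(1) is not None:                      # .key
                if isinstance(node, dict) and m.group(1) in node:
                    nxt.append(node[m.group(1)])
            elif m.group(2) is not None:                    # [n]
                if isinstance(node, list) and int(m.group(2)) < len(node):
                    nxt.append(node[int(m.group(2))])
            elif isinstance(node, list):                    # [*]
                nxt.extend(node)
        current = nxt
    return current


def normalize_claims(claims):
    """RFC 7519 allows `aud` to be a string or an array; use an array so
    `$.aud[*]` works either way (assumed to mirror the backend's behaviour)."""
    c = dict(claims)
    if isinstance(c.get("aud"), str):
        c["aud"] = [c["aud"]]
    return c


def resolve(rules, claims):
    """(account, role) of the first matching rule, or None when no rule matches."""
    claims = normalize_claims(claims)
    for rule in rules:
        if any(str(v) == rule["match"] for v in jsonpath_values(rule["path"], claims)):
            return rule["account"], rule["role"]
    return None


# The rule from the page: matches every token minted for this app registration.
AUD_ONLY = [{"account": "acme", "path": "$.aud[*]", "match": CLIENT_ID, "role": "Member"}]

# Tighter: owners by group membership, members only from our own tenant.
TIGHTER = [
    {"account": "acme", "path": "$.groups[*]", "match": ADMIN_GROUP, "role": "Owner"},
    {"account": "acme", "path": "$.tid", "match": TENANT, "role": "Member"},
]

if __name__ == "__main__":
    for name, claims in (("alice", ALICE), ("bob", BOB), ("mallory", MALLORY)):
        print(name, resolve(AUD_ONLY, claims), resolve(TIGHTER, claims))
```

With AUD_ONLY all three tokens, including the one from the foreign tenant, map to acme/Member; with TIGHTER Alice becomes Owner, Bob Member, and Mallory gets no mapping at all.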

External documentation:

