
Deployment in Azure with Microsoft Entra ID

This document assumes the use of the following:

  • Cloud provider: Microsoft Azure
  • Kubernetes service: Azure Kubernetes Service (AKS)
  • Ingress Controller: Application Gateway Ingress Controller (AGIC)
  • Identity Provider (IdP): Microsoft Entra ID
  • (Optional) cert-manager (to manage TLS certificates)
  • (Optional) ExternalDNS (to synchronize ingresses with the DNS service)

Configuring Patronus AI to use Microsoft Entra ID as an Identity Provider

Configuring Entra ID

  • Go to Microsoft Entra, expand Entra ID and select App registrations.

  • Click New registration, fill in the app name, select the account type (the default is fine), and add the redirect URIs by selecting Web as the platform and entering the following:

    • https://<PATRONUS_APP_HOST>
    • https://<PATRONUS_APP_HOST>/oauth2/auth


  • Click the Register button.

  • After the app has been registered, open it again via App registrations, select the new app, and then select Authentication. Fill in the Front-channel logout URL with the following:

    • https://<PATRONUS_APP_HOST>/api/auth/logout


  • In the Implicit grant and hybrid flows section, select the ID tokens (used for implicit and hybrid flows) option.

  • Then go to Certificates & secrets and click New client secret. Enter a description, select the expiry period, and click the Add button. Copy the secret value to a secure location immediately; it is only displayed once.

Configuring the Helm chart

Once the Entra ID app registration is in place, set the following values in values.yaml and apply the changes:

nginx:
  enabled: true
  ingress:
    enabled: true
    hostname: <PATRONUS_APP_HOST>
    ingressClassName: azure-application-gateway
    annotations:
      cert-manager.io/cluster-issuer: <CERT_MANAGER_CLUSTER_ISSUER>
    tls: true
    extraTls:
      - hosts:
        - <PATRONUS_APP_HOST>
        secretName: <PATRONUS_APP_TLS_CERT>
  # https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc#send-a-sign-out-request
  idpLogoutProxypass: http://vouch/oauth2/logout?url=https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://$host;
 
vouch:
  enabled: true
  config:
    vouch:
      domains:
        - <PATRONUS_DOMAIN>
      post_logout_redirect_uris:
        - https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://<PATRONUS_APP_HOST>
    oauth:
      provider: azure
      # Entra ID -> App registrations -> App name -> Overview -> Application (client) ID
      client_id: <CLIENT_ID>
      # Entra ID -> App registrations -> App name -> Certificates & secrets -> Client Secrets (value)
      client_secret: <CLIENT_SECRET>
      # Entra ID -> App registrations -> App name -> Overview -> Endpoints -> OAuth 2.0 authorization endpoint (v2)
      auth_url: https://login.microsoftonline.com/<DIRECTORY_ID>/oauth2/v2.0/authorize
      # Entra ID -> App registrations -> App name -> Overview -> Endpoints -> OAuth 2.0 token endpoint (v2)
      token_url: https://login.microsoftonline.com/<DIRECTORY_ID>/oauth2/v2.0/token
      callback_urls:
        - https://<PATRONUS_APP_HOST>/oauth2/auth
      azure_token: id_token
 
patronus-backend:
  authConfig:
    # Entra ID -> App registrations -> App name -> Overview -> Endpoints -> OpenID Connect metadata document (domain between https:// and /.well-known/openid-configuration)
    idp_domain: login.microsoftonline.com/<DIRECTORY_ID>/v2.0
    # Entra ID -> App registrations -> App name -> Overview -> Application (client) ID
    audience: <CLIENT_ID>
 
patronus-app:
  ingress:
    enabled: false
  appConfig:
    AUTH_STRATEGY: "idp-proxy"
    APP_BASE_URL: https://<PATRONUS_APP_HOST>
    BACKEND_API_PUBLIC_URL: https://<PATRONUS_BACKEND_API_HOST>

Configuring Admin Portal

Go to the Admin Portal. In Accounts, create a new account with the following values:

  • Account Name: <ACCOUNT_NAME>
  • Owner Email: <YOUR_EMAIL>
  • Sign In Strategy: Domain
  • Sign In Domain: <YOUR_DOMAIN>
  • Limits Enabled: disabled

Then go to System Authentication and add a mapping.

  • Account: <YOUR_NEWLY_CREATED_ACCOUNT>
  • Claim JSON-path: $.aud[*]
  • Match Claim Value: <CLIENT_ID>
  • Grant Role: Owner/Member

Change the Claim JSON-path and Match Claim Value to suit your needs.
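Taken together, the chart's `idp_domain` and `audience` values and the Admin Portal mapping amount to: verify the ID token's issuer and audience, then grant the role of the first mapping whose claim path matches. The following is an added example of that logic, not Patronus code; the client and directory IDs are constructed placeholders, the `$.aud[*]` path is resolved by a small hand-written matcher rather than a full JSONPath library, and the token's signature is assumed to have already been verified against the tenant's JWKS.

```python
import re
import time

# Constructed placeholders standing in for the page's <CLIENT_ID> and <DIRECTORY_ID>.
CLIENT_ID = "00000000-0000-0000-0000-000000000001"
DIRECTORY_ID = "11111111-1111-1111-1111-111111111111"
# Mirrors the chart's `idp_domain`; Entra v2.0 tokens carry this as their `iss`.
IDP_DOMAIN = f"login.microsoftonline.com/{DIRECTORY_ID}/v2.0"
EXPECTED_ISSUER = f"https://{IDP_DOMAIN}"

# A mapping as entered on the Admin Portal's System Authentication page.
MAPPING = {"account": "acme", "claim_path": "$.aud[*]",
           "match_value": CLIENT_ID, "role": "Member"}


def claim_values(payload, claim_path):
    """Resolve the two path shapes the page uses: `$.claim` and `$.claim[*]`.
    Always returns a list so a claim that is a string or an array is handled
    the same way (RFC 7519 allows `aud` to be either)."""
    m = re.fullmatch(r"\$\.([A-Za-z0-9_]+)(\[\*\])?", claim_path)
    if not m:
        raise ValueError(f"unsupported claim path: {claim_path}")
    value = payload.get(m.group(1))
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def validate_id_token(payload, now=None):
    """Baseline checks that must pass before any account mapping is consulted.
    Returns None when the token is acceptable, otherwise the reason it is not."""
    now = time.time() if now is None else now
    if payload.get("iss") != EXPECTED_ISSUER:      # tenant pinned by DIRECTORY_ID
        return "issuer mismatch"
    if CLIENT_ID not in claim_values(payload, "$.aud[*]"):  # chart's `audience`
        return "audience mismatch"
    if payload.get("exp", 0) <= now:
        return "token expired"
    return None


def resolve_account(payload, mappings, now=None):
    """Return (account, role) for the first mapping whose claim matches, or None."""
    if validate_id_token(payload, now) is not None:
        return None
    for m in mappings:
        if m["match_value"] in claim_values(payload, m["claim_path"]):
            return (m["account"], m["role"])
    return None
```

A token issued by another tenant (for example via the `common` endpoint) is rejected on the issuer check even if its audience matches, which is why `auth_url` and `idp_domain` pin the directory ID.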
