
Commit 233bdeb

Document Single Sign-On via Entra ID (#2)
* Document Single Sign-On via Entra ID
* Add note about automatic linking
1 parent fa33161 commit 233bdeb

1 file changed

Lines changed: 38 additions & 0 deletions

docs/entra.md

@@ -0,0 +1,38 @@
1+
# dstack Enterprise Entra ID integration
2+
3+
`dstack` Enterprise supports Single Sign-On via [Microsoft Entra ID](https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id) (formerly Azure AD). When Entra ID integration is configured, the `dstack` login page will display the **Sign in with Microsoft Entra ID** button.
4+
5+
After signing in with Entra ID for the first time, a new `dstack` user account is created and linked to the Entra ID account. Subsequently, users can log in to `dstack` using their Entra ID account without entering any `dstack`-specific credentials.
6+
7+
**Note**: `dstack` automatically links Entra ID accounts to existing `dstack` users instead of creating new users if their emails match. Global admins should assign Entra ID emails to `dstack` users if automatic linking is desirable.
8+
9+
The `dstack` Entra ID integration uses the [Microsoft Authentication Library (MSAL)](https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-overview) with the OAuth 2.0 Authorization Code flow.
10+
11+
This guide shows how to set up `dstack` Enterprise with Entra ID.
12+
13+
## Register an application in Entra ID
14+
15+
First, you need to register an application for `dstack` Enterprise in your Microsoft Entra ID tenant as described in the [Microsoft documentation](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app).
16+
17+
1. Sign in to the [Azure portal](https://portal.azure.com).
18+
2. Search for and select **Microsoft Entra ID**.
19+
3. Under **Manage**, select **App registrations** > **New registration**.
20+
4. Enter application settings:
21+
* **Name**: dstack Enterprise
22+
* **Supported account types**: Accounts in this organizational directory only (Single tenant)
23+
* **Redirect URI**: Select **Web** and enter `{DSTACK_SERVER_URL}/auth/entra/callback`, e.g., `https://enterprise-example.dstack.ai/auth/entra/callback`.
24+
5. Click **Register**.
25+
6. Under **Manage**, select **Certificates & secrets** > **New client secret**.
26+
7. Add a description for the secret, choose an expiration time, and click **Add**.
27+
8. Save the secret value (you won't be able to see it again).
28+
29+
## Configure Entra ID on the `dstack` server
30+
31+
To enable Entra ID Single Sign-On on the `dstack` server, you need to set the following environment variables:
32+
33+
* `DSTACK_ENTRA_TENANT_ID` - the Directory (tenant) ID of your Entra ID organization, found in the Azure portal under Microsoft Entra ID > Overview.
34+
* `DSTACK_ENTRA_CLIENT_ID` - the Application (client) ID of the `dstack` Enterprise application created in the previous step.
35+
* `DSTACK_ENTRA_CLIENT_SECRET` - the Client Secret of the `dstack` Enterprise application created in the previous step.
36+
37+
Also, ensure that you have `DSTACK_SERVER_URL` set to the URL of the `dstack` Enterprise installation if it's different from the default `http://localhost:3000`, e.g., `https://enterprise-example.dstack.ai`.
38+
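Review bot: The automatic-linking note at new line 7 does not say which Entra ID claim is compared with the `dstack` user's email, even though that match alone decides who can sign in as an existing user, global admins included. Suggest naming the claim, stating that linking relies on the "Accounts in this organizational directory only (Single tenant)" choice from line 22, and telling admins to confirm that each email assigned to a `dstack` user belongs to the intended Entra ID account before enabling the integration. Separately, step 7 (line 26) has the admin choose a secret expiration time, but the configuration section never mentions updating `DSTACK_ENTRA_CLIENT_SECRET` before that date; a one-line reminder there would prevent a silent SSO outage.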
