DarkEdges
Posted on October 1, 2024
This will be part of a series on how to get ForgeRock Identity configured to use Microsoft Entra as an Authentication Provider, using Terraform to create the necessary Enterprise Application.
Prerequisites
We need two tools available to help us create the Microsoft Entra Enterprise Application:
terraform
azure cli
The following commands in an Ubuntu environment install them:
sudo snap install terraform-cli
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
There are many ways to do this, but the above is quick and dirty and should work with some alterations for other platforms. Once the series is completed I will update this with more details on how to get these tools on other platforms, but in the meantime Google is your friend.
Check out the source repository
We are going to be using the Docker ForgeRock Quickstart repository to get the necessary terraform files. So let's do that.
git clone git@github.com:darkedges/devspace-forgerock-quickstart.git
Login to Azure Portal
This is needed so that terraform can create the necessary configuration:
az login
- A browser should open and ask you to log into your Azure Subscription.
- Provide your credentials and, if successful, it will tell you the CLI has been logged in.
- When asked to select your subscription and tenant, choose the correct values.
Terraforming
Now we can go through the steps of terraforming:
init
plan
apply
Update the URIs
This step is important: without it the deployment will currently fail. It is assumed that you have already registered your domain with Azure; if you have not, more details are available here: https://learn.microsoft.com/en-us/entra/identity/users/domains-manage
Edit the file terraform.tfvars with the following details updated to your configuration.
applicationIdentifierUris=["https://<Your Domain>/openam/oauth2"]
applicationwebRedirectUris=["https://<Your Domain>/openam/XUI"]
Init
First we need to make sure we are in the correct directory:
cd devspace-forgerock-quickstart/docker/terraform/init/entra
Next we need to init:
terraform init
This will download all the necessary plugins so that the next steps can work. Any failures will need to be addressed, but hopefully there are none.
see https://gist.github.com/darkedges/5ee18de8c2c612dc0cad1a0872699bae#file-init
Plan
This phase will go through the configuration and check the known state against Azure. Since this is the first time running it, it should come back all green.
terraform plan
see https://gist.github.com/darkedges/5ee18de8c2c612dc0cad1a0872699bae#file-plan
Apply
This phase will go through the configuration and create the necessary resources in Azure. Since this is the first time running it, it should come back all green.
terraform apply --auto-approve
see https://gist.github.com/darkedges/5ee18de8c2c612dc0cad1a0872699bae#file-apply
Note: terraform will output the client_id in plain text, but the client_secret will be hidden and needs to be collected separately.
Output
Once it has finished you can collect the client_id and client_secret using the following commands.
terraform output client_id
terraform output client_secret
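As an added illustration (this is not the quickstart repository's own Terraform, which a later post will cover), here is how the two terraform.tfvars values map onto an azuread_application, and why client_secret is hidden during apply while client_id is printed. The provider version pin, resource names and secret end date are assumptions.

```hcl
# Added illustration, not the quickstart repository's own terraform.
# Assumes the azuread provider 2.x (the "previous version" mentioned above).
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.53"
    }
  }
}

# The two values set in terraform.tfvars.
variable "applicationIdentifierUris" {
  type = list(string)
}

variable "applicationwebRedirectUris" {
  type = list(string)
}

# The Enterprise Application that appears as "DFQ Local Development".
resource "azuread_application" "dfq" {
  display_name    = "DFQ Local Development"
  identifier_uris = var.applicationIdentifierUris

  web {
    # Only exact, https URIs listed here are accepted as redirect targets.
    redirect_uris = var.applicationwebRedirectUris
  }
}

# Client secret for the application; end date is an assumed value,
# rotate it before expiry.
resource "azuread_application_password" "dfq" {
  application_object_id = azuread_application.dfq.object_id
  end_date              = "2025-10-01T00:00:00Z"
}

output "client_id" {
  value = azuread_application.dfq.application_id
}

# sensitive = true is why apply shows "(sensitive value)" for the secret,
# while "terraform output client_secret" still returns it.
output "client_secret" {
  value     = azuread_application_password.dfq.value
  sensitive = true
}
```

Note that the secret still lives in plain text in terraform.tfstate, so protect the state file as you would the secret itself.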
Azure Console
Now that we have created the Microsoft Entra Enterprise Application, you can view it in the console by going to https://entra.microsoft.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview and then selecting the DFQ Local Development link.
Conclusion
This is enough to get a basic Microsoft Entra Enterprise Application deployed into your environment. Over the course of the next posts we will see how to configure a Journey in PingAM to use this to SSO from Microsoft Entra into PingAM.
Another post will deep dive into the terraform configuration so that you can understand how it works.
This example is also using the previous version of the Azure Plugin; it will be updated to the latest version shortly and go through a potential rewrite to bring it up to a more meaningful pattern.