Version: 1.46

Configure OpenID Connect

Use your identity provider for authenticating to Deployments through OpenID Connect. Configure who can access Deployments with your own provider and use short-lived JSON Web Tokens (JWT) instead of Deeploy's Deployment tokens.

Configure OpenID Connect

The OpenID Connect integration is controlled at the team level. Admins can set up the integration on the Integrations page, which is part of the Admin panel. On the Misc tab, click Configure on the OpenID Connect card, then Add provider, to set up the integration.

OpenID Connect provider requirements

Use any provider that adheres to the OpenID Connect protocol. In this article we use Azure AD as the example provider; for other providers the details can differ, but the requirements are the same.

Issuer URL
Provide the URL of the token issuer. The issuer must match the iss value in the JWT. For Azure AD this is usually of the form https://login.microsoftonline.com/<Azure Tenant ID>/v2.0. If you are using Azure AD v1 tokens, the issuer URL is https://sts.windows.net/<Azure Tenant ID>/.

Metadata URL
Provide the metadata URL of your provider. This is used to obtain the JSON Web Key Set (JWKS) URL, which Deeploy uses to verify the signature of your JWT. For Azure this is https://login.microsoftonline.com/<Azure Tenant ID>/v2.0/.well-known/openid-configuration.

Audience
Fill in the audience that gets access to Deeploy. The audience must match the aud value in the JWT. For Azure this can be an Application Registration's client ID.

OpenID Connect subjects

On your Deployment's authentication page you can add subjects that have access to that Deployment. The subject must match the sub value in the JWT.
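The checks described above (metadata URL to JWKS, signature, iss, aud, and the subject list on the Deployment), written out as an added example that is not Deeploy's own code. It uses PyJWT with the cryptography backend; the provider, its RSA key, URLs and claim values are constructed locally so the example runs offline, and the jwks_uri path is a made-up one.

```python
import json
import time

import jwt                                   # PyJWT, with the cryptography backend
from jwt.algorithms import RSAAlgorithm
from cryptography.hazmat.primitives.asymmetric import rsa

# Values as they would be entered on the OpenID Connect card (constructed, not real).
ISSUER = "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0"
METADATA_URL = ISSUER + "/.well-known/openid-configuration"
AUDIENCE = "66666666-7777-8888-9999-000000000000"   # app registration client ID
ALLOWED_SUBJECTS = {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}  # subjects added on the Deployment

def verify_for_deployment(token, fetch_json, issuer=ISSUER, metadata_url=METADATA_URL,
                          audience=AUDIENCE, allowed_subjects=ALLOWED_SUBJECTS):
    """Return (accepted, detail). fetch_json(url) must return the parsed JSON document
    at that URL (an HTTPS GET in practice; a dict lookup in this example)."""
    metadata = fetch_json(metadata_url)                 # metadata URL -> jwks_uri
    jwks = fetch_json(metadata["jwks_uri"])             # JSON Web Key Set
    kid = jwt.get_unverified_header(token).get("kid")
    matching = [k for k in jwks["keys"] if k.get("kid") == kid]
    if not matching:
        return False, "no key with kid %r in JWKS" % kid
    public_key = RSAAlgorithm.from_jwk(json.dumps(matching[0]))
    try:  # signature, exp, iss == Issuer URL and aud == Audience are all checked here
        claims = jwt.decode(token, public_key, algorithms=["RS256"],
                            audience=audience, issuer=issuer)
    except jwt.InvalidTokenError as exc:
        return False, "token rejected: %s" % exc
    if claims.get("sub") not in allowed_subjects:     # subject list on the Deployment
        return False, "sub %r not allowed on this Deployment" % claims.get("sub")
    return True, claims["sub"]

def make_provider(kid="key-1"):
    """Build a throwaway provider: RSA key, discovery document and JWKS served from a dict."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    jwk = json.loads(RSAAlgorithm.to_jwk(private_key.public_key()))
    jwk["kid"] = kid
    documents = {
        METADATA_URL: {"issuer": ISSUER, "jwks_uri": ISSUER + "/keys"},  # constructed path
        ISSUER + "/keys": {"keys": [jwk]},
    }
    return private_key, documents.__getitem__

def issue_token(private_key, kid="key-1", **overrides):
    """Sign a JWT the way the provider would; overrides replace individual claims."""
    now = int(time.time())
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": next(iter(ALLOWED_SUBJECTS)),
              "iat": now, "exp": now + 300}
    claims.update(overrides)
    return jwt.encode(claims, private_key, algorithm="RS256", headers={"kid": kid})
```

A token signed by a different key, carrying another audience or issuer, already expired, or presenting a subject not added on the Deployment is rejected with the reason returned in the second element.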

Info: For Deeploy Cloud, API requests that authenticate with OpenID Connect must have the team-id header set. Your Team ID is located on your profile page.