How to Set Microsoft Entra as Identity Provider
Table of Contents
Introduction
This basic tutorial demonstrates how to configure Microsoft Entra ID and integrate it with AI DIAL for identity and access management.
In AI DIAL, you can assign roles to Models, Applications, Addons, and Assistants to restrict the number of tokens that can be transmitted in a specific time frame. These roles and their limitations can be created in external systems and then assigned in AI DIAL's configuration.
Configuration Guidelines
Configure Microsoft Entra ID
Note: Replace
<chat_url>with the actual address of your AI DIAL Chat application.
Follow these steps to configure Microsoft Entra ID:
- Create an Application: refer to Microsoft documentation to learn how to register an application. Set the following parameters:
- Name
- Supported account types
- Platform:
Web - Redirect URI:
https://<chat_url>/api/auth/callback/azure-ad
- After registering an application, obtain and save Application (client) ID and Directory (tenant) ID - you will need them to configure AI DIAL. Refer to Microsoft documentation.
- Create and save a Client secret: in the Certificates & secrets/Client secret section, create New client secret and save its value. Refer to Microsoft documentation.
- (Optional) Create a Group and add members: once the application integration is set up, create the necessary Group and add members. Refer to Microsoft documentation.
- (Optional) Configure ID Token: in the Token Configuration section, Add Groups claim and customize which groups you want to include and where (access, ID token). Refer to Microsoft documentation.
Note:
sAMAccountNameand on-premisesGroupSIDattributes are available only on group objects synced from Active Directory. They aren't available on groups created inMicrosoft Entra IDorOffice 365. Applications configured in Microsoft Entra ID to get synced on-premises group attributes get them for synced groups only.
Configure AI DIAL
By configuring both AI DIAL Chat and AI DIAL Core with the necessary Microsoft Entra ID environment variables, you will enable them to work together seamlessly with Microsoft Entra ID for authentication and authorization purposes.
To configure AI DIAL Chat and AI DIAL Core to work with Microsoft Entra ID, follow these steps:
AI DIAL Chat Settings
Note: The application scope is required to validate signature of the access token. Refer to Microsoft Portal to read more about this case.
Add the following environment variables to AI DIAL Chat configuration. Refer to AI DIAL Chat for more details.
AUTH_AZURE_AD_CLIENT_ID: "<azure_client_id>"
AUTH_AZURE_AD_TENANT_ID: "<azure_tenant_id>"
AUTH_AZURE_AD_SECRET: "<azure_client_secret>"
AUTH_AZURE_AD_SCOPE: "openid profile <azure_client_id>/.default email offline_access"
AI DIAL Core Settings
Add the following parameters to AI DIAL Core static settings. Refer to AI DIAL Core for more details.
aidial.identityProviders.azure.jwksUrl: "https://login.microsoftonline.com/<azure_tenant_id>/discovery/v2.0/keys"
aidial.identityProviders.azure.rolePath: "groups"
aidial.identityProviders.azure.issuerPattern: '^https:\/\/sts\.windows\.net.+$'
aidial.identityProviders.azure.loggingKey: "sub"
aidial.identityProviders.azure.loggingSalt: "loggingSalt"
Assignment of Roles
Once all the above steps are completed, including the ones marked as Optional, you can assign roles to Models, Applications, Addons, and Assistants.
In AI DIAL Core:
- Static settings: as value for
aidial.identityProviders.azure.rolePathprovide a claim from Microsoft Entra. - Dynamic settings: for
userRolesprovide a specific group name as a claim value.
In this example, "azure-group-name" role from the "groups" claim is configured for chat-gpt-35-turbo model:
# Dynamic settings of AI DIAL Core
"models": {
"chat-gpt-35-turbo": {
"type": "chat",
"endpoint" : "http://localhost:7001/v1/openai/deployments/gpt-35-turbo/chat/completions",
"upstreams": [
{"endpoint": "http://localhost:7001", "key": "modelKey1"}
],
"userRoles": ["azure-group-name"]
}
}