Integrate Azure AD as a OIDC for SSO with PX-Backup

This topic explains how you can integrate Azure Active Directory (AD) as a OIDC for SSO with PX-Backup HTTPS access enabled endpoint.


  • Ensure you have an EKS cluster, Route 53 with a Register domain for which you can use an SSL certificate from AWS Certificate Manager (ACM) using Azure AD for SSO login.
  • Attach the additional role ALBIngressControllerIAMPolicy, and ensure to attach this role to your EKS cluster. Without attaching this role, you cannot launch the Application Load Balancer (ALB).

Integrate Azure AD with PX-Backup

To integrate Azure AD with PX-Backup:

  1. Login to the Azure portal (, and select View from the Manage Azure Active Directory.

  2. In the Azure AD page, select App registrations from the left pane -> New registration.

    Azure AD New App Register

  3. In the Register an Application page, fill-in the Name textbox, choose an option from the Supported account types, and click Register.

    Your application is created.

  4. In the Azure AD page, select App registrations -> Owned applications tab.

  5. Select your application. The Overview page displays all details about your application. Make a note of the Application (client) ID, which you can use while generating the PX-Backup spec.

    Overview Page Client ID

  6. Select Certificates & secrets in the left pane -> New client secret to add a client secret for the application.

    Add Client Certs

  7. In the Add a client secret window that appears, enter the client secret description and choose the validity of client secret from the Expires dropdown list.

  8. Click Enter to add a secret for your application. You can use this secret while generating the PX-Backup spec.

  9. Get the OIDC endpoint by selecting the application you created -> Endpoints tab. Copy only the first two parts from the Endpoints window.

    Add End Point

  10. Using the Portworx Central spec gen wizard, generate PX-Backup spec and use the client ID, secret, or endpoint.

  11. Install the generated spec.

Add an external OIDC provider as the identity provider in PX-Backup

After integrating the Azure AD or an external OIDC with PX-Backup, perform the following steps to add any external OIDC provider in PX-Backup:

  1. Log in to Keycloak using administrator credentials, and select Identity Provider from the left pane.

  2. In the Identity Providers page, select OpenID Connect v1.0 from the Add provider… dropdown list.

    IDP Add Provider

  3. From the Add identity provider page, copy the URI from the Redirect URI text box, and paste it in your OIDC provider. For example, in Azure AD, navigate to your application Overview page, click Add a Redirect URI in the Redirect URIs section, and paster the URI in the Authentication page, and click Save.

    Azure AD Add Redirect URI

  4. Navigate to the Keycloak -> Add identity provider page -> OpenID Connect Config section, and enter the following fields:

    • Authorization URL and Token URL: Paste the URLs that you copied from the Azure AD -> your application Authentication page.
    • Logout URL: Paste the URL that you copied from the Azure AD -> your application Overview page -> Endpoints page.
    • Client Authentication: From the dropdown list, select Client secret sent as post.
    • Client ID: Paste the Application (client ID) that you copied from the Azure AD -> your application Overview page -> Essentials section.
    • Client Secret: Paste the secret value that you copied from the Azure AD -> your application Certificates & secrets page.
  5. Click Save.

  6. Using a browser, access PX-Backup without /auth. Your OIDC provider link appears on the login page:

    External Keycloak in PX-Backup

    You can click the link to login with your Keycloak users credentials.

    Note: All new users that login from external Keycloak are, by default, assigned to the application user role.

Last edited: Tuesday, Mar 1, 2022