# ory-selfhosting
flat-hospital-33004:
Hey! I have a couple of newbie questions regarding self-hosted Ory Kratos and Azure SSO setup. I'm trying to integrate Azure SSO with the Kratos self-service example UI. I’ve followed the guide at https://www.ory.sh/docs/self-hosted/kratos/configuration/oidc and updated my kratos.yml with the Azure OIDC provider config. However, I suspect the client app needs to be modified to handle the redirects between Ory and Azure, particularly for initiating the flow and displaying the login button. So my question is: is there an official or community-maintained example app that demonstrates Azure SSO integration with self-hosted Kratos? I found this discussion, but couldn’t locate a working example in the repo. If nothing exists, could someone outline the high-level steps needed to get the self-service UI working with Azure SSO? Thanks in advance!
magnificent-energy-493:
Hello @flat-hospital-33004, you can find community examples here: https://github.com/ory/awesome-ory and, for Azure SSO, follow the steps here (under "Ory CLI" for self-hosted): https://www.ory.sh/docs/kratos/social-signin/microsoft (you don't need to modify the client app; if you use the node-selfservice UI it should handle this automatically).
The bot answer might also be helpful:

No Azure-specific changes are needed in the UI. The self-service UI dynamically renders login options (including OIDC providers like Azure) based on the methods enabled in your Kratos configuration. If you have correctly configured Azure as an OIDC provider in your `kratos.yml`, the UI will automatically display the "Sign in with Azure" button as part of the OIDC method group. The UI simply renders what Kratos provides in the flow data; no provider-specific code is required.

1. Register your application in Azure and obtain the Client ID, Client Secret, and set the correct Redirect URI (matching the pattern required by Kratos).
2. Configure Azure as an OIDC provider in your `kratos.yml`. This includes setting the `client_id`, `client_secret`, `issuer_url`, and a Jsonnet data mapping for claims.
3. Set up the redirect URI in both Azure and Kratos to match the required pattern: `http(s)://<domain-of-ory-kratos>:<public-port>/self-service/methods/oidc/callback/<provider-id>`
4. Add the session hook to your Kratos config to avoid users needing to log in again after sign-up:

```yaml
selfservice:
  flows:
    registration:
      after:
        oidc:
          hooks:
            - hook: session
```

5. Run the self-service UI. When the login flow is initialized, Kratos will include the OIDC method and the UI will render the Azure login button automatically.
6. Test the flow: when a user clicks the Azure login button, the UI will POST to Kratos, which will handle the redirect to Azure and back. For more details, see the OIDC provider configuration guide and the Azure-specific setup.
flat-hospital-33004:
Hi @magnificent-energy-493! Thank you so much for the detailed answer, that clears up a lot for me. I think I may have misconfigured my kratos.yml. I started with the default file from this repo and then updated the selfservice section with my `client_id`, `client_secret`, `issuer_url`, etc. However, when I click the sign-in button in the menu, I first get redirected to:

http://localhost:4433/self-service/login/browser?aal=&refresh=&return_to=&organization=&via=

…and then to:

http://localhost:3000/ui/login?flow=fc2f26ed-cec9-4ff2-9484-7161790cef6c

That second URL responds with a 404 error (screenshot attached). For context: I'm running a self-hosted version of Ory Kratos locally with the VS Code debugger attached. In the Azure app registration, I've set the redirect URI to:

http://localhost:4433/self-service/methods/oidc/callback/azure

Would you mind taking a quick look at my kratos.yml (pasted below) to see if you spot anything that might cause the 404 and prevent the Azure login flow from working?
```yaml
version: v0.13.0

dsn: memory

serve:
  public:
    # Public API base URL. The OIDC callback registered in Azure is derived from it:
    # http://localhost:4433/self-service/methods/oidc/callback/azure (base_url + provider id)
    base_url: http://localhost:4433/
    cors:
      enabled: true
  admin:
    base_url: http://localhost:4434/

selfservice:
  default_browser_return_url: http://localhost:3000/ui/welcome
  methods:
    oidc:
      enabled: true
      config:
        base_redirect_uri: http://localhost:3000/
        providers:
          - id: azure
            provider: microsoft
            client_id: [REDACTED]
            client_secret: [REDACTED]
            # issuer_url: https://login.microsoftonline.com/common
            microsoft_tenant: common
            # base64-encoded Jsonnet mapper (the docs' Microsoft example): the email claim is
            # copied into the email trait and marked verified only when it equals raw_claims.upn
            mapper_url: "base64://bG9jYWwgY2xhaW1zID0gc3RkLmV4dFZhcignY2xhaW1zJyk7Cgp7CiAgaWRlbnRpdHk6IHsKICAgIHRyYWl0czogewogICAgICBbaWYgJ2VtYWlsJyBpbiBjbGFpbXMgJiYgJ3VwbicgaW4gY2xhaW1zLnJhd19jbGFpbXMgJiYgY2xhaW1zLmVtYWlsID09IGNsYWltcy5yYXdfY2xhaW1zLnVwbiB0aGVuICdlbWFpbCcgZWxzZSBudWxsXTogY2xhaW1zLmVtYWlsLAogICAgfSwKICAgIHZlcmlmaWVkX2FkZHJlc3Nlczogc3RkLnBydW5lKFsKICAgICAgaWYgJ2VtYWlsJyBpbiBjbGFpbXMgJiYgJ3VwbicgaW4gY2xhaW1zLnJhd19jbGFpbXMgJiYgY2xhaW1zLmVtYWlsID09IGNsYWltcy5yYXdfY2xhaW1zLnVwbiB0aGVuIHsgdmlhOiAnZW1haWwnLCB2YWx1ZTogY2xhaW1zLmVtYWlsIH0sCiAgICBdKSwKICB9LAp9"
            scope:
              - email
              - openid
              - profile
  flows:
    error:
      ui_url: http://localhost:3000/ui/error

    settings:
      ui_url: http://localhost:3000/ui/settings
      privileged_session_max_age: 15m

    recovery:
      enabled: true
      ui_url: http://localhost:3000/ui/recovery

    verification:
      enabled: true
      ui_url: http://localhost:3000/ui/verification
      after:
        default_browser_return_url: http://localhost:3000/ui/welcome

    logout:
      after:
        default_browser_return_url: http://localhost:3000/ui/login

    login:
      ui_url: http://localhost:3000/ui/login

    registration:
      ui_url: http://localhost:3000/ui/registration
      after:
        password:
          hooks:
            - hook: session

log:
  level: debug
  format: text
  # development setting: writes secrets and tokens to the log in clear
  leak_sensitive_values: true

secrets:
  cookie:
    - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE

hashers:
  algorithm: bcrypt
  bcrypt:
    cost: 8

identity:
  default_schema_id: preset://email
  schemas:
    - id: preset://email
      url: file:///etc/config/kratos/identity.schema.json

courier:
  smtp:
    connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true
```

Thanks again for your help!
magnificent-energy-493:
Hello @flat-hospital-33004
• The 404 error suggests that your UI server does not have a route for `/ui/login`, so there is something wrong with your self-service UI.
• The OIDC provider config looks correct.
• You have set `base_redirect_uri: http://localhost:3000/` in your OIDC config. This is not required for most self-hosted setups.

I would suggest you follow the quickstart here first: https://www.ory.sh/docs/kratos/quickstart and, for something more advanced, you can try this out: https://github.com/ory/kratos/tree/master/contrib/quickstart/kratos/oidc
flat-hospital-33004:
Hey @magnificent-energy-493! Thank you very much for your help! It was a simple error in my config. As you pointed out, in the `flow` config I was redirecting users to `/ui/`, which does not exist in the self-service UI. In the end, I've removed the `/ui/` segment from the config and it worked fine!