vouch / vouch-proxy

an SSO and OAuth / OIDC login solution for Nginx using the auth_request module
MIT License

Azure AD + VP - Allow the user based on the groups and url attributes #569

Closed Siva-Taicho77 closed 3 months ago

Siva-Taicho77 commented 3 months ago

Hi all, I am working on integrating Vouch and NGINX in my Kubernetes application. Vouch uses Azure AD as its Identity Provider (IDP). I want Vouch to deny access if the user does not belong to the specified group for a given URL. The group names and application URLs are linked as follows: the group name is <usecase_name>_group and the corresponding application URL is <usecase_name>.subdomain.com. Can you please provide a sample ingress configuration for Vouch Proxy to satisfy this requirement? Thank you!

Siva-Taicho77 commented 3 months ago

@bnfinet I think you are the poc for vouch proxy, can you please help me :)

bnfinet commented 3 months ago

@Siva-Taicho77 unfortunately I'm not in a position to offer you support. I have no experience with Azure.

If you're able to get the group into a claim then you should be able to get VP to offer it to nginx which could filter on the contents of the variable to match usecase_name_group to usecase_name.subdomain.com.

https://github.com/vouch/vouch-proxy?tab=readme-ov-file#scopes-and-claims
https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims?tabs=appui#configure-groups-optional-claims

Please do post your configs if you're able to get that setup working!
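Worked configuration for the approach sketched above (group name in a claim, Vouch Proxy forwards it as a header, nginx compares it against the host). This is an added example, not code from this thread or from the vouch-proxy project. It assumes that VP's config.yml lists groups under vouch.headers.claims so that /validate answers with an X-Vouch-IdP-Claims-Groups header, that Entra ID has been configured to emit group names in the groups claim (by default it emits group object IDs, which would not fit the <usecase_name>_group pattern), that VP joins multi-valued claims with commas and no spaces, and that subdomain.com, 127.0.0.1:9090, app-backend and the X-Vouch-Groups header name are placeholders.

```nginx
# Added example (not from this thread or the vouch-proxy docs): a plain nginx
# server block that (1) validates the session with Vouch Proxy via auth_request,
# (2) derives the group required for this host from $host, and (3) returns 403
# unless that group appears in the groups claim VP forwards.
#
# Assumptions (check each against your own deployment):
#   - VP's config.yml has `groups` under vouch.headers.claims, so /validate
#     answers with an X-Vouch-IdP-Claims-Groups header.
#   - Entra ID emits group *names* in the groups claim (default is object IDs).
#   - VP joins multi-valued claims with commas and no spaces.
#   - Hosts are <usecase_name>.subdomain.com, groups are <usecase_name>_group.
#   - 127.0.0.1:9090 (VP), app-backend and X-Vouch-Groups are placeholders.

# "alpha.subdomain.com" -> "alpha_group". A host that does not fit the pattern
# yields "", which can never match an item below, so unknown hosts fail closed.
map $host $required_group {
    default                                     "";
    "~^(?<usecase>[a-z0-9-]+)\.subdomain\.com$" "${usecase}_group";
}

# Membership test on "required|claimed,groups,list". The backreference \k<g>
# has to match a whole comma-separated item, so a user who only holds
# "alpha_group_readonly" is not accepted for "alpha_group".
map "$required_group|$auth_resp_groups" $group_ok {
    default                                  0;
    "~^(?<g>[^|,]+)\|(?:.*,)?\k<g>(?:,.*)?$" 1;
}

server {
    listen 443 ssl;
    server_name ~^[a-z0-9-]+\.subdomain\.com$;
    # ssl_certificate / ssl_certificate_key omitted

    location / {
        # Step 1: is there a valid VP session at all?
        auth_request /validate;
        auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
        auth_request_set $auth_resp_groups       $upstream_http_x_vouch_idp_claims_groups;
        auth_request_set $auth_resp_jwt          $upstream_http_x_vouch_jwt;
        auth_request_set $auth_resp_err          $upstream_http_x_vouch_err;
        auth_request_set $auth_resp_failcount    $upstream_http_x_vouch_failcount;

        # Step 2 lives in @app: `if` is evaluated in the rewrite phase, before
        # auth_request (access phase) has run, so the group check cannot sit in
        # this block. Handing off to a named location re-enters the rewrite
        # phase with the variables above already populated, which is the same
        # behaviour VP's own @error401 redirect relies on.
        try_files /nonexistent @app;
    }

    location @app {
        if ($group_ok = 0) {
            return 403;
        }
        proxy_set_header X-Vouch-User   $auth_resp_x_vouch_user;
        proxy_set_header X-Vouch-Groups $auth_resp_groups;   # placeholder name
        proxy_pass http://app-backend;                        # placeholder upstream
    }

    location = /validate {
        internal;
        proxy_pass http://127.0.0.1:9090/validate;
        proxy_set_header Host $http_host;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
    }

    # Not logged in: send the user to VP's login page (pattern from the VP README).
    error_page 401 = @error401;
    location @error401 {
        return 302 https://vouch.subdomain.com/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
    }
}
```

Two things to check before relying on this. First, look at the raw X-Vouch-IdP-Claims-Groups header VP actually returns for a test user (for example by temporarily proxying it through to a request-echo backend): if it carries object IDs, the groups optional claim in Entra ID has to be changed to emit names, and if Entra ID falls back to a groups-overage claim because the user is in more than 200 groups, the header will not contain the group at all and the user is denied. Second, on Kubernetes with ingress-nginx the auth_request part maps onto the auth-url, auth-signin and auth-response-headers annotations, but the host-to-group map and the @app check have no annotation equivalent and would have to go into a server-snippet/configuration-snippet, which recent ingress-nginx releases refuse unless the controller's allow-snippet-annotations setting is turned on.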