Keptn v1 reached EOL December 22, 2023. For more information see
This documentation is for an older Keptn release. Please consider the newest one when working with the latest Keptn.


These instructions will take you through the process of getting your Keptn authenticating with Microsoft. You will create a client within Microsoft and configure Keptn to use Microsoft for authentication.

To set up SSO via OpenID with Microsoft, you have to register an application in order to get a client id, client secret, and a discovery endpoint.

Keptn Bridge

Set the following environment variables when installing Keptn:

    enabled: true
    discovery: "<directory_tenant_id>/v2.0/.well-known/openid-configuration"
    secureCookie: true
    baseUrl: <base_url>
    clientID: <client_id>
    clientSecret: <client_secret>
    scope: "email"

Note: It is also possible to directly change the Deployment manifest of an existing Keptn installation. After entering the new environment values, the Bridge pod has to be restarted.

OAUTH_DISCOVERY: "<directory_tenant_id>/v2.0/.well-known/openid-configuration"
OAUTH_BASE_URL: <base_url>
OAUTH_CLIENT_ID: <client_id>
OAUTH_CLIENT_SECRET: <client_secret>
OAUTH_SCOPE: "email"

When accessing the Bridge, the user is redirected to the identity provider.

Accessing bridge without being logged in
Entering user credentials

After the user successfully logs in with his Microsoft credentials, the user is redirected back to the Bridge. Once redirected, the Bridge server fetches the user tokens and creates a session. The user is now successfully logged in.

User is logged in

Keptn CLI

The keptn auth command provides several command line flags which can be used to setup the CLI to use an SSO via OpenID Connect:

keptn auth --oauth --oauth-discovery<directory_tenant_id>/v2.0/.well-known/openid-configuration --oauth-client-id <client_id> --oauth-client-secret <client_secret> --endpoint <keptn_endpoint> --api-token <keptn_api_token>

After executing the keptn auth command, a Browser window should open asking you to confirm the login using your credentials. If everything went well, you are redirected to an HTML page that confirms that the login was successful.

If you want to opt out from using SSO, simply execute keptn auth --oauth-logout.