OAuth2 in KCM Control Center

KCM Control Center displays sensitive information about your configuration, such as servers. To protect your data, you can configure this web application to authenticate users with OAuth2 via Microsoft Entra. This way you can avoid the security risks of using an unprotected application.

Configuring OAuth2 in KCM Control Center is optional. If you decide not to configure it, we strongly advise that you limit access to Control Center by other means, or that you do not install KCM Control Center.

To implement this authentication method, you need to do the following:

  • Register KCM Control Center with Entra ID.

  • Assign users and groups to KCM Control Center at Entra ID.

  • Configure Entra ID settings in KCM Control Center.

Register KCM Control Center with Entra ID

  1. Sign in at the Entra ID portal. If you have more than one tenant there, select the one you want to register KCM Control Center with.

  2. Navigate to Applications > App Registrations. Register KCM Control Center.

  3. In the Redirect URL section, specify the following: https://<Control Center host>/auth/redirect

  4. Navigate to Overview. Copy and save the Application (client) ID. You will need it during the configuration process later.

  5. Copy and save the Directory (tenant) ID under which you have registered KCM Control Center on Azure.

  6. Navigate to Certificates and Secrets. Create a new secret for the application. Copy and save the generated key. You will need it during the configuration process later.

    This key value will not be displayed again. You cannot retrieve it by any other means. Do not close the page or navigate away from it before you save the key.

  7. Navigate to App Roles and create a new User/Group role. Set its value to ControlCenterAdmin.

Assign users and groups to KCM Control Center

After you register the application with Entra ID, you need to give users access to this application.

  1. Navigate to Enterprise Application and select KCM Control Center.

  2. Select Users and Groups.

  3. Assign one or more users and groups with the ControlCenterAdmin role.

Configure Entra ID settings in KCM Control Center

After you complete the registration at the Entra ID portal, specify the following settings to configure Entra ID authentication in KCM Control Center:

  • TenantID

    This is the tenant ID under which you have registered KCM Control Center on Azure.

  • ClientID

    This is the ID of KCM Control Center at the authorization server. Specify the application (client) ID of the registered application that you saved previously.

  • Secret

    This is a secret code (password) that you need to authenticate KCM Control Center at the Entra ID authorization server. Specify the secret that you generated and saved previously.

  • BaseRedirectURL

    This is a URL that specifies the location where the authorization server must redirect the user after they log in. Use the URL that you specified previously during the registration process.
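
A pre-flight check for the four settings above, added here as an example and not part of KCM Control Center: it catches a Secret ID pasted in place of the secret value, malformed or swapped IDs, and a BaseRedirectURL that differs from the registered Redirect URL. The function name, the sample values, and the exact comparison of the two URLs are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

GUID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
REDIRECT_PATH = "/auth/redirect"  # path given in the registration step


def check_settings(cfg, registered_redirect):
    """Return a list of problems in the four Control Center settings.

    cfg: dict with TenantID, ClientID, Secret, BaseRedirectURL.
    registered_redirect: Redirect URL entered in the app registration.
    """
    problems = []
    tenant, client = cfg.get("TenantID", ""), cfg.get("ClientID", "")
    for name, value in (("TenantID", tenant), ("ClientID", client)):
        if not GUID.fullmatch(value):
            problems.append(f"{name}: expected the GUID from the Overview page")
    if tenant and tenant.lower() == client.lower():
        problems.append("ClientID: same value as TenantID")

    secret = cfg.get("Secret", "")
    if not secret or secret != secret.strip():
        problems.append("Secret: empty or padded with whitespace")
    elif GUID.fullmatch(secret):
        # The portal lists a GUID "Secret ID" next to the secret "Value".
        problems.append("Secret: looks like the Secret ID, not the Value")

    base = urlsplit(cfg.get("BaseRedirectURL", ""))
    reg = urlsplit(registered_redirect)
    if base.scheme != "https" or not base.hostname:
        problems.append("BaseRedirectURL: must be an absolute https URL")
    if reg.path != REDIRECT_PATH:
        problems.append(f"Registered Redirect URL: path is not {REDIRECT_PATH}")
    if (base.hostname, base.port, base.path) != (reg.hostname, reg.port, reg.path):
        problems.append("BaseRedirectURL: differs from the registered Redirect URL")
    return problems


# Constructed sample values, not real identifiers.
GOOD = {
    "TenantID": "11111111-2222-3333-4444-555555555555",
    "ClientID": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "Secret": "constructed-sample-secret-value",
    "BaseRedirectURL": "https://kcm.example.test/auth/redirect",
}
REGISTERED = "https://kcm.example.test/auth/redirect"

if __name__ == "__main__":
    print(check_settings(GOOD, REGISTERED) or "settings look consistent")
```
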

When a user logs in for the first time, they may be asked to give permission to the application to access their profile and maintain access to this data. The user can later retract this permission in the account settings. The client's IT department can also provide the application with these permissions.

If you want to change the configuration settings, use the StartControlCenter.exe tool.