Multiple Methods of Authentication on OpenShift
Part-1: OpenID Connect using Red Hat Single Sign-on
In this series, we will introduce the multiple ways of authenticating on the OpenShift Container Platform (OCP). OCP supports a number of Identity Providers (IDP) using OAuth configuration to allow users to log in to the platform.
This figure represents the broad spectrum of IDP choices supported by OCP at this time:
In this Part-1 we will focus on OpenID Connect as the IDP choice and will show the implementation using Red Hat Single Sign-On (RH-SSO) as the provider.
Red Hat Single Sign-On enables you to secure your web applications by providing single sign-on (SSO) capabilities for web, mobile and cloud native applications.
Key capabilities include:
- Serve as an authentication server - Acts as a standalone SAML or OpenID Connect-based Identity Provider.
- Identity brokering - Integrates with third-party Identity Providers, including leading social networks, as identity sources.
- User federation - Certified with LDAP servers and Microsoft Active Directory as sources for user information.
- Specify user federation, role mapping, and client applications through an easy-to-use administration GUI and REST APIs.
When no IDP is configured yet, one can be added through the User Management option in the console by clicking Add IDP, or at any time from the cluster settings options as shown below. Typically cluster-admin level access, or a role granted IDP configuration capabilities, is needed to configure these options.
The openshift-identity-crisis repository linked in the references below can help bootstrap the different Identity Providers that OpenShift can authenticate with. You'll find documentation for each specific IdP mechanism and automation to drive the deployments.
We will demonstrate this feature by connecting it to the Red Hat SSO (RH SSO) product, which provides powerful identity and federation options for leveraging different authentication mechanisms, including social media logins.
Create a project named “idpdemo”
Install the RH Single Sign-On operator in the idpdemo project.
Create a Keycloak instance using the operator; this will be the SSO server instance.
Once the instance is created you can review the YAML to find the URL, which follows the pattern https://keycloak-<projectname>.apps.<cluster domain name>
Find the admin user id and password in the secrets under Workloads.
Add a realm named “openshift-demo”.
Create a user beastsso/beastpasswd from the Users menu option under Manage, as seen above.
Go to the “Clients” tab in the left navigation menu and create a client named “openshift-demo”.
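The same realm, user and client can be declared as custom resources of the RH-SSO operator instead of being clicked through the admin console. The script below is an added example (not code from the original post or from the operator project): it renders KeycloakRealm, KeycloakUser and KeycloakClient manifests (API group keycloak.org/v1alpha1) and only applies them when IDPDEMO_APPLY=1 is set. It assumes the operator's Keycloak CR carries the label app=sso, that the cluster ingress domain is apps.example.com (placeholder), and that the OpenShift identity provider will later be named "openid"; the client's redirect URI is restricted to OpenShift's OAuth callback, https://oauth-openshift.<domain>/oauth2callback/<idp name>, so the client cannot be used to redirect tokens anywhere else.

```shell
#!/bin/sh
# Added example, not from the original post: render RH-SSO operator CRs that
# reproduce the manual console steps (realm, user, OIDC client).
# Assumptions: the Keycloak CR is labelled app=sso; CLUSTER_DOMAIN is a placeholder.
set -eu

PROJECT="idpdemo"
REALM="openshift-demo"
KC_USER="beastsso"
KC_PASS="beastpasswd"
CLIENT_ID="openshift-demo"
IDP_NAME="openid"                   # name the OpenShift OAuth CR will use for this IDP
CLUSTER_DOMAIN="apps.example.com"   # placeholder: replace with your cluster's ingress domain

# OpenShift's OAuth server receives OIDC responses at /oauth2callback/<idp name>.
oauth_callback_uri() {
  printf 'https://oauth-openshift.%s/oauth2callback/%s\n' "$1" "$2"
}

render_realm() {
  cat <<EOF
apiVersion: keycloak.org/v1alpha1
kind: KeycloakRealm
metadata:
  name: ${REALM}
  namespace: ${PROJECT}
  labels:
    app: sso
spec:
  realm:
    id: ${REALM}
    realm: ${REALM}
    enabled: true
    displayName: "OpenShift demo realm"
  instanceSelector:
    matchLabels:
      app: sso
EOF
}

render_user() {
  cat <<EOF
apiVersion: keycloak.org/v1alpha1
kind: KeycloakUser
metadata:
  name: ${KC_USER}
  namespace: ${PROJECT}
  labels:
    app: sso
spec:
  user:
    username: ${KC_USER}
    enabled: true
    emailVerified: false
    credentials:
      - type: password
        value: "${KC_PASS}"
  realmSelector:
    matchLabels:
      app: sso
EOF
}

# Confidential client: OpenShift authenticates with a client secret, and only the
# OAuth callback URI is allowed, so the client cannot be pointed at another host.
render_client() {
  cat <<EOF
apiVersion: keycloak.org/v1alpha1
kind: KeycloakClient
metadata:
  name: ${CLIENT_ID}
  namespace: ${PROJECT}
  labels:
    app: sso
spec:
  realmSelector:
    matchLabels:
      app: sso
  client:
    clientId: ${CLIENT_ID}
    protocol: openid-connect
    clientAuthenticatorType: client-secret
    publicClient: false
    standardFlowEnabled: true
    directAccessGrantsEnabled: false
    redirectUris:
      - $(oauth_callback_uri "$CLUSTER_DOMAIN" "$IDP_NAME")
EOF
}

# Apply only on request, so the script can be sourced or used as a dry run.
if [ "${IDPDEMO_APPLY:-0}" = "1" ]; then
  oc new-project "$PROJECT" 2>/dev/null || oc project "$PROJECT"
  { render_realm; echo ---; render_user; echo ---; render_client; } | oc apply -f -
fi
```

Run with `IDPDEMO_APPLY=1 sh sso-setup.sh` against a cluster where the operator is installed; without the variable it only defines the render functions. Because no `secret` is set on the client, the operator generates one, and that generated secret is what the OpenShift side is given in the next steps (read it back from the operator's Secret in the idpdemo project with `oc get secrets -n idpdemo`).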
Now configure the IDP to point to this RH SSO server.
The Client ID and secret are obtained from the client created above.
Config Map: In the left navigation menu, navigate to Secrets, select All projects, find “router-ca” and make a copy of the certificate .crt file. You need to configure the config map, or use this ca.crt directly while creating the IDP definition on the screen below. An alternate option is to execute the command:
oc create configmap idpdemo-oidc-client-ca-cert --from-file=ca.crt=$HOME/oidc-ca-cert.pem -n openshift-config
Once we have RH SSO configured and the config map ready in OpenShift, we can configure the IDP in two ways. When a cluster has no IDP configured, you can navigate to “Users” under “User Management” and add it by clicking the “Add IDP” button. Otherwise you can navigate to Administration → Cluster Settings → OAuth and then add the identity provider. Client ID and secret from RH SSO:
Realms from SSO:
Alternatively, you can add the definition under “spec” (line 45) as seen in the screenshot, specifying the config map created above under “ca” (lines 50, 51), the Keycloak realm URL in “issuer” (line 64), and the “clientID” (line 59) and “clientSecret” (line 61) from Red Hat SSO.
Once we add this IDP, it takes some time for the cluster to activate the newly added identity provider; you can see the status in the “ClusterOperators” tab under Administration → Cluster Settings.
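The OAuth definition described above, done from the command line rather than the console, as an added example (not code from the original post or from OpenShift): it creates the client-secret Secret and the router-CA ConfigMap in openshift-config, renders the OAuth cluster resource with an openID identity provider, and then waits on the authentication cluster operator instead of guessing how long activation takes. It assumes the Keycloak route host keycloak-idpdemo.apps.example.com (placeholder), that the RH-SSO client secret is supplied in the CLIENT_SECRET environment variable, and that the router CA was saved to $HOME/oidc-ca-cert.pem as in the oc create configmap command above; the secret and CA names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: wire the OpenShift OAuth resource to
# the RH-SSO realm. KEYCLOAK_HOST is a placeholder; CLIENT_SECRET comes from the
# RH-SSO client created earlier.
set -eu

IDP_NAME="openid"
CLIENT_ID="openshift-demo"
REALM="openshift-demo"
KEYCLOAK_HOST="keycloak-idpdemo.apps.example.com"   # placeholder
CA_CONFIGMAP="idpdemo-oidc-client-ca-cert"
SECRET_NAME="idpdemo-oidc-client-secret"
CA_FILE="${HOME:-/root}/oidc-ca-cert.pem"

# RH-SSO 7.x serves realms under /auth/realms/<realm>; that URL is the OIDC issuer.
issuer_url() {
  printf 'https://%s/auth/realms/%s\n' "$1" "$2"
}

# The identityProviders entry in the "spec" form shown in the post. The CA bundle and
# client secret are referenced by name, so the OAuth CR itself never carries secrets.
render_oauth_cr() {
  cat <<EOF
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
    - name: ${IDP_NAME}
      mappingMethod: claim
      type: OpenID
      openID:
        clientID: ${CLIENT_ID}
        clientSecret:
          name: ${SECRET_NAME}
        ca:
          name: ${CA_CONFIGMAP}
        issuer: $(issuer_url "$KEYCLOAK_HOST" "$REALM")
        claims:
          preferredUsername:
            - preferred_username
          name:
            - name
          email:
            - email
EOF
}

# Confirm the issuer publishes OIDC discovery over the router CA before the
# cluster is pointed at it; a wrong CA or realm fails here, not at user login.
check_issuer() {
  curl -fsS --cacert "$CA_FILE" \
    "$(issuer_url "$KEYCLOAK_HOST" "$REALM")/.well-known/openid-configuration" >/dev/null
}

apply_idp() {
  : "${CLIENT_SECRET:?set CLIENT_SECRET to the RH-SSO client secret}"
  oc create secret generic "$SECRET_NAME" -n openshift-config \
    --from-literal=clientSecret="$CLIENT_SECRET" --dry-run=client -o yaml | oc apply -f -
  oc create configmap "$CA_CONFIGMAP" -n openshift-config \
    --from-file=ca.crt="$CA_FILE" --dry-run=client -o yaml | oc apply -f -
  # Note: this replaces the whole identityProviders list. If other providers are
  # already configured, append with "oc patch oauth cluster --type=json" instead.
  render_oauth_cr | oc apply -f -
  # The authentication operator restarts the oauth-openshift pods; wait until it
  # stops progressing rather than assuming a fixed delay.
  oc wait clusteroperator/authentication --for=condition=Progressing=False --timeout=10m
  oc get clusteroperator authentication
}

if [ "${IDPDEMO_APPLY:-0}" = "1" ]; then
  check_issuer
  apply_idp
fi
```

Run with `CLIENT_SECRET=... IDPDEMO_APPLY=1 sh oauth-idp.sh`. The `mappingMethod: claim` setting means a Keycloak user whose preferred_username collides with an existing OpenShift user from another provider is rejected rather than silently merged, which is the safer default when several IDPs are added incrementally as in this demonstration.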
As we incrementally added several IDPs for this demonstration, you can see the different ways to log in at this point. With this OpenID provider, the login screen features the additional option.
Click on openid to log in to the OpenShift cluster using the user id and password created in the Red Hat SSO system.
You can also add additional identity providers in RH SSO using OpenID Connect, as seen below.
Now let us allow general Google users to log in through this Red Hat SSO identity federation. The Client ID and Secret are from the Google OAuth client. Use the Redirect URI shown to configure the Google OAuth client, along with the URI beginning with keycloak and ending with .com.
After configuring this and clicking on openid in the OpenShift console, there will be two options: the user id (beastsso) and password to use the openid realm directly, or the Google identity provider, like this:
OpenShift directly supports many ways for users to log in to the cluster. However, configuring the IDP through “OpenID Connect” using Red Hat SSO is the best approach given its extensive features. It eliminates configuring multiple IDP types directly in OpenShift, and provides better control and broader applicability by centralizing authentication through Red Hat SSO.
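The Google brokering step above can also be done through the RH-SSO admin REST API instead of the realm console. This is an added example, not code from the original post or from Keycloak: it renders the identity-provider representation for the openshift-demo realm, derives the broker redirect URI that must be registered in the Google OAuth client, and posts it with an admin token when IDPDEMO_APPLY=1 is set. It assumes the RH-SSO 7.x URL layout under /auth, the placeholder host keycloak-idpdemo.apps.example.com, admin credentials from the operator secret in KC_ADMIN_USER / KC_ADMIN_PASS, and Google client values in GOOGLE_CLIENT_ID / GOOGLE_CLIENT_SECRET.

```shell
#!/bin/sh
# Added example, not from the original post: register Google as an identity broker
# in the RH-SSO realm so the "openid" entry on the OpenShift login page can also
# federate Google users. KEYCLOAK_HOST is a placeholder.
set -eu

KEYCLOAK_HOST="keycloak-idpdemo.apps.example.com"   # placeholder
REALM="openshift-demo"
BROKER_ALIAS="google"
CA_FILE="${HOME:-/root}/oidc-ca-cert.pem"

# Keycloak's broker callback: this is the "URI beginning with keycloak" that the
# Google OAuth client must list as an authorized redirect URI.
broker_redirect_uri() {
  printf 'https://%s/auth/realms/%s/broker/%s/endpoint\n' "$1" "$2" "$3"
}

# IdentityProviderRepresentation for POST /admin/realms/<realm>/identity-provider/instances.
# trustEmail stays false so a Google account is not auto-linked to an existing realm
# user merely because the e-mail addresses match.
render_google_idp() {
  cat <<EOF
{
  "alias": "${BROKER_ALIAS}",
  "providerId": "google",
  "enabled": true,
  "trustEmail": false,
  "storeToken": false,
  "config": {
    "clientId": "$1",
    "clientSecret": "$2",
    "defaultScope": "openid email profile"
  }
}
EOF
}

# Admin token via the master realm's password grant for the built-in admin-cli client.
admin_token() {
  curl -fsS --cacert "$CA_FILE" \
    -d grant_type=password -d client_id=admin-cli \
    --data-urlencode "username=$1" --data-urlencode "password=$2" \
    "https://${KEYCLOAK_HOST}/auth/realms/master/protocol/openid-connect/token" |
    sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

apply_google_broker() {
  : "${GOOGLE_CLIENT_ID:?}" "${GOOGLE_CLIENT_SECRET:?}" "${KC_ADMIN_USER:?}" "${KC_ADMIN_PASS:?}"
  token=$(admin_token "$KC_ADMIN_USER" "$KC_ADMIN_PASS")
  render_google_idp "$GOOGLE_CLIENT_ID" "$GOOGLE_CLIENT_SECRET" |
    curl -fsS --cacert "$CA_FILE" -X POST \
      -H "Authorization: Bearer ${token}" -H "Content-Type: application/json" \
      --data-binary @- \
      "https://${KEYCLOAK_HOST}/auth/admin/realms/${REALM}/identity-provider/instances"
  echo "Register this redirect URI in the Google OAuth client:"
  broker_redirect_uri "$KEYCLOAK_HOST" "$REALM" "$BROKER_ALIAS"
}

if [ "${IDPDEMO_APPLY:-0}" = "1" ]; then
  apply_google_broker
fi
```

The Google client secret is only ever sent to RH-SSO; OpenShift itself still knows just the one openshift-demo client, which is the centralization benefit the post describes.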
- OpenID Connect provider for OpenShift - https://github.com/kenmoini/openshift-identity-crisis/tree/main/openid-connect
- Ansible scripts to install bastion, OpenShift, SSO, IDM, private Gitlab, Keystone - https://github.com/kenmoini/grain-tower
- Scripts for all the IDPs - https://github.com/kenmoini/openshift-identity-crisis
- Red Hat serverless knative login function reference - https://github.com/rabay108/knativeark
- Red Hat detailed references - https://docs.openshift.com/container-platform/4.8/authentication/identity_providers/configuring-github-identity-provider.html
Subscribe to the SE Synergy and Acceleration channel.