Cloud Experts Documentation

Configuring IDP for ROSA, OSD and ARO

Red Hat OpenShift on AWS (ROSA) and OpenShift Dedicated (OSD) provide a simple way for the cluster administrator to configure one or more identity providers for their cluster(s) via the OpenShift Cluster Manager (OCM), while Azure Red Hat OpenShift (ARO) relies on the cluster's internal authentication operator, which the administrator configures directly in the cluster.

The identity providers available for use are:

Configuring Specific Identity Providers

ARO

ROSA/OSD

Configuring Group Synchronization

Configuring Microsoft Entra ID to emit group names

In this guide, we will configure an existing Microsoft Entra ID (formerly Azure Active Directory) identity provider to emit the group name instead of the group ID for optional group claims. This allows you to reference group names in your role bindings instead of group IDs. The ability to emit group names instead of group IDs is a preview feature made available by Microsoft and is subject to their terms and conditions for preview features of their services. Note that group object IDs are immutable and unique, while display names can be changed and are not guaranteed to be unique, so role bindings keyed on names need to be reviewed whenever groups are renamed or recreated.

Configure Red Hat SSO with Microsoft Entra ID as a Federated Identity Provider

This guide demonstrates how to install and configure Red Hat SSO (Keycloak) on an Azure Red Hat OpenShift (ARO) cluster, and how to configure the ARO cluster to use that SSO server for login over OIDC. Red Hat SSO can also federate user identities from other identity providers; the guide uses Azure AD as the federated identity provider to show how this is done.

What to consider when using Azure AD as IDP?

Author: Ricardo Macedo Martins, May 24, 2023

In this guide, we will discuss key considerations when using Azure Active Directory (AAD) as the Identity Provider (IDP) for your ARO or ROSA cluster. Below are some helpful references:
- Configure ARO to Use Azure AD
- Configuring IDP for ROSA, OSD, and ARO
- Default Access for All Users in Azure Active Directory

Once you set up AAD as the IDP for your cluster, it is important to note that by default, every user in your Azure Active Directory tenant will be able to log in to the cluster.

Configure Microsoft Entra ID as an OIDC identity provider for ARO with cli

The steps to add Azure AD as an identity provider for Azure Red Hat OpenShift (ARO) via the CLI are:

Prerequisites
- Have the Azure CLI installed
- Log in to Azure

Azure
- Define the needed variables
- Get the oauthCallbackURL
- Create a manifest.json file to configure the Azure Active Directory application
- Register/create the app
- Add a Service Principal for the new app
- Make the Service Principal an Enterprise Application
- Create the client secret
- Update the Azure AD application scope permissions
- Get the Tenant ID

OpenShift
- Log in to OpenShift as kubeadmin
- Create an OpenShift secret
- Apply the OpenShift OpenID authentication configuration
- Wait for the authentication operator to roll out
- Verify login through Azure Active Directory
- Last steps

Prerequisites

Have the Azure CLI installed. Follow the Microsoft instructions: https://docs.
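The CLI procedure above, worked through as an added example (this is not the guide's own script): the shell functions derive the OAuth callback URL from the cluster's OAuth route, render the optional-claims JSON and the OAuth custom resource, and `main` strings the `az` and `oc` calls together. The app display name, the IdP name, the OpenShift Secret name and the claim mapping are choices made here, not values from the guide; the `appRoleAssignmentRequired` step is an added hardening step for the tenant-wide default access noted in the "What to consider" entry above; Azure CLI 2.37 or newer (the Microsoft Graph based version) is assumed for `--optional-claims`. The live calls only run when `RUN_LIVE=1` is set, so the rendering functions can be checked offline.

```shell
# Added example (not from the MOBB guide): Azure AD -> ARO OIDC wiring.
# Assumes az and oc are installed and already logged in (az login / oc login).
set -eu

IDP_NAME="${IDP_NAME:-AzureAD}"               # hypothetical identity provider name
APP_NAME="${APP_NAME:-aro-oidc}"              # hypothetical app registration name
SECRET_NAME="openid-client-secret-azuread"    # hypothetical OpenShift Secret name

# The OAuth server expects https://<oauth-route-host>/oauth2callback/<idp-name>.
callback_url() {            # $1 = oauth route host, $2 = idp name
  printf 'https://%s/oauth2callback/%s\n' "$1" "$2"
}

# Optional claims so the ID token carries upn and email (used for preferredUsername).
optional_claims_json() {
  cat <<'EOF'
{
  "idToken": [
    {"name": "upn", "essential": false},
    {"name": "email", "essential": false}
  ]
}
EOF
}

# OAuth CR for ARO. $1 = tenant id, $2 = client (app) id, $3 = idp name, $4 = secret name
oauth_cr_yaml() {
  cat <<EOF
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: $3
    mappingMethod: claim
    type: OpenID
    openID:
      clientID: $2
      clientSecret:
        name: $4
      extraScopes:
      - email
      - profile
      claims:
        preferredUsername:
        - email
        - upn
        name:
        - name
        email:
        - email
      issuer: https://login.microsoftonline.com/$1/v2.0
EOF
}

main() {
  oauth_host=$(oc get route oauth-openshift -n openshift-authentication -o jsonpath='{.spec.host}')
  cb=$(callback_url "$oauth_host" "$IDP_NAME")
  # Register the app with the callback as its only redirect URI, single tenant only.
  app_id=$(az ad app create --display-name "$APP_NAME" --web-redirect-uris "$cb" \
             --sign-in-audience AzureADMyOrg --query appId -o tsv)
  az ad sp create --id "$app_id" >/dev/null
  # Added hardening (assumed, not in the guide): require assignment so only users and
  # groups assigned to the enterprise application can sign in, not the whole tenant.
  az ad sp update --id "$app_id" --set appRoleAssignmentRequired=true
  az ad app update --id "$app_id" --optional-claims "$(optional_claims_json)"
  client_secret=$(az ad app credential reset --id "$app_id" --years 1 --query password -o tsv)
  tenant_id=$(az account show --query tenantId -o tsv)
  oc create secret generic "$SECRET_NAME" -n openshift-config --from-literal=clientSecret="$client_secret"
  oauth_cr_yaml "$tenant_id" "$app_id" "$IDP_NAME" "$SECRET_NAME" | oc apply -f -
  # The authentication operator rolls the OAuth server pods; wait before testing login.
  oc rollout status deployment/oauth-openshift -n openshift-authentication
}

if [ "${RUN_LIVE:-0}" = "1" ]; then main; fi
```

The client secret is written straight into the Secret in `openshift-config` and never echoed; `az ad app credential reset` returns the only copy, so record its expiry (one year here) and rotate both the Azure credential and the OpenShift Secret together.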

Configure ARO to use Microsoft Entra ID

This guide demonstrates how to configure Azure AD as the cluster identity provider in Azure Red Hat OpenShift (ARO). It walks through creating an Azure Active Directory (Azure AD) application and configuring ARO to authenticate using Azure AD, in the following steps:
- Register a new application in Azure AD for authentication.
- Configure the application registration in Azure AD to include optional claims in tokens.

Configure Microsoft Entra ID as an OIDC identity provider for ROSA/OSD

This guide demonstrates how to configure Azure AD as the cluster identity provider in Red Hat OpenShift Service on AWS (ROSA). It walks through creating an Azure Active Directory (Azure AD) application and configuring ROSA to authenticate using Azure AD, in the following steps:
- Register a new application in Azure AD for authentication.
- Configure the application registration in Azure AD to include optional and group claims in tokens.

MOBB Docs and Guides - group-claims

MOBB Docs and Guides for group-claims

Using Group Sync Operator with Okta and ROSA/OSD

Thatcher Hubbard, 15 July 2022

This guide focuses on how to synchronize Identity Provider (IDP) groups and users after configuring authentication in OpenShift Cluster Manager (OCM). To set up group synchronization from Okta to ROSA/OSD you must:
- Define groups and assign users in Okta
- Install the Group Sync Operator from the OpenShift OperatorHub
- Create and configure a new Group Sync instance
- Set a synchronization schedule
- Test the synchronization process

Define groups and assign users in Okta

To synchronize groups and users with ROSA/OSD they must exist in Okta

Configure GitLab as an identity provider for ARO

The following instructions detail how to configure GitLab as the identity provider for Azure Red Hat OpenShift:
- Register a new application in GitLab
- Create the OAuth callback URL in ARO
- Log in and confirm
- Add administrative users or groups

Register a new application in GitLab

Log into GitLab and execute the following steps:
- Go to Preferences
- Select Applications from the left navigation bar
- Provide a Name and enter the OAuth Callback URL as the Redirect URI in GitLab

Configure GitLab as an identity provider for ROSA/OSD

The following instructions detail how to configure GitLab as the identity provider for Managed OpenShift through the OpenShift Cluster Manager (OCM):
- Create the OAuth callback URL in OCM
- Register a new application in GitLab
- Configure the identity provider credentials and URL
- Add cluster-admin or dedicated-admin users
- Log in and confirm

Create the OAuth callback URL in OCM

Log in to the OpenShift Cluster Manager (OCM) to add a GitLab identity provider

Using Group Sync Operator with Azure Active Directory and ROSA

This guide focuses on how to synchronize Identity Provider (IDP) groups and users after configuring authentication in OpenShift Cluster Manager (OCM). For an IDP configuration example, please reference the Configure Azure AD as an OIDC identity provider for ROSA/OSD guide. To set up group synchronization from Azure Active Directory (AD) to ROSA/OSD you must:
- Define groups and assign users in Azure AD
- Add the required API permissions to the app registration in Azure AD
- Install the Group Sync Operator from the OpenShift OperatorHub
- Create and configure a new Group Sync instance
- Set a synchronization schedule
- Test the synchronization process

Define groups and assign users in Azure AD

To synchronize groups and users with ROSA/OSD they must exist in Azure AD
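The objects behind the two Group Sync Operator procedures on this page (Okta, and Azure AD above), as an added example that is not the guides' own code: the credentials Secret and the GroupSync instance for each provider are rendered by shell functions, and `main` shows the live apply-then-verify sequence for the Azure AD case. The namespace, Secret names, group names, schedule, Okta org URL and app id are placeholders chosen here; the field names follow the redhat-cop group-sync-operator's Azure and Okta providers, and the Graph permission set the Azure app registration needs is the one in the guide above. Only listed groups are synced, which keeps the cluster's group objects to the ones you intend to bind roles to.

```shell
# Added example (not from the MOBB guides): GroupSync wiring for Azure AD and Okta.
set -eu

NS="group-sync-operator"   # namespace the operator was installed into (assumed)

# Azure AD credentials: app registration with the Graph application permissions and
# admin consent from the guide. Keys are the ones the operator's azure provider reads.
azure_credentials_yaml() {   # $1 tenant id, $2 client id, $3 client secret
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: azure-group-sync
  namespace: $NS
type: Opaque
stringData:
  AZURE_TENANT_ID: "$1"
  AZURE_CLIENT_ID: "$2"
  AZURE_CLIENT_SECRET: "$3"
EOF
}

# Okta credentials: a read-only API token under the key the okta provider expects.
okta_credentials_yaml() {    # $1 okta api token
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: okta-group-sync
  namespace: $NS
type: Opaque
stringData:
  okta-api-token: "$1"
EOF
}

# Emit the group list at the indentation of the provider block.
group_list() { for g in "$@"; do printf '      - %s\n' "$g"; done; }

# GroupSync for Azure AD: $1 cron schedule, remaining args = group display names.
azure_groupsync_yaml() {
  schedule=$1; shift
  cat <<EOF
apiVersion: redhatcop.redhat.io/v1alpha1
kind: GroupSync
metadata:
  name: azure-groupsync
  namespace: $NS
spec:
  schedule: "$schedule"
  providers:
  - name: azure
    azure:
      credentialsSecret:
        name: azure-group-sync
        namespace: $NS
      groups:
EOF
  group_list "$@"
}

# GroupSync for Okta: $1 cron schedule, $2 Okta org URL, $3 OIDC app id, rest = groups.
okta_groupsync_yaml() {
  schedule=$1; url=$2; app=$3; shift 3
  cat <<EOF
apiVersion: redhatcop.redhat.io/v1alpha1
kind: GroupSync
metadata:
  name: okta-groupsync
  namespace: $NS
spec:
  schedule: "$schedule"
  providers:
  - name: okta
    okta:
      credentialsSecret:
        name: okta-group-sync
        namespace: $NS
      url: $url
      appId: $app
      groups:
EOF
  group_list "$@"
}

# Live steps (oc logged in as a cluster administrator; AZURE_* exported), RUN_LIVE=1:
# apply, inspect the sync status and the resulting group, then bind the role to the
# group name so membership is managed in the IdP rather than per user in the cluster.
main() {
  azure_credentials_yaml "$AZURE_TENANT_ID" "$AZURE_CLIENT_ID" "$AZURE_CLIENT_SECRET" | oc apply -f -
  azure_groupsync_yaml '*/30 * * * *' cluster-admins | oc apply -f -
  oc get groupsync azure-groupsync -n "$NS" -o jsonpath='{.status}'; echo
  oc get group cluster-admins -o jsonpath='{.users}'; echo
  oc adm policy add-cluster-role-to-group cluster-admin cluster-admins
}

if [ "${RUN_LIVE:-0}" = "1" ]; then main; fi
```

The first sync only happens on the schedule, so check the GroupSync status and the `group` object after the interval has passed; if the group is missing, the usual causes are a display name that does not match the IdP exactly or an app registration without admin consent for its Graph permissions.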


© 2023 Red Hat, Inc.