...

Info: Azure as Identity Provider

When Azure is used as the ID provider, make sure to set the property auth.oidc.rp.provider.name to Azure, otherwise the access groups cannot be fetched. The reason is that Azure sends a list of group ids in the token, whereas Usage Engine Private Edition needs the Access group name. When the ID provider is Azure, the group id is used to look up the group name from the Azure Graph API endpoint, currently using v1.

...

To turn on the feature, a number of properties are added to the values.yaml file. The properties are described below.

Code block (yml):
rp:
      # Activate/deactivate Usage Engine Private Edition as OIDC Relying Party
      enabled: false
      
      auth:
        # Available auth methods are CLIENT_SECRET_BASIC and PRIVATE_KEY_JWT
        method: "CLIENT_SECRET_BASIC"
        client:
          # Client id
          id: ""
          # Client secret is only used when the method is CLIENT_SECRET_BASIC
          # Uncomment if credentials are not already provided through secret "oidc-rp-secret"
          #secret: ""
        # JWT section only used when method is PRIVATE_KEY_JWT
        jwt:
          # Optional ID Provider KeyId
          keyId:
          jks:
            secret:
              # Name of the secret that stores the jks
              name:
            # Key alias
            alias:

            # Key password
            # Uncomment if credentials are not already provided through secret "oidc-rp-secret"
            #password:

            # Keystore password
            # Uncomment if credentials are not already provided through secret "oidc-rp-secret"
            #storePassword:

      provider:
        # Base URL for Identity Provider
        # URL before /.well-known/openid-configuration
        # Eg. https://login.microsoftonline.com/<tenant_ID>/v2.0
        url:
        # Name of Provider, eg. Azure
        name: ""
      
      # Path in UserInfo or ID Token to find the access groups mapping, separated by dot (.)
      # The groups should be an array of Strings.
      # *** Example ***
      # Here the groups array is inside an object.
      # { myObject : { myGroups : [ "myGroup1", "mygroup2" ] } }
      # The path should then be:
      # groupPath: myObject.myGroups
      # When the groups array is directly under UserInfo, groupPath is just the
      # name of the groups array.
      groupPath:

      # Claim to use for Username
      userNameClaim:

      # Additional scopes
      scopes:

...

When method: "PRIVATE_KEY_JWT" is used, the jwt section needs to be defined.
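The checks implied by the values block and by the PRIVATE_KEY_JWT rule above can be run before a helm upgrade. The following is an added example, not code from Usage Engine Private Edition: it mirrors the rp: section as a plain Python dict (constructed sample data, so it runs offline without PyYAML), resolves a dot-separated groupPath against a constructed UserInfo response the way the comments describe, and flags an Azure provider URL whose provider.name is not Azure. The function names validate_rp and resolve_group_path and the sample client id are the author's own.

```python
"""Preflight checks for the OIDC Relying Party settings shown above.

Added example, not code from Usage Engine Private Edition. The helm values are
mirrored as a plain Python dict (constructed sample data) so the checks run
offline; validate_rp and resolve_group_path are hypothetical helper names.
"""
from typing import Any


def resolve_group_path(claims: dict[str, Any], group_path: str) -> list[str]:
    """Follow a dot-separated groupPath through UserInfo / ID token claims.

    Each segment names a nested object; the final value must be an array of
    strings, as the groupPath comment in the values file requires.
    """
    node: Any = claims
    for segment in group_path.split("."):
        if not isinstance(node, dict) or segment not in node:
            raise KeyError(f"groupPath {group_path!r}: segment {segment!r} not found")
        node = node[segment]
    if not isinstance(node, list) or not all(isinstance(g, str) for g in node):
        raise TypeError(f"groupPath {group_path!r} must point at an array of strings")
    return node


def validate_rp(rp: dict[str, Any]) -> list[str]:
    """Return the configuration problems found in an rp: section (empty list means OK)."""
    problems: list[str] = []
    if not rp.get("enabled"):
        return problems  # feature switched off, nothing else is evaluated

    auth = rp.get("auth") or {}
    method = auth.get("method")
    if method not in ("CLIENT_SECRET_BASIC", "PRIVATE_KEY_JWT"):
        problems.append(f"auth.method {method!r} is not CLIENT_SECRET_BASIC or PRIVATE_KEY_JWT")
    if not (auth.get("client") or {}).get("id"):
        problems.append("auth.client.id is empty")
    if method == "PRIVATE_KEY_JWT":
        # The jwt section is mandatory for this method: keystore Secret name and key alias.
        jks = (auth.get("jwt") or {}).get("jks") or {}
        if not (jks.get("secret") or {}).get("name"):
            problems.append("PRIVATE_KEY_JWT requires auth.jwt.jks.secret.name")
        if not jks.get("alias"):
            problems.append("PRIVATE_KEY_JWT requires auth.jwt.jks.alias")

    provider = rp.get("provider") or {}
    url = provider.get("url") or ""
    if not url.startswith("https://"):
        problems.append("provider.url must be an https URL")
    if url.rstrip("/").endswith("/.well-known/openid-configuration"):
        problems.append("provider.url must be the base URL, without /.well-known/openid-configuration")
    # Azure returns group ids, not names; only provider.name == "Azure" turns on the Graph API lookup.
    if "login.microsoftonline.com" in url and provider.get("name") != "Azure":
        problems.append("provider.name must be Azure when the ID provider is Azure")

    if not rp.get("groupPath"):
        problems.append("groupPath is empty")
    if not rp.get("userNameClaim"):
        problems.append("userNameClaim is empty")
    return problems


# Constructed sample: a PRIVATE_KEY_JWT setup against an Azure tenant, mirroring the values above.
SAMPLE_RP: dict[str, Any] = {
    "enabled": True,
    "auth": {
        "method": "PRIVATE_KEY_JWT",
        "client": {"id": "11111111-2222-3333-4444-555555555555"},  # constructed client id
        "jwt": {"keyId": None, "jks": {"secret": {"name": "oidc-rp-jks"}, "alias": "sso"}},
    },
    "provider": {"url": "https://login.microsoftonline.com/<tenant_ID>/v2.0", "name": "Azure"},
    "groupPath": "myObject.myGroups",
    "userNameClaim": "preferred_username",
    "scopes": None,
}

# Constructed sample UserInfo response matching the groupPath example in the values file.
SAMPLE_USERINFO: dict[str, Any] = {
    "sub": "user-1",
    "myObject": {"myGroups": ["myGroup1", "mygroup2"]},
}

if __name__ == "__main__":
    print("problems:", validate_rp(SAMPLE_RP))
    print("groups:", resolve_group_path(SAMPLE_USERINFO, SAMPLE_RP["groupPath"]))
```

With the sample values the validator reports no problems and the resolver returns the two group names; removing the jks section or blanking provider.name for an Azure URL produces the corresponding findings, which is the misconfiguration the Info box above warns about.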

In addition to the values in the helm values file, a Java Keystore in JKS format also needs to be created and put into a Kubernetes Secret. The name of the keystore needs to be ssokeystore.jks. The key algorithm needs to be RSA or EC. The signing algorithm of the JWT used to authenticate to the Token Endpoint will be RS256 for RSA keys and ES256 for EC keys.

The script below shows how these can be generated and stored in the Secret. Note that it generates a self-signed certificate, which is not suitable for use on publicly exposed interfaces. Make sure to set the parameters at the beginning of the script before running it. The script produces ssokeystore.jks and creates a Secret from it. It also produces the file publicCert.pem, which should be uploaded to the ID provider in advance.

...