can act as a Relying Party in the OpenID Connect 1.0 flow (https://openid.net/specs/openid-connect-core-1_0.html).
...
Info: Azure as Identity Provider
When Azure is used as the identity provider, set the property auth.oidc.rp.provider.name to Azure so that the groups can be fetched. Azure sends a list of group IDs, whereas the Access group mapping needs the group name. When the ID provider is Azure, the group ID is used to fetch the group name from the Azure Graph API endpoint (currently v1).
Configuration
To turn on the feature, a number of properties are set in the values.yaml file. The block below sits under auth.oidc, so the full property paths are auth.oidc.rp.…, as used in the Helm examples further down. The properties are described in the comments.
```yaml
rp:
  # Activate/deactivate Usage Engine Private Edition as OIDC Relying Party
  enabled: false
  auth:
    # Available auth methods are CLIENT_SECRET_BASIC and PRIVATE_KEY_JWT
    method: "CLIENT_SECRET_BASIC"
    client:
      # Client id
      id: ""
      # Client secret is only used when the method is CLIENT_SECRET_BASIC
      # Uncomment if credentials are not already provided through secret "oidc-rp-secret"
      #secret: ""
    # JWT section only used when method is PRIVATE_KEY_JWT
    jwt:
      # Optional ID Provider KeyId
      keyId:
      jks:
        secret:
          # Name of secret to store jks
          name:
        # Key Alias
        alias:
        # Key password
        # Uncomment if credentials are not already provided through secret "oidc-rp-secret"
        #password:
        # Keystore password
        # Uncomment if credentials are not already provided through secret "oidc-rp-secret"
        #storePassword:
  provider:
    # Base URL for Identity Provider
    # URL before /.well-known/openid-configuration
    # Eg. https://login.microsoftonline.com/<tenant_ID>/v2.0
    url:
    # Name of Provider, eg. Azure
    name: ""
    # Path in UserInfo or ID Token to find the access groups mapping, separated by dot (.)
    # The groups should be an array of Strings.
    # *** Example ***
    # Here the groups array is inside an object:
    # { myObject : { myGroups : [ "myGroup1", "mygroup2" ] } }
    # The path should then be:
    # groupPath: myObject.myGroups
    # When the groups array is directly under UserInfo, groupPath is just the
    # name of the groups array.
    groupPath:
    # Claim to use for Username
    userNameClaim:
    # Additional scopes
    scopes:
```
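The two claim-handling rules above (the dot-separated groupPath walk, and the Azure case where the claim carries group IDs that must be turned into names) can be worked through in a few lines. The following is an added example written for this page, not code from Usage Engine; the claims, the group IDs and the `AZURE_GROUP_DIRECTORY` table are constructed, and `azure_group_name` is a hypothetical stand-in for the Graph API lookup the product performs.

```python
"""Added example (not part of the product): resolve the access-group claim as
the values.yaml comments describe it.

- groupPath is a dot-separated path into the UserInfo / ID Token claims and
  must end at an array of strings.
- When provider.name is "Azure", the array holds group object IDs, and each ID
  is translated to a group name; here the Graph API call is replaced by an
  injected lookup function over a constructed table.
"""
from typing import Any, Callable, Mapping, Optional


class GroupClaimError(ValueError):
    """Raised when the claims do not yield a usable list of access groups."""


def resolve_group_path(claims: Mapping[str, Any], group_path: str) -> list[str]:
    """Walk group_path (e.g. "myObject.myGroups") through nested claim objects."""
    if not group_path:
        raise GroupClaimError("groupPath must not be empty")
    node: Any = claims
    for segment in group_path.split("."):
        if not isinstance(node, Mapping) or segment not in node:
            raise GroupClaimError(
                f"groupPath {group_path!r}: segment {segment!r} not found in claims")
        node = node[segment]
    if not isinstance(node, list) or not all(isinstance(g, str) for g in node):
        raise GroupClaimError(
            f"groupPath {group_path!r} must point at an array of strings, got {node!r}")
    return node


def access_groups(claims: Mapping[str, Any], group_path: str, provider_name: str,
                  azure_lookup: Optional[Callable[[str], str]] = None) -> list[str]:
    """Return the Access group names for a user.

    For provider "Azure" the claim holds group IDs, so every ID is mapped to a
    name through azure_lookup (standing in for the Graph API endpoint).
    """
    groups = resolve_group_path(claims, group_path)
    if provider_name != "Azure":
        return groups
    if azure_lookup is None:
        raise GroupClaimError("provider Azure requires a group-ID to name lookup")
    return [azure_lookup(group_id) for group_id in groups]


# --- constructed sample data (hypothetical names and IDs) -------------------

# UserInfo shaped like the example in the values.yaml comment.
SAMPLE_USERINFO = {
    "sub": "user-123",
    "myObject": {"myGroups": ["myGroup1", "mygroup2"]},
}

# Azure-style claims: the "groups" claim carries group object IDs, not names.
SAMPLE_AZURE_CLAIMS = {
    "sub": "user-456",
    "groups": [
        "11111111-1111-1111-1111-111111111111",
        "22222222-2222-2222-2222-222222222222",
    ],
}

# Constructed stand-in for the group directory the Graph API would answer from.
AZURE_GROUP_DIRECTORY = {
    "11111111-1111-1111-1111-111111111111": "ue-admins",
    "22222222-2222-2222-2222-222222222222": "ue-operators",
}


def azure_group_name(group_id: str) -> str:
    """Hypothetical lookup in place of the Graph API call; unknown IDs are an error."""
    try:
        return AZURE_GROUP_DIRECTORY[group_id]
    except KeyError:
        raise GroupClaimError(f"unknown Azure group id {group_id!r}") from None


if __name__ == "__main__":
    print(access_groups(SAMPLE_USERINFO, "myObject.myGroups", "Other"))
    print(access_groups(SAMPLE_AZURE_CLAIMS, "groups", "Azure", azure_group_name))
```

Every failure mode (missing path segment, a non-string array, an Azure provider without a lookup, an unknown group ID) raises rather than returning an empty list, so a misconfigured groupPath can never silently log a user in with no groups. Note also that Azure omits the groups claim entirely when a user belongs to more groups than fit in the token (the claim is replaced by `_claim_names`/`_claim_sources`); with the walk above that shows up as a clear error at the first missing segment.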
Kubernetes Secret
Credentials can be written into a Secret object named env-secrets prior to installation.
Example - Secret object:
```shell
$ kubectl create secret generic oidc-rp-secrets -n <namespace> \
  --from-literal=keystorePassword="<password>" \
  --from-literal=keyPassword="<password>" \
  --from-literal=clientSecret="<secret>"
```
Values passed with --from-literal end up in the shell history; when the Secret is created interactively, prefer --from-file or a manifest applied from a file.
Helm Values
Credentials can also be provided as Helm values, either in values.yaml or on the command line.
Example - Helm credentials:
```shell
$ helm install <release_name> ./usage-engine-private-edition --wait --timeout=5m --namespace <namespace> \
  --set auth.oidc.rp.auth.jwt.jks.storePassword="<password>" \
  --set auth.oidc.rp.auth.jwt.jks.password="<password>" \
  --set auth.oidc.rp.auth.client.secret="<secret>"
```
Credentials passed with --set are visible in the shell history and are stored as user-supplied values in the Helm release record (a Secret in the release namespace, readable with helm get values), so for production the pre-created Kubernetes Secret is the safer option.
Private Key Authentication
When method: "PRIVATE_KEY_JWT" is used, the jwt section must be defined.
...