|
| 1 | +:_content-type: ASSEMBLY |
| 2 | +[id="cloud-experts-entra-id-idp"] |
| 3 | += Tutorial: Configuring Microsoft Entra ID (formerly Azure Active Directory) as an identity provider |
| 4 | +include::_attributes/attributes-openshift-dedicated.adoc[] |
| 5 | +:context: cloud-experts-entra-id-idp |
| 6 | + |
| 7 | +toc::[] |
| 8 | + |
| 9 | +//Mobb content metadata |
| 10 | +//Brought into ROSA product docs 2023-09-18 |
| 11 | +// --- |
| 12 | +// date: '2022-09-19' |
| 13 | +// title: Configure ROSA to use Entra ID Group Claims |
| 14 | +// authors: |
| 15 | +// - Michael McNeill |
| 16 | +// - Paul Czarkowski |
| 17 | +// --- |
| 18 | + |
| 19 | +This tutorial demonstrates how to configure Microsoft Entra ID (formerly Azure Active Directory) as the cluster identity provider in {product-title} (ROSA). This tutorial walks through the creation of an Microsoft Entra ID (Entra ID) application and configure Red Hat OpenShift Service on AWS (ROSA) to authenticate using Azure AD. |
| 20 | + |
| 21 | +This tutorial walks through the following steps: |
| 22 | + |
| 23 | +. Register a new application in Entra ID for authentication. |
| 24 | +. Configure the application registration in Entra ID to include optional and group claims in tokens. |
| 25 | +. Configure the OpenShift cluster to use Entra ID as the identity provider. |
| 26 | +. Grant additional permissions to individual groups. |
| 27 | + |
| 28 | +[id="cloud-experts-entra-id-idp-prerequisites"] |
| 29 | +== Prerequisites |
| 30 | + |
| 31 | +Create a set of security groups and assign users by following link:https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/how-to-manage-groups[the Microsoft documentation]. |
| 32 | + |
| 33 | +[id="cloud-experts-entra-id-idp-register-application"] |
| 34 | +== Register a new application in Entra ID for authentication |
| 35 | + |
| 36 | +. Capture the OAuth callback URL |
| 37 | ++ |
| 38 | +First, construct the cluster's OAuth callback URL and make note of it. To do so, run the following command, making sure to replace the variable specified: |
| 39 | ++ |
| 40 | +The "AAD" directory at the end of the the OAuth callback URL should match the OAuth identity provider name you'll setup later. |
| 41 | ++ |
| 42 | +[source,terminal] |
| 43 | +---- |
| 44 | +$ domain=$(rosa describe cluster -c <cluster_name> | grep "DNS" | grep -oE '\S+.openshiftapps.com') |
| 45 | +$ echo "OAuth callback URL: https://oauth-openshift.apps.$domain/oauth2callback/AAD" |
| 46 | +---- |
| 47 | + |
| 48 | +. Register a new application in Entra ID |
| 49 | ++ |
| 50 | +You need to create the Entra ID application itself. To do so, log in to the Azure portal, and navigate to link:https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade[App registrations blade], and click on "New registration" to create a new application. |
| 51 | ++ |
| 52 | +image:azure-portal_app-registrations-blade.png[Azure Portal - App registrations blade] |
| 53 | ++ |
| 54 | +Provide a name for the application, for example `openshift-auth`. Select "Web" from the Redirect URI dropdown and fill in the Redirect URI using the value of the OAuth callback URL you retrieved in the previous step. Once you fill in the necessary information, click "Register" to create the application. |
| 55 | ++ |
| 56 | +image:azure-portal_register-an-application-page.png[Azure Portal - Register an application page] |
| 57 | ++ |
| 58 | +Then, click on the "Certificates & secrets" sub-blade and select "New client secret". Fill in the details request and make note of the generated client secret value, as you'll use it in a later step. You won't be able to retrieve it again. |
| 59 | ++ |
| 60 | +image:azure-portal_certificates-secrets-page.png[Azure Portal - Certificates & secrets page] |
| 61 | +image:azure-portal_add-a-client-secret-page.png[Azure Portal - Add a Client Secret page] |
| 62 | +image:azure-portal_copy-client-secret-page.png[Azure Portal - Copy Client Secret page] |
| 63 | ++ |
| 64 | +Then, click on the "Overview" sub-blade and make note of the "Application (client) ID" and "Directory (tenant) ID". You'll need those values in a later step as well. |
| 65 | + |
| 66 | +[id="rosa-mobb-entra-id-configure-optional-claims"] |
| 67 | +== Configure optional claims |
| 68 | + |
| 69 | +To provide OpenShift with enough information about the user to create their account, we will configure Entra ID to provide two optional claims, specifically "email" and "preferred_username". For more information on optional claims in Entra ID, see link:https://learn.microsoft.com/en-us/azure/active-directory/develop/optional-claims[the Microsoft documentation]. |
| 70 | + |
| 71 | +Click on the "Token configuration" sub-blade and select the "Add optional claim" button. |
| 72 | + |
| 73 | +image:azure-portal_optional-claims-page.png[Azure Portal - Add Optional Claims Page] |
| 74 | + |
| 75 | +Select ID then check the "email" and "preferred_username" claims and click the "Add" button to configure them for your Entra ID application. |
| 76 | + |
| 77 | +image:azure-portal_add-optional-claims-page.png[Azure Portal - Add Optional Claims - Token Type] |
| 78 | +image:azure-portal_add-optional-email-claims-page.png[Azure Portal - Add Optional Claims - email] |
| 79 | +image:azure-portal_add-optional-preferred_username-claims-page.png[Azure Portal - Add Optional Claims - preferred_username] |
| 80 | + |
| 81 | +When prompted, follow the prompt to enable the necessary Microsoft Graph permissions. |
| 82 | + |
| 83 | +image:azure-portal_add-optional-claims-graph-permissions-prompt.png[Azure Portal - Add Optional Claims - Graph Permissions Prompt] |
| 84 | + |
| 85 | +[id="rosa-mobb-entra-id-configure-group-claims"] |
| 86 | +== Configure group claims (optional) |
| 87 | + |
| 88 | +In addition to individual user authentication, OpenShift provides group claim functionality. This functionality allows an OpenID Connect identity provider, like Entra ID, to offer a user’s group membership for use within OpenShift. To enable group claims, we will configure Entra ID to provide a groups claim. |
| 89 | + |
| 90 | +Next, select the "Add groups claim" button. |
| 91 | + |
| 92 | +image:azure-portal_optional-group-claims-page.png[Azure Portal - Add Groups Claim Page] |
| 93 | + |
| 94 | +Select the "Security groups" option and click the "Add" button to configure group claims for your Entra ID application. |
| 95 | + |
| 96 | +[NOTE] |
| 97 | +==== |
| 98 | +In this example, we are providing all security groups a user is a member of via the group claim. In a real production environment, we highly recommend scoping the groups provided by the group claim to _only those groups which are applicable to OpenShift_. |
| 99 | +==== |
| 100 | + |
| 101 | +image:azure-portal_edit-group-claims-page.png[Azure Portal - Edit Groups Claim Page] |
| 102 | + |
| 103 | +[id="cloud-experts-entra-id-idp-configure-cluster"] |
| 104 | +== Configure the OpenShift cluster to use Entra ID as the identity provider |
| 105 | + |
| 106 | +Finally, we need to configure OpenShift to use Entra ID as its identity provider. While Red Hat OpenShift Service on AWS (ROSA) offers the ability to configure identity providers via the OpenShift Cluster Manager (OCM), we will use the configure the cluster's OAuth provider to use Entra ID as its identity provider via the `rosa` CLI. Before we can do so, we need to set some variables that we will use for our IDP configuration by running the following command: |
| 107 | + |
| 108 | +[source,terminal] |
| 109 | +---- |
| 110 | +$ CLUSTER_NAME=example-cluster <1> |
| 111 | +$ IDP_NAME=AAD <2> |
| 112 | +$ APP_ID=yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy <3> |
| 113 | +$ CLIENT_SECRET=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx <4> |
| 114 | +$ TENANT_ID=zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz <5> |
| 115 | +---- |
| 116 | +-- |
| 117 | +<1> Replace this with the name of your ROSA cluster. |
| 118 | +<2> Replace this with the name you used in the OAuth callback URL. |
| 119 | +<3> Replace this with the Application (client) ID. |
| 120 | +<4> Replace this with the Client Secret. |
| 121 | +<5> Replace this with the Directory (tenant) ID. |
| 122 | +-- |
| 123 | + |
| 124 | +Next, run the following command to configure the cluster's OAuth provider if you opted to enable group claims: |
| 125 | + |
| 126 | +[source,terminal] |
| 127 | +---- |
| 128 | +$ rosa create idp \ |
| 129 | +--cluster ${CLUSTER_NAME} \ |
| 130 | +--type openid \ |
| 131 | +--name ${IDP_NAME} \ |
| 132 | +--client-id ${APP_ID} \ |
| 133 | +--client-secret ${CLIENT_SECRET} \ |
| 134 | +--issuer-url https://login.microsoftonline.com/${TENANT_ID}/v2.0 \ |
| 135 | +--email-claims email \ |
| 136 | +--name-claims name \ |
| 137 | +--username-claims preferred_username \ |
| 138 | +--extra-scopes email,profile \ |
| 139 | +--groups-claims groups |
| 140 | +---- |
| 141 | + |
| 142 | +Otherwise, run the following command to configure the cluster's OAuth provider if you opted to not enable group claims: |
| 143 | + |
| 144 | +[source,terminal] |
| 145 | +---- |
| 146 | +$ rosa create idp \ |
| 147 | +--cluster ${CLUSTER_NAME} \ |
| 148 | +--type openid \ |
| 149 | +--name ${IDP_NAME} \ |
| 150 | +--client-id ${APP_ID} \ |
| 151 | +--client-secret ${CLIENT_SECRET} \ |
| 152 | +--issuer-url https://login.microsoftonline.com/${TENANT_ID}/v2.0 \ |
| 153 | +--email-claims email \ |
| 154 | +--name-claims name \ |
| 155 | +--username-claims preferred_username \ |
| 156 | +--extra-scopes email,profile |
| 157 | +---- |
| 158 | + |
| 159 | +[id="rosa-mobb-azure-oidc-grant-permissions"] |
| 160 | +== Grant additional permissions to individual users |
| 161 | + |
| 162 | +Once the cluster authentication Operator reconciles your changes (generally within a few minutes), you will be able to log in to the cluster using Entra ID. |
| 163 | + |
| 164 | +Once you log in, you will notice that you have very limited permissions. This is because, by default, OpenShift only grants you the ability to create new projects (namespaces) in the cluster. Other projects (namespaces) are restricted from view. |
| 165 | + |
| 166 | +OpenShift includes a significant number of pre-configured roles, including the `cluster-admin` role that grants full access and control over the cluster. To grant your user access to the `cluster-admin` role, run the following command: |
| 167 | + |
| 168 | +[source,terminal] |
| 169 | +---- |
| 170 | +$ rosa grant user cluster-admin \ |
| 171 | + --user=<USERNAME> <1> |
| 172 | + --cluster=${CLUSTER_NAME} |
| 173 | +---- |
| 174 | +-- |
| 175 | +<1> Provide your Entra ID username that you would like to have cluster admin permissions. |
| 176 | +-- |
| 177 | + |
| 178 | +[id="cloud-experts-entra-id-idp-additional-permissions"] |
| 179 | +== Grant additional permissions to individual groups |
| 180 | + |
| 181 | +If you opted to enable group claims, the cluster OAuth provider will automatically create or update the membership of groups the user is a member of (using the group ID). The cluster OAuth provider **does not** automatically create RoleBindings and ClusterRoleBindings for the groups that are created, you are responsible for creating those via your own processes. |
| 182 | + |
| 183 | +OpenShift includes a significant number of pre-configured roles, including the `cluster-admin` role that grants full access and control over the cluster. To grant an automatically generated group access to the `cluster-admin` role, you must create a ClusterRoleBinding to the group ID. |
| 184 | + |
| 185 | +[source,terminal] |
| 186 | +---- |
| 187 | +$ oc create clusterrolebinding cluster-admin-group \ |
| 188 | +--clusterrole=cluster-admin \ |
| 189 | +--group=<GROUP_ID> <1> |
| 190 | +---- |
| 191 | +-- |
| 192 | +<1> Provide your Entra ID group ID that you would like to have cluster admin permissions. |
| 193 | +-- |
| 194 | + |
| 195 | +Now, any user in the specified group will automatically be granted `cluster-admin` access. |
| 196 | + |
| 197 | +For more information on how to use RBAC to define and apply permissions in OpenShift, see link:https://docs.openshift.com/container-platform/latest/authentication/using-rbac.html[the OpenShift documentation]. |
0 commit comments