| title | description | ms.service | ms.topic | ms.date | author | ms.author | keywords | ms.custom |
|---|---|---|---|---|---|---|---|---|
Azure Red Hat OpenShift running OpenShift 4 - Configure Azure Active Directory authentication using the Azure portal and the OpenShift web console |
Learn how to configure Azure Active Directory authentication for an Azure Red Hat OpenShift cluster running OpenShift 4 using the Azure portal and the OpenShift web console |
azure-redhat-openshift |
article |
03/12/2020 |
sabbour |
asabbour |
aro, openshift, az aro, red hat, cli |
mvc, devx-track-azurecli |
If you choose to install and use the CLI locally, this tutorial requires that you are running the Azure CLI version 2.6.0 or later. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI.
Construct the cluster's OAuth callback URL and make note of it. Make sure to replace aro-rg with your resource group's name and aro-cluster with your cluster's name.
Note
The AAD section in the OAuth callback URL should match the OAuth identity provider name you'll setup later.
domain=$(az aro show -g aro-rg -n aro-cluster --query clusterProfile.domain -o tsv)
location=$(az aro show -g aro-rg -n aro-cluster --query location -o tsv)
echo "OAuth callback URL: https://oauth-openshift.apps.$domain.$location.aroapp.io/oauth2callback/AAD"
Login to the Azure portal, and navigate to App registrations blade, then click on New registration to create a new application.
Provide a name for the application, for example aro-azuread-auth, and fill in the Redirect URI using the value of the OAuth callback URL you retrieved earlier.
Navigate to Certificates & secrets and click on New client secret and fill in the details. Make note of the key value, as you'll use it in a later stage. You won't be able to retrieve it again.
Navigate to the Overview and make note of the Application (client) ID and Directory (tenant) ID. You'll need them in a later stage.
Application developers can use optional claims in their Azure AD applications to specify which claims they want in tokens sent to their application.
You can use optional claims to:
- Select additional claims to include in tokens for your application.
- Change the behavior of certain claims that Azure AD returns in tokens.
- Add and access custom claims for your application.
We'll configure OpenShift to use the email claim and fall back to upn to set the Preferred Username by adding the upn as part of the ID token returned by Azure Active Directory.
Navigate to Token configuration (preview) and click on Add optional claim. Select ID then check the email and upn claims.
Applications registered in an Azure Active Directory (Azure AD) tenant are, by default, available to all users of the tenant who authenticate successfully. Azure AD allows tenant administrators and developers to restrict an app to a specific set of users or security groups in the tenant.
Follow the instructions on the Azure Active Directory documentation to assign users and groups to the app.
Retrieve the kubeadmin credentials. Run the following command to find the password for the kubeadmin user.
az aro list-credentials \
--name aro-cluster \
--resource-group aro-rg
The following example output shows the password will be in kubeadminPassword.
{
"kubeadminPassword": "<generated password>",
"kubeadminUsername": "kubeadmin"
}You can find the cluster console URL by running the following command, which will look like https://console-openshift-console.apps.<random>.<region>.aroapp.io/
az aro show \
--name aro-cluster \
--resource-group aro-rg \
--query "consoleProfile.url" -o tsv
Launch the console URL in a browser and login using the kubeadmin credentials.
Navigate to Administration, click on Cluster Settings, then select the Global Configuration tab. Scroll to select OAuth.
Scroll down to select Add under Identity Providers and select OpenID Connect.
Fill in the name as AAD, the Client ID as the Application ID and the Client Secret. The Issuer URL is formatted as such: https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx. Replace the placeholder with the Tenant ID you retrieved earlier.
Scroll down to the Claims section and update the Preferred Username to use the value from the upn claim.
If you now logout of the OpenShift Web Console and try to login again, you'll be presented with a new option to login with AAD. You may need to wait for a few minutes.
