Disclaimer: Mobb.ninja is not official Red Hat documentation - These guides may be experimental, proof of concept or early adoption. Officially supported documentation is available at https://docs.openshift.com.
Using Group Sync Operator with Azure Active Directory and ROSA/OSD
8 November 2021
This guide focuses on how to synchronize Identity Provider (IDP) groups and users after configuring authentication in OpenShift Cluster Manager (OCM). For an IDP configuration example, please reference the Configure Azure AD as an OIDC identity provider for ROSA/OSD guide.
To set up group synchronization from Azure Active Directory (AD) to ROSA/OSD you must:
- Define groups and assign users in Azure AD
- Install the Group Sync Operator from the OpenShift Operator Hub
- Create and configure a new Group Sync instance
- Set a synchronization schedule
- Test the synchronization process
Define groups and assign users in Azure AD
To synchronize groups and users with ROSA/OSD, they must first exist in Azure AD.
Create the groups to synchronize with ROSA/OSD if they do not already exist.
Create the user IDs to synchronize with ROSA/OSD if they do not already exist.
Assign the newly created users to the appropriate group.
Install the Group Sync Operator from the OpenShift Operator Hub
In the OpenShift Operator Hub find the Group Sync Operator
Install the operator in the
Create and configure a new Group Sync instance
Create a new Group Sync instance in the
- Create a new secret named `azure-group-sync` in the group-sync-operator namespace. For this you will need the following values:
Using the OpenShift CLI, create the secret using the following format:
```bash
oc create secret generic azure-group-sync \
  --from-literal=AZURE_SUBSCRIPTION_ID=<insert-id> \
  --from-literal=AZURE_TENANT_ID=<insert-id> \
  --from-literal=AZURE_CLIENT_ID=<insert-id> \
  --from-literal=AZURE_CLIENT_SECRET=<insert-secret>
```
Using the example below, customize the YAML to match your group names and save the configuration:
```yaml
apiVersion: redhatcop.redhat.io/v1alpha1
kind: GroupSync
metadata:
  name: azure-groupsync
  namespace: group-sync-operator
spec:
  providers:
  - azure:
      credentialsSecret:
        name: azure-group-sync
        namespace: group-sync-operator
        key: AZURE_CLIENT_SECRET
      groups:
      - rosa_admin
      - rosa_project_owner
      - rosa_viewer
    name: azure
  schedule: '* * * * *'
```
Set a synchronization schedule
The Group Sync Operator provides a cron-based scheduling parameter for specifying how often the groups and users should be synchronized. This can be set in the instance YAML file during initial configuration or at any time after.
A schedule setting of `schedule: '* * * * *'` would result in synchronization occurring every minute. The value must be quoted, since a bare `*` is not a valid YAML scalar.
Testing the synchronization process
Before testing the synchronization, ensure that your Registered Azure Application has permissions for
Additionally, check to see if the Group Sync process has completed with a
Check to see that all the groups specified in the configuration YAML file show up in the ROSA/OSD Groups list
Validate that all users specified in Azure AD also show up as members of the associated group in ROSA/OSD
Add a new user in Azure AD and assign it to the admin group
Verify that the user now appears in ROSA/OSD (after the specified synchronization time)
Now delete a user from the Azure AD admin group
Verify the user has been deleted from the ROSA/OSD admin group
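As an added check for the testing steps above (this script is not part of the original guide), the following Python compares the group membership that `oc get groups -o json` reports against the membership expected from Azure AD and flags users who should have been removed by the last sync; the JSON sample, group contents and user names are constructed.

```python
import json

# Constructed sample of what `oc get groups -o json` returns after a sync run:
# rosa_viewer has not been created, and rosa_admin still lists a user who was
# removed from the Azure AD group (the stale-membership case the guide tests).
OC_GROUPS_JSON = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "Group", "metadata": {"name": "rosa_admin"},
         "users": ["alice@example.com", "mallory@example.com"]},
        {"kind": "Group", "metadata": {"name": "rosa_project_owner"},
         "users": ["bob@example.com"]},
    ],
})

# Membership as it currently stands in Azure AD (constructed sample).
EXPECTED = {
    "rosa_admin": {"alice@example.com"},
    "rosa_project_owner": {"bob@example.com", "carol@example.com"},
    "rosa_viewer": {"dave@example.com"},
}


def parse_oc_groups(oc_json):
    """Map group name -> set of users from `oc get groups -o json` output."""
    doc = json.loads(oc_json)
    return {g["metadata"]["name"]: set(g.get("users") or [])
            for g in doc.get("items", [])}


def diff_group_membership(expected, actual):
    """Per-group drift report: 'missing' lists users not yet in the cluster,
    'extra' lists users that should have been removed by the last sync."""
    report = {}
    for name, want in expected.items():
        if name not in actual:  # group never synced (or typo in the GroupSync spec)
            report[name] = {"status": "missing", "missing": sorted(want), "extra": []}
            continue
        have = actual[name]
        report[name] = {
            "status": "ok" if have == want else "drift",
            "missing": sorted(want - have),
            "extra": sorted(have - want),  # lingering access: the risky case
        }
    return report


def check_sync(oc_json=OC_GROUPS_JSON, expected=EXPECTED):
    """Run the comparison; an 'extra' entry means access outlived Azure AD."""
    return diff_group_membership(expected, parse_oc_groups(oc_json))
```

Feed it the real `oc get groups -o json` output and a membership export from Azure AD to turn the manual verification into a repeatable check after each sync interval.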