Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 10. Tutorial: Configuring Microsoft Entra ID (formerly Azure Active Directory) as an identity provider

You can configure Microsoft Entra ID (formerly Azure Active Directory) as the cluster identity provider in Red Hat OpenShift Service on AWS classic architecture (ROSA).

This tutorial guides you to complete the following tasks:

  1. Register a new application in Entra ID for authentication.
  2. Configure the application registration in Entra ID to include optional and group claims in tokens.
  3. Configure the Red Hat OpenShift Service on AWS classic architecture cluster to use Entra ID as the identity provider.
  4. Grant additional permissions to individual groups.

10.1. Prerequisites
Copy link

To register your application in Entra ID, first create the OAuth callback URL, then register your application.

Procedure

  1. Create the cluster’s OAuth callback URL by changing the specified variables and running the following command:

    Note

    Remember to save this callback URL; it will be required later in the process. 

    $ domain=$(rosa describe cluster -c <cluster_name> | grep "DNS" | grep -oE '\S+.openshiftapps.com')
echo "OAuth callback URL: https://oauth.${domain}/oauth2callback/AAD"
    Copy to Clipboard Toggle word wrap

    The "AAD" directory at the end of the OAuth callback URL must match the OAuth identity provider name that you will set up later in this process.

  2. Create the Entra ID application by logging in to the Azure portal, and select the App registrations blade. Then, select New registration to create a new application.

    Azure Portal - App registrations blade

  3. Name the application, for example openshift-auth.
  4. Select Web from the Redirect URI dropdown and enter the value of the OAuth callback URL you retrieved in the previous step.

  5. After providing the required information, click Register to create the application.

    Azure Portal - Register an application page

  6. Select the Certificates & secrets sub-blade and select New client secret.

    Azure Portal - Certificates and secrets page

  7. Complete the requested details and store the generated client secret value. This secret is required later in this process.

    Important

    After initial setup, you cannot see the client secret. If you did not record the client secret, you must generate a new one.

    Azure Portal - Add a Client Secret page

  8. Select the Overview sub-blade and note the Application (client) ID and Directory (tenant) ID. You will need these values in a future step.

    Azure Portal - Copy Client Secret page

So that Red Hat OpenShift Service on AWS classic architecture has enough information to create the user’s account, you must configure Entra ID to give two optional claims: email and preferred_username. For more information about optional claims in Entra ID, see the Microsoft documentation.

In addition to individual user authentication, Red Hat OpenShift Service on AWS classic architecture provides group claim functionality. This functionality allows an OpenID Connect (OIDC) identity provider, such as Entra ID, to offer a user’s group membership for use within Red Hat OpenShift Service on AWS classic architecture.

10.3.1. Configuring optional claims
Copy link

You can configure the optional claims in Entra ID.

  1. Click the Token configuration sub-blade and select the Add optional claim button.

    Azure Portal - Add Optional Claims Page

  2. Select the ID radio button.

    Azure Portal - Add Optional Claims - Token Type

  3. Select the email claim checkbox.

    Azure Portal - Add Optional Claims - email

  4. Select the preferred_username claim checkbox. Then, click Add to configure the email and preferred_username claims your Entra ID application.

    Azure Portal - Add Optional Claims - preferred_username

  5. A dialog box appears at the top of the page. Follow the prompt to enable the necessary Microsoft Graph permissions.

    Azure Portal - Add Optional Claims - Graph Permissions Prompt

10.3.2. Configuring group claims (optional)
Copy link

Configure Entra ID to offer a groups claim.

Procedure

  1. From the Token configuration sub-blade, click Add groups claim.

    Azure Portal - Add Groups Claim Page

  2. To configure group claims for your Entra ID application, select Security groups and then click the Add.

    Note

    In this example, the group claim includes all of the security groups that a user is a member of. In a real production environment, ensure that the groups that the group claim only includes groups that apply to Red Hat OpenShift Service on AWS classic architecture.

    Azure Portal - Edit Groups Claim Page

You must configure Red Hat OpenShift Service on AWS classic architecture to use Entra ID as its identity provider.

Although ROSA offers the ability to configure identity providers by using OpenShift Cluster Manager, use the ROSA CLI to configure the cluster’s OAuth provider to use Entra ID as its identity provider. Before configuring the identity provider, set the necessary variables for the identity provider configuration.

Procedure

  1. Create the variables by running the following command: 

    $ CLUSTER_NAME=example-cluster
    1 
    
$ IDP_NAME=AAD
    2 
    
$ APP_ID=yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy
    3 
    
$ CLIENT_SECRET=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    4 
    
$ TENANT_ID=zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz
    5
    Copy to Clipboard Toggle word wrap
    1
    Replace this with the name of your ROSA cluster.
    2
    Replace this value with the name you used in the OAuth callback URL that you generated earlier in this process.
    3
    Replace this with the Application (client) ID.
    4
    Replace this with the Client Secret.
    5
    Replace this with the Directory (tenant) ID.

  2. Configure the cluster’s OAuth provider by running the following command. If you enabled group claims, ensure that you use the --group-claims groups argument.

    • If you enabled group claims, run the following command: 

      $ rosa create idp \
--cluster ${CLUSTER_NAME} \
--type openid \
--name ${IDP_NAME} \
--client-id ${APP_ID} \
--client-secret ${CLIENT_SECRET} \
--issuer-url https://login.microsoftonline.com/${TENANT_ID}/v2.0 \
--email-claims email \
--name-claims name \
--username-claims preferred_username \
--extra-scopes email,profile \
--groups-claims groups
      Copy to Clipboard Toggle word wrap

    • If you did not enable group claims, run the following command: 

      $ rosa create idp \
--cluster ${CLUSTER_NAME} \
--type openid \
--name ${IDP_NAME} \
--client-id ${APP_ID} \
--client-secret ${CLIENT_SECRET} \
--issuer-url https://login.microsoftonline.com/${TENANT_ID}/v2.0 \
--email-claims email \
--name-claims name \
--username-claims preferred_username \
--extra-scopes email,profile
      Copy to Clipboard Toggle word wrap

After a few minutes, the cluster authentication Operator reconciles your changes, and you can log in to the cluster by using Entra ID.

When your first log in, you might notice that you have very limited permissions. By default, Red Hat OpenShift Service on AWS classic architecture only grants you the ability to create new projects, or namespaces, in the cluster. Other projects are restricted from view.

You must grant these additional abilities to individual users and groups.

Red Hat OpenShift Service on AWS classic architecture includes a significant number of preconfigured roles, including the cluster-admin role that grants full access and control over the cluster.

Procedure

  • Grant a user access to the cluster-admin role by running the following command: 

    $ rosa grant user cluster-admin \
    --user=<USERNAME>
    1 
    
    --cluster=${CLUSTER_NAME}
    Copy to Clipboard Toggle word wrap
    1
    Provide the Entra ID username that you want to have cluster admin permissions.

If you opted to enable group claims, the cluster OAuth provider automatically creates or updates the user’s group memberships by using the group ID. The cluster OAuth provider does not automatically create RoleBindings and ClusterRoleBindings for the groups that are created; you are responsible for creating those bindings by using your own processes.

To grant an automatically generated group access to the cluster-admin role, you must create a ClusterRoleBinding to the group ID.

Procedure

  • Create the ClusterRoleBinding by running the following command: 

    $ oc create clusterrolebinding cluster-admin-group \
--clusterrole=cluster-admin \
--group=<GROUP_ID>
    1
    Copy to Clipboard Toggle word wrap
    1
    Provide the Entra ID group ID that you want to have cluster admin permissions.

    Now, any user in the specified group automatically receives cluster-admin access.

Back to top
Red Hat logoGithubredditYoutubeTwitter

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat