IMPORTANT NOTE: This site is not official Red Hat documentation and is provided for informational purposes only. These guides may be experimental, proof of concept, or early adoption. Officially supported documentation is available at docs.openshift.com and access.redhat.com.
Configure Azure AD as an OIDC identity provider for ROSA/OSD
Andrea Bozzoni, Steve Mirman
27 October 2021
The steps to add Azure AD as an identity provider for Red Hat OpenShift on AWS (ROSA) and OpenShift Dedicated (OSD) are:
- Define the OAuth callback URL
- Register a new Webapp on Azure AD
- Create the client secret
- Configure the Token
- Configure the OAuth identity provider in OCM
Define the OAuth callback URL
You can find the callback URL in OpenShift Cluster Manager (OCM):
- Select your cluster in OCM and then go to the ‘Access control’ tab.
- Pick OpenID as identity provider from the identity providers list.
- Give a name to the identity provider that we are adding to the OCP cluster.
- Keep the OAuth callback URL to use later.
Note: the OAuth Callback has the following format:
https://oauth-openshift.apps.<cluster_name>.<cluster_domain>/oauth2callback/<idp_name>
Register a new Webapp on Azure AD
Access your Azure account, select the Azure Active Directory service and execute the following steps:
- From the main menu add a new Webapp.
- Set the Name to
  or something else unique to the cluster, set the **Redirect URI** to the callback URL from above and click 'Register'.
- Remember the Application (client) ID and Directory (tenant) ID to be used later.
Create the client secret
- Create a new Secret for the Webapp.
- Remember the Secret ID to be used later in the OCM OAuth configuration.
Configure the Token
- Create a new token configuration.
- Select upn and email as optional claims.
- Specify that the claim must be returned in the token.
Configure the OAuth identity provider in OCM
- In OCM, fill in all the fields with the values collected while registering the new Webapp in Azure AD and click the ‘Add’ button.
- After a few minutes the Azure AD authentication method will be available in the OpenShift console login screen.
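The two things that most often go wrong with this procedure are a redirect URI that does not exactly match the OAuth callback URL, and an ID token that arrives without the upn/email claims enabled in the token configuration step. The following Python script is an added example, not part of the original guide or of OCM/ROSA tooling: it builds the callback URL in the format given above, compares it with the URI registered in Azure AD, and inspects the claims of an ID token the way you would when a login fails. The issuer format `https://login.microsoftonline.com/<tenant_id>/v2.0` is assumed here (it is the Azure AD v2.0 endpoint, not stated on this page), and all cluster names, IDs and the sample token are constructed values.

```python
"""Added example (not from the original guide): pre-flight checks for an
Azure AD OIDC identity-provider setup on ROSA/OSD."""
import base64
import json

# Assumption: Azure AD v2.0 issuer format; the guide does not state it.
AZURE_ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tenant_id}/v2.0"
# The optional claims enabled under "Token configuration" in the guide.
REQUIRED_CLAIMS = ("upn", "email")


def callback_url(cluster_name, cluster_domain, idp_name):
    """Build the OAuth callback URL in the format shown in the guide."""
    return (f"https://oauth-openshift.apps.{cluster_name}.{cluster_domain}"
            f"/oauth2callback/{idp_name}")


def redirect_uri_matches(registered_uri, expected_uri):
    """Azure AD matches the Redirect URI byte for byte: scheme, host, path and
    case all have to agree, and a trailing slash is a mismatch."""
    return registered_uri == expected_uri


def _b64url_decode(segment):
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt_payload(token):
    """Return the claims of a compact JWT. This only decodes the payload for
    inspection; it does NOT verify the signature. The OpenShift OAuth server
    verifies the token against the issuer's published keys."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_id_token_claims(payload, tenant_id, client_id):
    """Return a list of problems that would make the OpenShift login fail;
    an empty list means the token carries everything the guide asks for."""
    problems = []
    expected_iss = AZURE_ISSUER_TEMPLATE.format(tenant_id=tenant_id)
    if payload.get("iss") != expected_iss:
        problems.append(f"iss is {payload.get('iss')!r}, expected {expected_iss!r}")
    if payload.get("aud") != client_id:
        problems.append(f"aud is {payload.get('aud')!r}, expected the "
                        f"Application (client) ID {client_id!r}")
    for claim in REQUIRED_CLAIMS:
        if not payload.get(claim):
            problems.append(f"missing claim {claim!r}: enable it under "
                            "Token configuration > optional claims")
    return problems


def make_sample_token(payload):
    """Constructed sample token for offline demonstration only: header and
    payload are real base64url JSON, the signature segment is a placeholder."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.placeholder-signature"


if __name__ == "__main__":
    # Constructed values: none of these identify a real cluster or tenant.
    tenant_id = "00000000-0000-0000-0000-000000000001"
    client_id = "11111111-1111-1111-1111-111111111111"
    expected = callback_url("rosa-demo", "x1y2.p1.openshiftapps.com", "AzureAD")
    registered = expected + "/"  # a common mistake: trailing slash
    print("redirect URI ok:", redirect_uri_matches(registered, expected))

    claims = {"iss": AZURE_ISSUER_TEMPLATE.format(tenant_id=tenant_id),
              "aud": client_id, "upn": "alice@example.com"}  # email not enabled
    payload = decode_jwt_payload(make_sample_token(claims))
    for problem in check_id_token_claims(payload, tenant_id, client_id):
        print("problem:", problem)
```

Run the script as-is to see both failure modes reported (the trailing-slash redirect URI and the missing `email` claim); in practice you would paste the redirect URI copied from the Azure portal and the payload of an ID token captured from a failed login into the two checks.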