Home GitHub

IMPORTANT NOTE: This site is not official Red Hat documentation and is provided for informational purposes only. These guides may be experimental, proof of concept, or early adoption. Officially supported documentation is available at docs.openshift.com and access.redhat.com.

Configure Azure AD as an OIDC identity provider for ROSA/OSD

Andrea Bozzoni, Steve Mirman

27 October 2021

The steps to add Azure AD as an identity provider for Red Hat OpenShift on AWS (ROSA) and OpenShift Dedicated (OSD) are:

  1. Define the OAuth callback URL
  2. Register a new Webapp on Azure AD
  3. Create the client secret
  4. Configure the Token
  5. Configure the OAuth identity provider in OCM

Define the OAuth callback URL

You can find the callback URL in OpenShift Cluster Manager (OCM)

  1. Select your cluster in OCM and then go to the ‘Access control’ tab.

    ocm select access control tab

  2. Pick OpenID as identity provider from the identity providers list.

    ocm select OpenID as indenity provider

  3. Give a name to the identity provider that we are adding to the OCP cluster

    ocm set a name to the OpenID identity provider

  4. Keep the OAuth callback URL to use later.

    Note: the OAuth Callback has the following format:


Register a new Webapp on Azure AD

Access your Azure account and select the Azure Active Directory service and execute the following steps:

  1. From the main menu add a new Webapp

    azuread create a new webapp

  2. Set the Name to or something else unique to the cluster, set the **Redirect URI** to the callback URL from above and click 'Register'

    azuread add the callback URI

  3. Remember Application (client) ID and Directory (tenant) ID to be used later

    azuread display the Webapp info registration

Create the client secret

  1. Create a new Secret for the Webapp

    azuread create a new Webapp secret

  2. Remember the Secret ID to be used later in the OCM OAuth configuration

    azuread secret id

Configure the Token

  1. Create a new token configuration

    azuread create a new token configuration

  2. Select upn and email as optional claims

    azuread add token claims

  3. Specify that the claim must be returned in the token.

    azuread add token claim check

Configure the OAuth identity provider in OCM

  1. In the OCM fill all the fields with the values collected during the registration of the new Webapp in the Azure AD and click the ‘Add’ button.

    ocm fill the oauth fields

  2. After a few minutes the Azure AD authentication methos will be available in the OpenShift console login screen

    ocp login screen