Utkarsh Shigihalli
Published in

Utkarsh Shigihalli

OpenShift

Enabling Single Sign-On (SSO) for Azure RedHat OpenShift (ARO) cluster using Azure AD

Step-by-step guide on integrating Azure AD authentication with ARO.

In the previous post, we saw how we can create a managed OpenShift cluster on Azure using ARO. One of the frequent requests from customers on the Azure cloud is to have integration with Azure Active Directory (AAD). In this post, we will see how we can enable single-sign-on for our OpenShift cluster with AAD.

Configure Service Principal

Add Optional Claims

For our service principal (SPN), we will need to add additional claims. To do that, open your registered app under App Registrations and click on Token configuration. Then click Add optional claim and add email and upn claims.

Add additional claims to SPN

Click Add and you will probably additional confirmation and click the checkbox on the dialogue and then click Add.

If you now go to API permissions tab, you will see your changes reflected.

Finally under Token configuration you will see the claims you just added.

By default app registered in the Azure tenant is by default available for every authenticated user. For the sake of this post, we will assume every user can login to our OpenShift cluster.

Add Redirect URI

We will need to configure the callback URL as a redirect URI for our App Registration. You can get the call back URL via Azure CLI

domain=$(az aro show -g $RESOURCEGROUP -n $CLUSTER --query clusterProfile.domain -o tsv)location=$(az aro show -g $RESOURCEGROUP -n $CLUSTER --query location -o tsv)echo "OAuth callback URL: https://oauth-openshift.apps.$domain.$location.aroapp.io/oauth2callback/AAD"

Under Authentication blade of the App registration, click on Add a platform and click on Web

Then under Redirect URIs enter the OAuth callback URL you got in the previous step.

Configure OpenShift to use AAD

Login as kubeadmin user using the below command.

Navigate to Administration and Cluster Settings, then select Global Configuration tab.

Now under Identity Providers select Add dropdown and select OpenId Connect .

You will be prompted for details about the SPN and you will need to fill them as below.

  • Client ID: This is the ApplicationId of our App Registration/SPN
  • Client secret: This is the secret you created for the SPN (see the previous post)
  • Issuer URL: This is of the format `https://login.microsoftonline.com/<YOUR_TENANT_ID> . Replace <YOUR_TENANT_ID> with the correct tenant id for your App Registration.

You can get all these details from the Overview page for the App registration.

App registration Overview page

Testing AAD authentication

If everything is correct, you should now be prompted to log in using AAD.

Click on AAD and you should be prompted to log in using Microsoft AAD login

Enter the correct password and you should be into the cluster.

That’s it for this post. Hope you enjoyed reading it!

Recommended from Medium

Program Level Across Popular Scaling Agile Methodologies

Download Ome TV Mod Apk 2022 No Login, No Banned

Download Ome TV Mod Apk 2022 No Login, No Banned

Test Driven Development, Robots and Lego

PLM Fundamentals — Bill of Materials and Part Number

CS373 Spring 2022: Maria Gu

👨🏻‍💻How to create docker container and run Machine learning code in it?

To Code OR Not to Code

WTF is Big O notation?

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Utkarsh Shigihalli

Utkarsh Shigihalli

Microsoft MVP | Developer | Passionate about Cloud, .NET and DevOps

More from Medium

Requirements for Installing IBM Cloud Pak on Azure Redhat Openshift (ARO)

Grafana with Azure AD Authentication

Celebal Technologies has earned the Kubernetes on Microsoft Azure Advanced Specialization

Move IAM Access Between Azure Subscription