Enabling Single Sign-On (SSO) for Azure RedHat OpenShift (ARO) cluster using Azure AD
Step-by-step guide on integrating Azure AD authentication with ARO.
In the previous post, we saw how to create a managed OpenShift cluster on Azure using ARO. One of the frequent requests from customers on the Azure cloud is integration with Azure Active Directory (AAD). In this post, we will see how to enable single sign-on for our OpenShift cluster with AAD.
Configure Service Principal
Add Optional Claims
For our service principal (SPN), we will need to add additional claims. To do that, open your registered app under App Registrations and click on Token configuration. Then click Add optional claim, add the claims, and click Add. You will probably be asked for an additional confirmation; tick the checkbox in the dialogue and then click to confirm.
If you now go to the API permissions tab, you will see your changes reflected, and under Token configuration you will see the claims you just added.
By default, an app registered in the Azure tenant is available to every authenticated user of that tenant. For the sake of this post, we will assume every user can log in to our OpenShift cluster.
Add Redirect URI
We will need to configure the callback URL as a redirect URI for our App Registration. You can get the callback URL via the Azure CLI:

```bash
domain=$(az aro show -g $RESOURCEGROUP -n $CLUSTER --query clusterProfile.domain -o tsv)
location=$(az aro show -g $RESOURCEGROUP -n $CLUSTER --query location -o tsv)
echo "OAuth callback URL: https://oauth-openshift.apps.$domain.$location.aroapp.io/oauth2callback/AAD"
```
Then, on the Authentication blade of the App registration, click on Add a platform and, under Redirect URIs, enter the OAuth callback URL you got in the previous step.
Configure OpenShift to use AAD
Log in to the OpenShift console as the kubeadmin user. Go to Cluster Settings, then select the Global Configuration tab. Under Identity Providers, open the Add dropdown and select OpenID Connect.
You will be prompted for details about the SPN, which you will need to fill in as below.
- Client ID: This is the Application ID of our App Registration/SPN.
- Client secret: This is the secret you created for the SPN (see the previous post).
- Issuer URL: The issuer URL for your tenant, with `<YOUR_TENANT_ID>` replaced by the tenant ID of your App Registration.
You can get all these details from the Overview page of the App registration.
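The same identity provider can be created from the command line instead of the console. The following is an added example, not code from the original post; it assumes az and oc are logged in (oc as kubeadmin) and that RESOURCEGROUP, CLUSTER, APP_ID, CLIENT_SECRET and TENANT_ID are set, and the issuer is the Azure AD tenant endpoint https://login.microsoftonline.com/<TENANT_ID> (supplied here, not quoted from the post). The provider name AAD must equal the last path segment of the redirect URI registered in Azure, otherwise the OAuth round trip fails.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Assumes az and oc are logged in
# (oc as kubeadmin) and that RESOURCEGROUP, CLUSTER, APP_ID, CLIENT_SECRET and
# TENANT_ID are set in the environment.
set -eu
IDP_NAME="AAD"   # must equal the last path segment of the registered redirect URI
# Callback URL from cluster domain ($1) and location ($2), as the post derives it.
callback_url() {
  printf 'https://oauth-openshift.apps.%s.%s.aroapp.io/oauth2callback/%s\n' \
    "$1" "$2" "$IDP_NAME"
}
# OAuth cluster resource adding Azure AD as an OpenID Connect provider;
# $1 is the Application ID (clientID), $2 the tenant ID used in the issuer URL.
oauth_manifest() {
  cat <<EOF
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: ${IDP_NAME}
    type: OpenID
    openID:
      clientID: $1
      clientSecret:
        name: openid-client-secret-azuread
      extraScopes:
      - email
      - profile
      claims:
        preferredUsername:
        - upn
        - email
        email:
        - email
      issuer: https://login.microsoftonline.com/$2
EOF
}
# Store the client secret in openshift-config and apply the OAuth resource.
# Not run automatically: call it once the redirect URI is registered in Azure.
apply_aad_idp() {
  domain=$(az aro show -g "$RESOURCEGROUP" -n "$CLUSTER" --query clusterProfile.domain -o tsv)
  location=$(az aro show -g "$RESOURCEGROUP" -n "$CLUSTER" --query location -o tsv)
  echo "Redirect URI that must be registered: $(callback_url "$domain" "$location")"
  oc create secret generic openid-client-secret-azuread -n openshift-config \
    --from-literal=clientSecret="$CLIENT_SECRET"
  oauth_manifest "$APP_ID" "$TENANT_ID" | oc apply -f -
}
```

Run `apply_aad_idp` only after the redirect URI it prints has been added to the App Registration; the secret lives in the openshift-config namespace, which only cluster administrators should be able to read.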
Testing AAD authentication
If everything is correct, you should now be offered AAD as a login option. Click AAD and you should be redirected to the Microsoft AAD login page.
Enter the correct password and you should be logged in to the cluster.
That’s it for this post. Hope you enjoyed reading it!