Troubleshooting identity provider issues within OpenShift ACS
To clarify common confusion regarding SAML and identity providers, below are a few points on identity terminology:
- Identity Provider (IdP): an entity that provides identity management services, such as Okta, Ping, OneLogin, etc.
- Service Provider (SP): the entity that receives SAML assertions from the IdP.
- Assertion Consumer Service URL (ACS URL): the URL exposed by the SP to which the IdP sends its SAML assertions.
SAML
- For details on how to set up a SAML 2.0 IdP, please review the OpenShift ACS documentation Configuring a SAML 2.0 identity provider in Red Hat Advanced Cluster Security for Kubernetes. The documentation includes an example of setting up Okta as a SAML 2.0 provider.
- Should additional assistance be necessary via a Red Hat Support case, please gather the following details:
- What is the name of the SAML 2.0 provider?
- Is the Dynamic or Static configuration option used?
- If the Dynamic configuration option is used, has applying the values to the Static configuration been tested? Below are instructions on doing so:
  - Take the IdP issuer from the entityID attribute of the top-level metadata XML file.
  - Take the certificate from the data under KeyDescriptor use="signing".
  - Take the SSO URL from the Location attribute of md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".
  - Select one of the NameIDFormats listed under NameIDFormat (such as urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, but you can always try urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, regardless of what's in the metadata file).
- If Static configuration was used and/or tested as above, was information added to the Name/ID Format field?
- Is login failing? If yes, please provide a screenshot of the error message.
- If directed to a non-Red Hat ACS error page, please provide a screenshot of this.
- A copy of the XML file sent from the IdP to the SP.
OIDC
- For details on how to set up an OIDC IdP, please review the OpenShift ACS documentation Configuring an OIDC identity provider in Red Hat Advanced Cluster Security for Kubernetes. The documentation includes an example of setting up Google Workspace as an OIDC provider.
- Should additional assistance be necessary via a Red Hat Support case, please gather the following details:
- What is the name of the OIDC provider?
- The OIDC discovery configuration. This is found at one of the following URLs: <issuer>/.well-known/openid-configuration or https://<issuer>/.well-known/openid-configuration. For example: https://accounts.google.com/.well-known/openid-configuration or https://sr-dev.auth0.com/.well-known/openid-configuration
- Is login failing? If yes, please provide a screenshot of the error message.
- If directed to a non-Red Hat ACS error page, please provide a screenshot of this.