Troubleshooting identity provider issues within OpenShift ACS

To help in clarifying common confusions regarding SAML and identity providers, below are a few points around identity terminology;

• Identity Provider (IdP) An entity which provides identity management services such as Okta, Ping, One Login, etc.
• Service Provider (SP) The entity which receives SAML assertions from the IdP.
• Assertion Consumer Service URL (ACS URL) The URL provided from the SP over which the SAML assertions are made from the Identity Provider.

SAML

• For details on how to setup a SAML 2.0 IdP, please review the OpenShift ACS documentation Configuring a SAML 2.0 identity provider in Red Hat Advanced Cluster Security for Kubernetes. The documentation includes an example of setting up Okta as a SAML 2.0 provider.
• Should additional assistance be necessary via a Red Hat Support case, please gather the following details:

1. What is the name of the SAML 2.0 provider?
2. Is the Dynamic or Static configuration option used?

3. If the Dynamic configuration option is used, have applying the values to the Static configuration been tested? Below are instructions on doing so:

   • Take the IdP issuer from the entityID attribute of the top-level metadata XML file
   • Take the certificate from data under KeyDescriptor use="signing"
   • Take SSO URL from Location attribute of md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   • Select one of the NameIDFormats listed under NameIDFormat (such as urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, but you can always try urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, regardless of what’s in the metadata file)

4. If Static configuration was used and/or tested like above, was information added to the Name/ID Format field?

5. Is login failing? If yes, please provide a screenshot of the error message.
6. If directed to a non-Red Hat ACS error page, please provide a screen-shot of this.
7. A copy of the XML file sent from the IdP to the SP.

OIDC

• For details on how to setup an OIDC IdP, please review the OpenShift ACS documentation Configuring an OIDC identity provider in Red Hat Advanced Cluster Security for Kubernetes. The documentation includes and example of setting up Google Workspace as an OIDC provider.
• Should additional assistance be necessary via a Red Hat Support case, please gather the following details:

1. What is the name of the OIDC provider?

2. The OIDC discovery configuration.

   • This will be found in the following formats: <issuer>/.well-known/openid-configuration or https://<issuer>/.well-known/openid-configuration.
   • For example; https://accounts.google.com/.well-known/openid-configuration or https://sr-dev.auth0.com/.well-known/openid-configuration

3. Is login failing? If yes, please provide a screenshot of the error message.

4. If directed to a non-Red Hat ACS error page, please provide a screen-shot of this.