Are OpenID Group Claims supported in OSD and ROSA

Solution Verified - Updated -

Environment

  • Red Hat OpenShift Service on AWS (ROSA)
    • 4
  • Red Hat OpenShift Dedicated (OSD)
    • 4

Issue

  • Unable to apply Group Claim Attribute to Cluster OAuth CustomResourceDefinition (CRD) in OSD4.
  • Cannot apply Group Claim Attribute to Cluster OAuth CRD in OSD and ROSA
  • Is Group Claim supported in OSD/ROSA clusters?

Resolution

Starting with rosa CLI 1.2.3, it's now possible to configure OpenID Group Claims in ROSA clusters, using the --groups-claims OpenID argument. There is more information about OpenID arguments in the documentation, but the --groups-claims is not yet documented there.

Note: Currently, it's not possible to apply that configuration through the OCM console. There is an internal task to allow it: HAC-2101.

Workaround for OSD

In OSD it's not possible to use the rosa command, and it's not yet possible to apply that configuration using the OCM console. For now, the configuration needs to be done using the unsupported ocm CLI tool.

Disclaimer: The following information has been provided by Red Hat, but is outside the scope of the posted Service Level Agreements and supported procedures. The information is provided as-is and any configuration settings or installed applications made from the information in this article could make the OpenShift cluster unsupported by Red Hat Global Support Services. The intent of this article is to provide information to accomplish the system's needs. Use of the information in this article at the user's own risk.

For configuring Group Claim in OSD:

  1. Create a file like the following one (changing the data as needed), with name openid.json:

    {
  "kind": "IdentityProvider",
  "challenge": true,
  "login": true,
  "mapping_method": "claim",
  "name": "OpenIDWithGroups",
  "open_id": {
    "claims": {
      "email": [
        "email"
      ],
      "groups": [
        "group-name"
      ],
      "name": [
        "full-name"
      ],
      "preferred_username": [
        "username"
      ]
    },
    "client_id": "REDACTED",
    "client_secret": "REDACTED",
    "issuer": "https://www.example.com"
  },
  "type": "OpenIDIdentityProvider"
}

  2. Use the ocm CLI to apply it:

      $ ocm post /api/clusters_mgmt/v1/clusters/<CLUSTER_UUID>/identity_providers --body=openid.json

Root Cause

It's now possible to configure Group Claim in OSD and ROSA using the CLI.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments