Microsoft Entra ID group claims combine unexpectedly in OpenShift 4

Solution Verified - Updated -

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 4
  • Azure Red Hat OpenShift (ARO)
    • 4
  • Red Hat OpenShift Service on AWS (ROSA)
    • 4
  • Red Hat OpenShift Dedicated (OSD)
    • 4
  • Microsoft Entra ID (formerly Azure Active Directory) configured as an OpenID Connect (OIDC) identity provider

Issue

  • What is the correct endpoint to configure Microsoft Entra ID (formerly known as Azure Active Directory) as an OIDC identity provider in OpenShift 4?
  • Adding users through Entra ID configured as an OIDC identity provider creates malformed group entries in OCP 4.
  • When Entra ID is configured with the OpenID Connect group claim attribute in the OAuth CustomResourceDefinition (CRD), all groups provided by the claim are unexpectedly combined into a single group instead of being added as multiple individual groups. The resulting group looks like this:

    kind: Group
    apiVersion: user.openshift.io/v1
    metadata:
      name: >-
        ["xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx","yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy","zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz"]
      uid: b3ed0b40-ffd3-5r0c-fcas-3b780aa40b3f
      resourceVersion: '1234'
      creationTimestamp: '2022-07-27T18:20:48Z'
      annotations:
        oauth.openshift.io/generated: 'true'
        oauth.openshift.io/idp.Entra: synced
    users:
      - example@example.com

Resolution

Disclaimer: Links contained herein to external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.

Ensure that the issuer URL specified for the openID field in the OAuth CustomResourceDefinition (CRD) is set to the Microsoft Entra ID v2.0 endpoint. The v2.0 endpoint format is:

https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0

Where xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx is the tenant ID of the Microsoft Entra ID application.

Root Cause

The Microsoft Entra ID v1.0 endpoint concatenates the groups together in the response it returns to OpenShift, so OpenShift receives them as a single group name. The Microsoft Entra ID v2.0 endpoint does not do this.

Diagnostic Steps

Check the issuer URL specified in the OAuth resource:

$ oc get oauth cluster -o yaml
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  [...]
    openID:
    [...]
      issuer: https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0
    [...]
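The following script is an added example, not part of this solution or of any Red Hat tooling. It automates the Resolution and Diagnostic Steps above in one offline check: it reads the JSON form of the OAuth resource (`oc get oauth cluster -o json`) and flags any OpenID identity provider whose issuer is an Entra ID endpoint other than `https://login.microsoftonline.com/<tenant-id>/v2.0`, and it reads the Group list (`oc get groups -o json`) and reports groups whose name is a JSON array of IDs, which is the malformed shape shown in the Issue section. The embedded sample objects are constructed; tenant IDs, client IDs, secret name and provider names are placeholders.

```python
"""Offline checker for the two symptoms in this solution:
1. an Entra ID OpenID identity provider whose issuer is not the v2.0 endpoint;
2. synced Group objects whose name is a JSON array of group IDs.
Usage: python check_entra_oauth.py oauth.json groups.json
(with no arguments it runs against the constructed samples below).
"""
import json
import sys
from urllib.parse import urlparse

ENTRA_HOST = "login.microsoftonline.com"


def check_entra_issuers(oauth):
    """Return one finding per OpenID identity provider in an OAuth object."""
    findings = []
    for idp in oauth.get("spec", {}).get("identityProviders", []):
        openid = idp.get("openID")
        if not openid:
            continue  # LDAP, HTPasswd, ... are not affected by this issue
        issuer = openid.get("issuer", "")
        url = urlparse(issuer)
        segments = [s for s in url.path.split("/") if s]
        finding = {"name": idp.get("name"), "issuer": issuer, "ok": True, "reason": ""}
        if url.hostname != ENTRA_HOST:
            finding["reason"] = "not an Entra ID issuer; skipped"
        elif len(segments) != 2 or segments[1] != "v2.0":
            # Anything other than /<tenant-id>/v2.0 (e.g. the bare tenant path,
            # which is the v1.0 endpoint) reproduces the combined-groups symptom.
            finding["ok"] = False
            finding["reason"] = (
                "issuer is not the v2.0 endpoint; expected "
                f"https://{ENTRA_HOST}/<tenant-id>/v2.0"
            )
        findings.append(finding)
    return findings


def split_malformed_group_name(name):
    """If a Group name is a JSON array of strings (the malformed form shown in the
    Issue section), return the individual IDs it contains; otherwise return None."""
    if not name.startswith("["):
        return None
    try:
        parsed = json.loads(name)
    except ValueError:
        return None
    if isinstance(parsed, list) and all(isinstance(x, str) for x in parsed):
        return parsed
    return None


def find_malformed_groups(group_list):
    """Map each malformed Group name in an `oc get groups -o json` list to its IDs."""
    result = {}
    for group in group_list.get("items", []):
        name = group.get("metadata", {}).get("name", "")
        ids = split_malformed_group_name(name)
        if ids is not None:
            result[name] = ids
    return result


# Constructed sample shaped like `oc get oauth cluster -o json`. "Entra" is configured
# correctly; "EntraLegacy" points at the v1.0 endpoint and reproduces the misconfiguration.
SAMPLE_OAUTH = {
    "apiVersion": "config.openshift.io/v1",
    "kind": "OAuth",
    "metadata": {"name": "cluster"},
    "spec": {"identityProviders": [
        {"name": "Entra", "type": "OpenID", "mappingMethod": "claim",
         "openID": {"clientID": "placeholder-client-id",
                    "clientSecret": {"name": "entra-client-secret"},
                    "claims": {"preferredUsername": ["email"], "email": ["email"], "groups": ["groups"]},
                    "issuer": "https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0"}},
        {"name": "EntraLegacy", "type": "OpenID",
         "openID": {"clientID": "placeholder-client-id",
                    "clientSecret": {"name": "entra-client-secret"},
                    "claims": {"preferredUsername": ["upn"], "groups": ["groups"]},
                    "issuer": "https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"}},
    ]},
}

MALFORMED_NAME = '["xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx","yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy"]'
SYNCED = {"oauth.openshift.io/generated": "true", "oauth.openshift.io/idp.Entra": "synced"}

# Constructed sample shaped like `oc get groups -o json`: the first group carries the
# malformed array name from the Issue section, the second is a normally synced group.
SAMPLE_GROUPS = {"kind": "List", "items": [
    {"kind": "Group", "metadata": {"name": MALFORMED_NAME, "annotations": SYNCED},
     "users": ["example@example.com"]},
    {"kind": "Group", "metadata": {"name": "zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz", "annotations": SYNCED},
     "users": ["example@example.com"]},
]}


def main(argv):
    if len(argv) == 3:
        with open(argv[1]) as f:
            oauth = json.load(f)
        with open(argv[2]) as f:
            groups = json.load(f)
    else:
        oauth, groups = SAMPLE_OAUTH, SAMPLE_GROUPS
    for finding in check_entra_issuers(oauth):
        status = "OK  " if finding["ok"] else "FAIL"
        print(f"{status} {finding['name']}: {finding['issuer']} {finding['reason']}")
    for name, ids in find_malformed_groups(groups).items():
        print(f"malformed group {name!r} holds {len(ids)} IDs: {', '.join(ids)}")


if __name__ == "__main__":
    main(sys.argv)
```

After correcting the issuer, the malformed Group objects are not rewritten automatically; the IDs that `find_malformed_groups` extracts are the individual group names an administrator should expect to see synced once users log in again through the v2.0 endpoint, and the stale combined group can then be deleted.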

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
