Configure an OpenID Connect identity provider
OpenID Connect (OIDC) allows you to authenticate MKE users with a trusted external identity provider.
Note
Kubernetes users who want client bundles to use OIDC must Download and configure the client bundle and replace the authorization section therein with the parameters presented in the Kubernetes OIDC Authenticator documentation.
For identity providers that require a client redirect URI, use https://<MKE_HOST>/login. For identity providers that do not permit the use of an IP address for the host, use https://<mke-cluster-domain>/login.
The requested scopes for all identity providers are "openid email". Claims are read solely from the ID token that your identity provider returns. MKE does not use the UserInfo URL to obtain user information. The default username claim is sub. To use a different username claim, you must specify that value with the usernameClaim setting in the MKE configuration file.
The following example details the MKE configuration file settings for using an external identity provider.

* For the signInCriteria array, term is set to hosted domain ("hd") and value is set to the domain from which the user is permitted to sign in.
* For the adminRoleCriteria array, matchType is set to "contains", in case any administrators are assigned to multiple roles that include admin.
[auth.external_identity_provider]
wellKnownConfigUrl = "https://example.com/.well-known/openid-configuration"
clientId = "4dcdace6-4eb4-461d-892f-01aed344ac80"
clientSecret = "ed89aeddcdb4461ace640"
# Claim from the ID token used as the MKE username (default is "sub")
usernameClaim = "email"
# PEM bundle for the identity provider's TLS chain; PEM markers use five hyphens
caBundle = "-----BEGIN CERTIFICATE-----\nMIIF...UfTd\n-----END CERTIFICATE-----\n"

# Users may sign in only if the "hd" (hosted domain) claim matches this domain
[[auth.external_identity_provider.signInCriteria]]
term = "hd"
value = "myorg.com"
matchType = "must"

# Users whose "roles" claim contains "admin" become MKE administrators
[[auth.external_identity_provider.adminRoleCriteria]]
term = "roles"
value = "admin"
matchType = "contains"
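To make the effect of the signInCriteria and adminRoleCriteria settings concrete, the following added example (not MKE's own code) evaluates decoded ID-token claims against the same rules as the configuration above. It assumes that "must" means the claim equals the configured value exactly, that "contains" means the value is a member of a list-valued claim (a scalar claim is treated as a one-element list), that every signInCriteria entry must match for sign-in to succeed, and that any matching adminRoleCriteria entry grants the administrator role. The claim sets are constructed samples of JWT payloads after the issuer's signature has already been verified.

```python
"""Illustrative matcher for MKE-style OIDC sign-in and admin-role criteria.

This is an added example that mirrors the semantics described in the MKE
documentation; it is not MKE's implementation.  Matching rules are assumptions
noted inline.
"""

# The [auth.external_identity_provider] settings from the page, as a dict.
CONFIG = {
    "usernameClaim": "email",
    "signInCriteria": [
        {"term": "hd", "value": "myorg.com", "matchType": "must"},
    ],
    "adminRoleCriteria": [
        {"term": "roles", "value": "admin", "matchType": "contains"},
    ],
}

# Constructed sample ID-token payloads (already signature-verified).
ADMIN_CLAIMS = {
    "sub": "110248495921238986420",
    "email": "alice@myorg.com",
    "hd": "myorg.com",
    "roles": ["developer", "admin"],  # admin is one of several roles
}
USER_CLAIMS = {
    "sub": "110248495921238986421",
    "email": "bob@myorg.com",
    "hd": "myorg.com",
    "roles": ["developer"],
}
OUTSIDER_CLAIMS = {
    "sub": "110248495921238986422",
    "email": "mallory@example.org",
    "hd": "example.org",  # wrong hosted domain: must be rejected even with "admin"
    "roles": ["admin"],
}


def criterion_matches(claims: dict, criterion: dict) -> bool:
    """Return True when a single term/value/matchType rule matches the claims.

    Assumption: a missing claim never matches, so an identity provider that
    omits "hd" cannot satisfy a "must" rule on it.
    """
    claim = claims.get(criterion["term"])
    if claim is None:
        return False
    value = criterion["value"]
    match_type = criterion["matchType"]
    if match_type == "must":
        # Assumption: exact equality against the configured value.
        return claim == value
    if match_type == "contains":
        # Assumption: membership in a list-valued claim; a scalar claim is
        # treated as a one-element list so "contains" stays an exact match
        # rather than a substring test.
        members = claim if isinstance(claim, (list, tuple)) else [claim]
        return value in members
    raise ValueError(f"unsupported matchType: {match_type!r}")


def evaluate_login(claims: dict, config: dict):
    """Decide whether the token holder may sign in and whether they are admin.

    Returns {"username": ..., "admin": bool} on success, or None when any
    signInCriteria rule fails or the username claim is absent.
    """
    # Assumption: every signInCriteria rule must hold (logical AND).
    if not all(criterion_matches(claims, c) for c in config.get("signInCriteria", [])):
        return None
    # The default username claim is "sub"; usernameClaim overrides it.
    username = claims.get(config.get("usernameClaim", "sub"))
    if not username:
        return None
    # Assumption: any matching adminRoleCriteria rule grants admin (logical OR).
    is_admin = any(criterion_matches(claims, c) for c in config.get("adminRoleCriteria", []))
    return {"username": username, "admin": is_admin}


if __name__ == "__main__":
    for label, claims in [("admin", ADMIN_CLAIMS), ("user", USER_CLAIMS), ("outsider", OUTSIDER_CLAIMS)]:
        print(label, "->", evaluate_login(claims, CONFIG))
```

Running the block shows the hosted-domain rule rejecting the outsider before the role rule is consulted, which is the order a practitioner wants: a privileged role claim from a token outside the permitted domain never reaches the admin decision. With usernameClaim omitted, the same function falls back to sub, matching the default described above.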
Note
Using an external identity provider to sign in to the MKE web UI creates a new user session, so users who sign in this way are not signed out when their ID token expires. Instead, the session lifetime is governed by the auth.sessions parameters in the MKE configuration file.
Refer to the MKE configuration file auth.external_identity_provider (optional) for the complete reference documentation.