Configure an OpenID Connect identity provider¶
OpenID Connect (OIDC) allows you to authenticate MKE users with a trusted external identity provider.
Kubernetes users who want client bundles to use OIDC must Download and configure the client bundle and replace the authorization section therein with the parameters presented in the Kubernetes OIDC Authenticator documentation.
For identity providers that require a client redirect URI, use https://<MKE_HOST>/login. For identity providers that do not permit the use of an IP address for the host, use
The requested scopes for all identity providers are "openid email". Claims are read solely from the ID token that your identity provider returns; MKE does not call the UserInfo URL to obtain user information, so any claim MKE is to evaluate must be present in the ID token itself. The default username claim is sub. To use a different username claim, specify that claim name with the usernameClaim setting in the MKE configuration file.
The following example details the MKE configuration file settings for using an external identity provider. In the signInCriteria section, term is set to the hosted domain claim (hd) and value is set to the domain from which the user is permitted to sign in. In the adminRoleCriteria section, matchType is set to "contains" rather than "must", in case any administrators are assigned to multiple roles that include admin.
[auth.external_identity_provider]
wellKnownConfigUrl = "https://example.com/.well-known/openid-configuration"
clientId = "4dcdace6-4eb4-461d-892f-01aed344ac80"
clientSecret = "ed89aeddcdb4461ace640"
usernameClaim = "email"
caBundle = "-----BEGIN CERTIFICATE-----\nMIIF...UfTd\n-----END CERTIFICATE-----\n"

[[auth.external_identity_provider.signInCriteria]]
term = "hd"
value = "myorg.com"
matchType = "must"

[[auth.external_identity_provider.adminRoleCriteria]]
term = "roles"
value = "admin"
matchType = "contains"
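The following Python script is an added illustration of how the settings above fit together; it is not MKE code and does not reproduce MKE's implementation. It takes the parsed form of the example configuration and a few constructed, already-verified ID-token payloads, selects the username with usernameClaim (falling back to sub), and evaluates signInCriteria and adminRoleCriteria against ID-token claims only. The precise semantics of "must" (exact equality) and "contains" (membership in a list or substring of a string), and the rule that every adminRoleCriteria entry must match, are assumptions modelled on the page's wording; the constructed payload with no email claim shows why a usernameClaim that the provider returns only via UserInfo fails sign-in.

```python
"""Evaluate MKE-style signInCriteria / adminRoleCriteria against ID-token claims.

Added example, not MKE code. Matching semantics are assumptions based on the
page's description of "must" and "contains".
"""

# Constructed: the parsed form of the page's [auth.external_identity_provider]
# TOML. Each [[...Criteria]] array-of-tables entry becomes one dict in a list.
IDP_CONFIG = {
    "wellKnownConfigUrl": "https://example.com/.well-known/openid-configuration",
    "usernameClaim": "email",
    "signInCriteria": [
        {"term": "hd", "value": "myorg.com", "matchType": "must"},
    ],
    "adminRoleCriteria": [
        {"term": "roles", "value": "admin", "matchType": "contains"},
    ],
}

# Constructed ID-token payloads (signature verification is assumed to have
# happened upstream; only the decoded claims matter here).
ADMIN_CLAIMS = {"sub": "10001", "email": "alice@myorg.com", "hd": "myorg.com",
                "roles": ["developer", "admin"]}
USER_CLAIMS = {"sub": "10002", "email": "bob@myorg.com", "hd": "myorg.com",
               "roles": ["developer"]}
OUTSIDER_CLAIMS = {"sub": "10003", "email": "eve@other.example",
                   "hd": "other.example", "roles": ["admin"]}
# A provider that returns email only from UserInfo, not in the ID token.
NO_EMAIL_CLAIMS = {"sub": "10004", "hd": "myorg.com", "roles": ["admin"]}


def criterion_matches(claims, criterion):
    """Evaluate one criterion against decoded ID-token claims.

    Assumed semantics:
      "must"     -> the claim is present and equals value exactly
      "contains" -> the claim is a list containing value, or a string
                    containing value as a substring
    """
    term = criterion["term"]
    if term not in claims:
        return False
    actual = claims[term]
    match_type = criterion["matchType"]
    if match_type == "must":
        return actual == criterion["value"]
    if match_type == "contains":
        if isinstance(actual, list):
            return criterion["value"] in actual
        return isinstance(actual, str) and criterion["value"] in actual
    raise ValueError(f"unknown matchType {match_type!r}")


def evaluate_sign_in(idp_config, id_token_claims):
    """Return a decision dict: allowed, username, admin, reason.

    Only ID-token claims are consulted (the page notes MKE does not use the
    UserInfo endpoint). Admin requires every adminRoleCriteria entry to match
    (assumption).
    """
    username_claim = idp_config.get("usernameClaim", "sub")  # page: default is sub
    if username_claim not in id_token_claims:
        return {"allowed": False, "username": None, "admin": False,
                "reason": f"ID token has no {username_claim!r} claim"}
    for crit in idp_config.get("signInCriteria", []):
        if not criterion_matches(id_token_claims, crit):
            return {"allowed": False, "username": None, "admin": False,
                    "reason": f"signInCriteria on {crit['term']!r} not satisfied"}
    admin_crits = idp_config.get("adminRoleCriteria", [])
    is_admin = bool(admin_crits) and all(
        criterion_matches(id_token_claims, c) for c in admin_crits)
    return {"allowed": True, "username": id_token_claims[username_claim],
            "admin": is_admin, "reason": "ok"}


if __name__ == "__main__":
    for label, claims in [("admin", ADMIN_CLAIMS), ("user", USER_CLAIMS),
                          ("outsider", OUTSIDER_CLAIMS), ("no-email", NO_EMAIL_CLAIMS)]:
        print(f"{label:9s} {evaluate_sign_in(IDP_CONFIG, claims)}")
```

Running the script prints one decision per constructed token: the first two are admitted (only alice is admin), the outsider fails the hd criterion, and the token without an email claim is rejected even though its other claims would qualify it.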
Using an external identity provider to sign in to the MKE web UI creates a new user session, and thus users who sign in this way will not be signed out when their ID token expires. Instead, the session lifetime is set using the auth.sessions parameters in the MKE configuration file.
Refer to the auth.external_identity_provider (optional) section of the MKE configuration file reference for the complete reference documentation.