azure sso

redhat/ocp4/4.16/2024.12.azure.sso.without.group.sync.md

@@ -95,24 +95,71 @@ We also create some groups and add some users to the groups.
 
 ![](imgs/2024.12.azure.sso.md/2024-12-19-22-14-23.png)
 
-# openshift sso setting
+To sync the group information, we need to add groups to the `app registration` in Azure portal.
+
+Reference:
+- https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/assign-user-or-group-access-portal?pivots=portal
+- https://cloud.redhat.com/experts/idp/entra-id-with-group-names/
+
+Go to `Enterprise applications`
+
+![](imgs/2024.12.azure.sso.without.group.sync.md/2024-12-20-22-17-05.png)
+
+Select the `app registration` we created before.
+
+![](imgs/2024.12.azure.sso.without.group.sync.md/2024-12-20-22-17-31.png)
 
-Go to openshift web console, go to `Administration` -> `Cluster Settings` -> `Configuration`, search for `oauth`.
+Select `Users and groups` -> `Add user/group`
 
-![](imgs/2024.12.azure.sso.md/2024-12-19-14-30-41.png)
+![](imgs/2024.12.azure.sso.without.group.sync.md/2024-12-20-22-18-00.png)
 
-In the `oauth` page, click `Add` to add a new `OpenID Connect`.
+Select the groups you want to sync. Here you may need to active `azure entra` subscription. A free trail is available for 30 days and 25 users.
 
-![](imgs/2024.12.azure.sso.md/2024-12-19-14-31-16.png)
+![](imgs/2024.12.azure.sso.without.group.sync.md/2024-12-20-22-18-37.png)
 
-Input the `name` `client id` `client secret` `endpoint`  in the openshift sso page. 
+Then, go to `app registration` -> `manifest`, backup existed manifest, and make some changes.
 
 > [!NOTE]
-> The `name` must be the name of the `app registration` in Azure portal.
+> remember to backup the manifest before you make any changes.
 
-- https://learn.microsoft.com/en-us/azure/openshift/configure-azure-ad-ui
+![](imgs/2024.12.azure.sso.without.group.sync.md/2024-12-20-22-19-48.png)
+
+
+change value of "groupMembershipClaims" to "ApplicationGroup", the result look like:
+```json
+"groupMembershipClaims": "ApplicationGroup",
+```
+
+change "optionalClaims" -> "idToken" -> "name": "groups" -> "additionalProperties" to
+```json
+"additionalProperties": [
+  "sam_account_name",
+  "cloud_displayname"
+],
+```
+The result look like:
+```json
+	"optionalClaims": {
+		......
+		"idToken": [
+      .......
+			{
+				"additionalProperties": [
+					"sam_account_name",
+					"cloud_displayname"
+				],
+				"essential": false,
+				"name": "groups",
+				"source": null
+			}
+		],
+```
 
-<!-- ![](imgs/2024.12.azure.sso.md/2024-12-19-15-37-55.png) -->
+Save the manifest changes. Now you finished the azure portal setting.
+
+# openshift sso setting
+
+We will create a `oauth` object in openshift to integrate with Azure SSO. Here is an example, we add 2 identity providers, `htpasswd` and `azure-ocp-sso`. The `htpasswd` is for local user, and `azure-ocp-sso` is for Azure SSO. You can change it based on your requirement, for example, remove `htpasswd` if you don't need it.
 
 ```bash
 # import the secret from the client secret var
@@ -123,6 +170,12 @@ oc create secret generic openid-client-secret-azure \
 cat << EOF > ${BASE_DIR}/data/install/oauth.yaml
 spec:
   identityProviders:
+  - name: htpasswd
+    mappingMethod: claim 
+    type: HTPasswd
+    htpasswd:
+      fileData:
+        name: htpass-secret
   - mappingMethod: claim
     name: azure-ocp-sso
     openID:
@@ -153,7 +206,8 @@ If you make something wrong, and want to change the config, you can edit the `oa
 oc edit oauth/cluster
 ```
 
-If you want to remove a user:
+If you want to remove a user, remember to delete the user and identity in openshift.
+
 ```bash
 oc delete user <username>
 
@@ -400,37 +454,27 @@ Login with `l1.u01` user's `user principal name` and password. You can see the w
 
 ![](imgs/2024.12.azure.sso.md/2024-12-19-21-48-51.png)
 
-If you try to login as `ret.u01` user, which is in `RetalixSupport` group, you can see the web console.
+<!-- If you try to login as `ret.u01` user, which is in `RetalixSupport` group, you can see the web console.
 
-![](imgs/2024.12.azure.sso.md/2024-12-19-22-12-30.png)
+![](imgs/2024.12.azure.sso.md/2024-12-19-22-12-30.png) -->
 
 After user login, you can see the user in the `User` page from an administrator account.
 
-![](imgs/2024.12.azure.sso.md/2024-12-19-22-25-25.png)
-
-You can see group synced.
+<!-- ![](imgs/2024.12.azure.sso.md/2024-12-19-22-25-25.png) -->
 
-![](imgs/2024.12.azure.sso.md/2024-12-19-22-25-59.png)
+![](imgs/2024.12.azure.sso.without.group.sync.md/2024-12-20-22-12-41.png)
 
-And user belongs to the group also synced.
+You can see 2 groups synced, which is l1.u01 belongs to.
 
-![](imgs/2024.12.azure.sso.md/2024-12-19-22-26-30.png)
+<!-- ![](imgs/2024.12.azure.sso.md/2024-12-19-22-25-59.png) -->
 
-# without group sync
+![](imgs/2024.12.azure.sso.without.group.sync.md/2024-12-20-22-13-24.png)
 
+<!-- And user belongs to the group also synced.
 
+![](imgs/2024.12.azure.sso.md/2024-12-19-22-26-30.png) -->
 
 # end
 
-- https://cloud.redhat.com/experts/idp/entra-id-with-group-names/
-
-- https://vmware.fqdn.nl/2023/05/10/openshift-oauth-with-azure-idp/
-
-```bash
-oc get pod -n openshift-authentication
-
-oc logs -n openshift-authentication oauth-openshift-7dcdcb7c74-fvtdr 
-
-```
 
 # debug