Summary
This document will guide you through the steps to enable multi-factor authentication and Single-Sign On for the open source container application platform Openshift (https://www.openshift.com/) using OpenID Connect.
System Requirements
- PhenixID Authentication Server 4.0 or higher
- Openshift administration rights
Instruction
Overview
This document will guide you through the steps to enable multi-factor authentication and Single-Sign on for Red Hat Openshift.
PhenixID Authentication Services acting as OpenID Connect Provider
- Login to Configuration Manager.
- Scenarios->OIDC
- Add a new relying party:
– client_id = openshift
– client_password = <create a password and set> (this is the value later handed to the OpenShift administrator as client_secret)
– Allowed redirect uri:s = <ask the OpenShift admin which value to use>. For OpenShift 4 the OAuth server callback has the form https://oauth-openshift.apps.<cluster-domain>/oauth2callback/<identity-provider-name>, where <identity-provider-name> is the name given to the provider in the OpenShift configuration (PhenixID in this guide). Register only that exact URI; a wildcard or prefix match lets an attacker redirect authorization codes elsewhere.
- Create a new OpenID Connect provider by selecting the desired authentication method. Follow the scenario guidelines for values.
- Use the Authorization Code Flow.
- Allow openshift as an allowed RP to use the OP.
- Once done, click Execution flow
- Expand token endpoint
- Expand GenerateJwtTokenValve
- On the token attributes part, add a new name-value pair (OpenShift reads the user's display name from the name claim configured below):
– name = name
– value = {{session.givenName}} {{session.sn}}
- Save changes.
- Click Add valve
- Select PropertyAddValve
- Enter name = token_type and value = Bearer. Make sure the valve is placed last in the execution flow. The token endpoint response must carry token_type (RFC 6749, section 5.1), and the relying party side expects the value Bearer.
- Save the changes
- Click on the OpenID Connect Provider and then General
- Click View OP Discovery
- Copy the OP discovery URL and send it, together with client_id and client_secret, to the OpenShift administrator
Configure OpenShift
- Login, as an administrator, to OpenShift
- Follow this guide to add a new authentication provider: https://docs.openshift.com/container-platform/4.6/authentication/identity_providers/configuring-oidc-identity-provider.html#identity-provider-oidc-CR_configuring-oidc-identity-provider
- Set these values for the new provider (they go under spec in the OAuth resource named cluster, as described in the linked guide):
  identityProviders:
  - mappingMethod: claim
    name: PhenixID
    openID:
      claims:
        email:
        - email
        name:
        - name
        preferredUsername:
        - sub
      clientID: openshift
      clientSecret:
        name: openid-secret
      issuer: 'REPLACE_WITH_THE_OP_ISSUER_VALUE'
    type: OpenID
Replace REPLACE_WITH_THE_OP_ISSUER_VALUE with the issuer value found in the OIDC OP Discovery document. It must match that value exactly, including scheme and any trailing slash, because the ID token's iss claim is compared against it. Set clientID to the client_id distributed by the PhenixID Authentication Services administrator. clientSecret is not the secret itself but a reference to a Secret named openid-secret in the openshift-config namespace; store the distributed client_secret there under the key clientSecret (see the linked guide). Note that preferredUsername is mapped to sub, so OpenShift user names will be the OP's subject identifiers; map it to another claim only if the OP actually issues that claim in the ID token.
- Save the config. Restart if needed.
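The following is an added example, not PhenixID or Red Hat code, showing the checks worth running before the Test section: that the OP discovery document's issuer is the exact value placed in the OAuth resource, that the token endpoint response carries token_type Bearer and an id_token with the sub, name and email claims the mapping above consumes, and that the callback URI registered as the allowed redirect URI has the expected OpenShift form. The hostnames, the sample discovery document and the sample token response are constructed placeholders; the signature placeholder is not verified, and the CR builder emits JSON (which oc apply accepts) rather than YAML to stay within the standard library.

```python
"""Offline pre-flight checks for a PhenixID -> OpenShift OIDC setup (added example)."""
import base64
import json

# Constructed sample of what <issuer>/.well-known/openid-configuration could return.
SAMPLE_DISCOVERY = {
    "issuer": "https://auth.example.com/oidc",
    "authorization_endpoint": "https://auth.example.com/oidc/authorize",
    "token_endpoint": "https://auth.example.com/oidc/token",
    "jwks_uri": "https://auth.example.com/oidc/jwks",
    "response_types_supported": ["code"],
}


def b64url_json(obj):
    """Encode a dict as an unpadded base64url JWT segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_payload(token):
    """Decode a JWT payload WITHOUT verifying the signature (inspection only;
    a real relying party must verify against jwks_uri before trusting claims)."""
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))


# Constructed token endpoint response shaped like the output of the
# GenerateJwtTokenValve (name claim) and PropertyAddValve (token_type) steps.
SAMPLE_ID_TOKEN = ".".join([
    b64url_json({"alg": "RS256", "typ": "JWT"}),
    b64url_json({"iss": "https://auth.example.com/oidc", "aud": "openshift",
                 "sub": "u12345", "name": "Alice Example",
                 "email": "alice@example.com", "exp": 4102444800}),
    "c2lnbmF0dXJl",  # placeholder, not a real RS256 signature
])
SAMPLE_TOKEN_RESPONSE = {"access_token": "opaque-access-token",
                         "id_token": SAMPLE_ID_TOKEN,
                         "token_type": "Bearer", "expires_in": 3600}


def openshift_callback_uri(cluster_domain, idp_name):
    """Redirect URI the OpenShift 4 OAuth server uses for identity provider idp_name."""
    return f"https://oauth-openshift.apps.{cluster_domain}/oauth2callback/{idp_name}"


def check_discovery(doc, expected_issuer):
    """Return a list of problems; empty means the OP metadata fits this guide."""
    problems = []
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append(f"missing {key}")
        elif not str(doc[key]).startswith("https://"):
            problems.append(f"{key} is not https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    return problems


def check_token_response(resp, expected_issuer, client_id,
                         required_claims=("sub", "name", "email")):
    """Check the token endpoint output against what the OpenShift claim mapping needs."""
    problems = []
    if resp.get("token_type") != "Bearer":
        problems.append("token_type must be Bearer (PropertyAddValve step)")
    if "id_token" not in resp:
        problems.append("no id_token in response")
        return problems
    claims = jwt_payload(resp["id_token"])
    if claims.get("iss") != expected_issuer:
        problems.append("id_token iss does not match issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("id_token aud does not contain the client_id")
    for c in required_claims:
        if not claims.get(c):
            problems.append(f"id_token lacks claim {c!r} used by the OpenShift mapping")
    return problems


def build_oauth_cr(issuer, client_id, secret_name="openid-secret", idp_name="PhenixID"):
    """The OAuth cluster resource from this guide as a dict (JSON is accepted by oc apply)."""
    return {"apiVersion": "config.openshift.io/v1", "kind": "OAuth",
            "metadata": {"name": "cluster"},
            "spec": {"identityProviders": [{
                "name": idp_name, "mappingMethod": "claim", "type": "OpenID",
                "openID": {"claims": {"email": ["email"], "name": ["name"],
                                      "preferredUsername": ["sub"]},
                           "clientID": client_id,
                           "clientSecret": {"name": secret_name},
                           "issuer": issuer}}]}}


if __name__ == "__main__":
    iss = SAMPLE_DISCOVERY["issuer"]
    print("discovery:", check_discovery(SAMPLE_DISCOVERY, iss) or "ok")
    print("token:", check_token_response(SAMPLE_TOKEN_RESPONSE, iss, "openshift") or "ok")
    print("callback URI:", openshift_callback_uri("cluster.example.com", "PhenixID"))
    print(json.dumps(build_oauth_cr(iss, "openshift"), indent=2))
```

To use it against a live installation, replace SAMPLE_DISCOVERY with the JSON fetched from the OP discovery URL and SAMPLE_TOKEN_RESPONSE with a captured token endpoint response from a test login; a trailing slash difference between the discovery issuer and the value in the OAuth resource is the most common cause of a failed login and is reported by check_discovery.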
Test
- Browse to OpenShift
- Click on PhenixID for authentication
- Your browser should be redirected to PhenixID Authentication Services for authentication.
- Authenticate
- You should now be redirected back to OpenShift.
- You should now be logged in to OpenShift.
DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners. The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.
PhenixID - support.phenixid.se