diff --git a/authentication/external-auth.adoc b/authentication/external-auth.adoc index 4c203b7a23..c5670de3b6 100644 --- a/authentication/external-auth.adoc +++ b/authentication/external-auth.adoc @@ -8,12 +8,12 @@ toc::[] While the built-in OpenShift OAuth server supports integration with a variety of identity providers, including external OpenID Connect (OIDC) identity providers, it is limited to the capabilities of the OAuth server itself. You can configure {product-title} to use an external OIDC identity provider directly to issue tokens for authentication, which replaces the built-in OpenShift OAuth server. -:FeatureName: Direct authentication with an OIDC identity provider -include::snippets/technology-preview.adoc[] - // About direct authentication with an external OIDC identity provider include::modules/external-auth-about.adoc[leveloffset=+1] +// Disabled OAuth resources +include::modules/external-auth-disabled-resources.adoc[leveloffset=+2] + // Direct authentication identity providers include::modules/external-auth-providers.adoc[leveloffset=+2] diff --git a/modules/external-auth-about.adoc b/modules/external-auth-about.adoc index 1a3e31bd54..13f6c2dfa6 100644 --- a/modules/external-auth-about.adoc +++ b/modules/external-auth-about.adoc 
@@ -6,6 +6,7 @@ [id="external-auth-about_{context}"] = About direct authentication with an external OIDC identity provider +[role="_abstract"] You can enable direct integration with an external OpenID Connect (OIDC) identity provider to issue tokens for authentication. This bypasses the built-in OAuth server and uses the external identity provider directly. By integrating directly with an external OIDC provider, you can leverage the advanced capabilities of your preferred OIDC provider instead of being limited by the capabilities of the built-in OAuth server. Your organization can manage users and groups from a single interface, while also streamlining authentication across multiple clusters and in hybrid environments. You can also integrate with existing tools and solutions. diff --git a/modules/external-auth-configuring.adoc b/modules/external-auth-configuring.adoc index 9df685d4e3..63a9b85569 100644 --- a/modules/external-auth-configuring.adoc +++ b/modules/external-auth-configuring.adoc @@ -8,12 +8,8 @@ You can configure {product-title} to directly use an external OIDC identity provider to issue tokens for authentication. -:FeatureName: Direct authentication with an OIDC identity provider -include::snippets/technology-preview.adoc[] - .Prerequisites -* You have enabled the `TechPreviewNoUpgrade` feature set. * You have configured your external authentication provider. + This procedure uses Keycloak as the identity provider and assumes that you have the following clients configured: diff --git a/modules/external-auth-disabled-resources.adoc b/modules/external-auth-disabled-resources.adoc new file mode 100644 index 0000000000..b5bc94bbc5 --- /dev/null +++ b/modules/external-auth-disabled-resources.adoc 
@@ -0,0 +1,22 @@ +// Module included in the following assemblies: +// +// * authentication/external-auth.adoc + +:_mod-docs-content-type: CONCEPT +[id="external-auth-disabled-resources_{context}"] += Disabled OAuth resources + +[role="_abstract"] +When you enable direct authentication, several OAuth resources are intentionally removed. + +[IMPORTANT] +==== +Ensure that you do not rely on these removed resources before configuring direct authentication. +==== + +The following resources are unavailable when direct authentication is configured: + +* OpenShift OAuth server and OpenShift OAuth API server +* User and group APIs (`*.user.openshift.io`) +* OAuth APIs (`*.oauth.openshift.io`) +* OAuth server and client configurations diff --git a/modules/external-auth-providers.adoc b/modules/external-auth-providers.adoc index 85b7925f0f..326d0cf6b2 100644 --- a/modules/external-auth-providers.adoc +++ b/modules/external-auth-providers.adoc @@ -8,8 +8,14 @@ Direct authentication has been tested with the following OpenID Connect (OIDC) identity providers: +* Active Directory Federation Services for Windows Server +* GitLab +* Google * Keycloak * Microsoft Entra ID +* Okta +* Ping Identity +* Red Hat Single Sign-On [NOTE] ====
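Review bot: In the `external-auth-configuring.adoc` hunk, dropping the `TechPreviewNoUpgrade` prerequisite leaves the procedure with no warning that enabling direct authentication removes the OAuth server, the User/Group APIs and the OAuth APIs, which the new `external-auth-disabled-resources.adoc` module describes; add a prerequisite bullet that points at that module (for example "* You have reviewed the OAuth resources that are removed when direct authentication is enabled.") so the reader checks for dependencies on those resources before running the procedure rather than after.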
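Review bot: In the new `external-auth-disabled-resources.adoc` module, the list item "User and group APIs (`*.user.openshift.io`)" states the removal but not its consequence: existing RoleBindings and ClusterRoleBindings whose subjects are `User` or `Group` objects managed through the OAuth server no longer have a backing API, so the module should say what the administrator must verify about those bindings before enabling direct authentication. The last item, "OAuth server and client configurations", is also too vague next to the API-group entries above it; name the configuration objects it refers to so the IMPORTANT admonition ("Ensure that you do not rely on these removed resources") is actionable.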
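Review bot: The `external-auth-providers.adoc` hunk expands the "tested with" list from two to eight providers but still gives no version for any of them; since "tested" is a support statement, state the provider versions that were tested, or add a sentence saying that the list covers the providers but not specific versions, so readers do not read a bare product name as a blanket guarantee.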