// Module included in the following assemblies: // // * osd_install_access_delete_cluster/config-identity-providers.adoc // * rosa_install_access_delete_clusters/rosa-sts-config-identity-providers.adoc :_mod-docs-content-type: PROCEDURE [id="config-github-idp_{context}"] = Configuring a GitHub identity provider Configure a GitHub identity provider to validate user names and passwords against GitHub or GitHub Enterprise’s OAuth authentication server and access your {product-title} cluster. OAuth facilitates a token exchange flow between {product-title} and GitHub or GitHub Enterprise. [WARNING] ==== Configuring GitHub authentication allows users to log in to {product-title} with their GitHub credentials. To prevent anyone with any GitHub user ID from logging in to your {product-title} cluster, you must restrict access to only those in specific GitHub organizations or teams. ==== .Prerequisites * The OAuth application must be created directly within the GitHub link:https://docs.github.com/en/github/setting-up-and-managing-organizations-and-teams/managing-organization-settings[organization settings] by the GitHub organization administrator. * link:https://docs.github.com/en/github/setting-up-and-managing-organizations-and-teams[GitHub organizations or teams] are set up in your GitHub account. .Procedure . From {cluster-manager-url}, navigate to the *Cluster List* page and select the cluster that you need to configure identity providers for. . Click the *Access control* tab. . Click *Add identity provider*. + [NOTE] ==== You can also click the *Add Oauth configuration* link in the warning message displayed after cluster creation to configure your identity providers. ==== . Select *GitHub* from the drop-down menu. . Enter a unique name for the identity provider. This name cannot be changed later. ** An *OAuth callback URL* is automatically generated in the provided field. You will use this to register the GitHub application. + ---- https://oauth-openshift.apps../oauth2callback/ ---- + For example: + ifndef::openshift-rosa-hcp[] ---- https://oauth-openshift.apps.openshift-cluster.example.com/oauth2callback/github ---- endif::openshift-rosa-hcp[] ifdef::openshift-rosa-hcp[] ---- https://oauth../oauth2callback/ ---- endif::openshift-rosa-hcp[] . link:https://docs.github.com/en/developers/apps/creating-an-oauth-app[Register an application on GitHub]. . Return to {product-title} and select a mapping method from the drop-down menu. *Claim* is recommended in most cases. . Enter the *Client ID* and *Client secret* provided by GitHub. . Enter a *hostname*. A hostname must be entered when using a hosted instance of GitHub Enterprise. . Optional: You can use a certificate authority (CA) file to validate server certificates for the configured GitHub Enterprise URL. Click *Browse* to locate and attach a *CA file* to the identity provider. . Select *Use organizations* or *Use teams* to restrict access to a particular GitHub organization or a GitHub team. . Enter the name of the organization or team you would like to restrict access to. Click *Add more* to specify multiple organizations or teams that users can be a member of. . Click *Confirm*. .Verification * The configured identity provider is now visible on the *Access control* tab of the *Cluster List* page.