openshift-docs/modules/identity-provider-add.adoc

// Module included in the following assemblies:
//
// * authentication/identity_providers/configuring-allow-all-identity-provider.adoc
// * authentication/identity_providers/configuring-deny-all-identity-provider.adoc
// * authentication/identity_providers/configuring-htpasswd-identity-provider.adoc
// * authentication/identity_providers/configuring-keystone-identity-provider.adoc
// * authentication/identity_providers/configuring-ldap-identity-provider.adoc
// * authentication/identity_providers/configuring-basic-authentication-identity-provider.adoc
// * authentication/identity_providers/configuring-request-header-identity-provider.adoc
// * authentication/identity_providers/configuring-github-identity-provider.adoc
// * authentication/identity_providers/configuring-gitlab-identity-provider.adoc
// * authentication/identity_providers/configuring-google-identity-provider.adoc
// * authentication/identity_providers/configuring-oidc-identity-provider.adoc

// GitHub and Google IDPs do not support username/password login commands
ifeval::["{context}" == "configuring-github-identity-provider"]
:no-username-password-login:
endif::[]
ifeval::["{context}" == "configuring-google-identity-provider"]
:no-username-password-login:
endif::[]
// Only some OIDC IDPs support username/password login commands
ifeval::["{context}" == "configuring-oidc-identity-provider"]
:no-username-password-login:
:oidc:
endif::[]

:_mod-docs-content-type: PROCEDURE
[id="add-identity-provider_{context}"]
= Adding an identity provider to your cluster

After you install your cluster, add an identity provider to it so your
users can authenticate.

.Prerequisites

* Create an {product-title} cluster.
* Create the custom resource (CR) for your identity providers.
* You must be logged in as an administrator.

.Procedure

. Apply the defined CR:
+
[source,terminal]
----
$ oc apply -f </path/to/CR>
----
+
[NOTE]
====
If a CR does not exist, `oc apply` creates a new CR and might trigger the following warning: `Warning: oc apply should be used on resources created by either oc create --save-config or oc apply`. In this case you can safely ignore this warning.
====

ifndef::no-username-password-login[]
. Log in to the cluster as a user from your identity provider, entering the
password when prompted.
+
[source,terminal]
----
$ oc login -u <username>
----
endif::no-username-password-login[]

ifdef::no-username-password-login[]

. Obtain a token from the OAuth server.
+
As long as the `kubeadmin` user has been removed, the `oc login` command provides instructions on how to access a web page where you can retrieve the token.
+
You can also access this page from the web console by navigating to *(?) Help* -> *Command Line Tools* -> *Copy Login Command*.

. Log in to the cluster, passing in the token to authenticate.
+
[source,terminal]
----
$ oc login --token=<token>
----
+
[NOTE]
====
ifdef::oidc[]
If your OpenID Connect identity provider supports the resource owner password credentials (ROPC) grant flow, you can log in with a user name and password. You might need to take steps to enable the ROPC grant flow for your identity provider.

After the OIDC identity provider is configured in {product-title}, you can log in by using the following command, which prompts for your user name and password:

[source,terminal]
----
$ oc login -u <identity_provider_username> --server=<api_server_url_and_port>
----
endif::oidc[]

ifndef::oidc[]
This identity provider does not support logging in with a user name and password.
endif::oidc[]
====
endif::no-username-password-login[]

. Confirm that the user logged in successfully, and display the user name.
+
[source,terminal]
----
$ oc whoami
----

// Undefining attributes
ifeval::["{context}" == "configuring-google-identity-provider"]
:!no-username-password-login:
endif::[]
ifeval::["{context}" == "configuring-oidc-identity-provider"]
:!no-username-password-login:
:!oidc:
endif::[]
ifeval::["{context}" == "configuring-github-identity-provider"]
:!no-username-password-login:
endif::[]