mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
openshift-docs/modules/rosa-govcloud-keycloak-identity-management.adoc
Frances_McDonald e66d062605 life cycle added id
added spaces for life cycle dates

changes after peer review
2025-12-05 15:38:15 +00:00


// Module included in the following assemblies:
// * rosa_govcloud/rosa-install-govcloud-cluster.adoc
//Andy Krohg said this is for SRE so to remove this module,
:_mod-docs-content-type: PROCEDURE
[id="rosa-govcloud-keycloak-identity-management_{context}"]
= Preparing to access {product-title} in AWS GovCloud using Keycloak
Use this procedure to prepare access to {product-title} in AWS GovCloud when Keycloak is used for identity management.
.Prerequisites
* You have configured your AWS CLI to use GovCloud.
* You are logged into your government region.
* You have the admin user details.
* *Customer Configuration Options (Schemas)*
+
Identify which of the three categories a customer falls into based on their Identity Provider (IdP) setup. Each category corresponds to a specific YAML schema:
** *Customer with Configurable IdP:* For customers who use their own external IdP and can configure it to send a specific essential claim that validates users automatically. The schema requires the following details:
*** *Discovery Endpoint:* The IdP's OIDC discovery URL (typically ending in _/.well-known/openid-configuration_). This allows Keycloak to automatically fetch most of the IdP's settings.
*** *Client ID & Secret:* Credentials that allow Keycloak to authenticate with the customer's IdP.
*** *Email Domain(s):* A list of approved email domains. Only users with an email address from one of these domains will be allowed to log in.
*** *Essential Claim:* A specific key-value pair (e.g., _"rh-approved": "true"_) that must be present in a user's token from the IdP to grant them access. This is a crucial mechanism for controlling access from the customer's side. This claim must be a custom one, not a standard OIDC claim.
** *Customer without IdP:* For customers who use the platform's Keycloak instance as their direct identity provider.
** *Customer with Unchangeable IdP:* For customers who use their own external IdP but cannot configure it to send the essential claim. These customers rely on manual user approval.
.Procedure
For any customer that has an IdP, use the following steps:
. Navigate to Keycloak Admin Console.
. Change to the redhat-external realm.
. Under _Configure_, select *Identity providers*.
. Click the IdP of the customer whose configuration was just merged into _keycloak-interface_.
. Under _OIDC_, click *Settings*.
. Expand the *Advanced* section and update the _Scopes_ field to _openid profile email_.
+
This ensures that when a user first logs in to Keycloak through the IdP, all the required information for that user is correctly imported.
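The following is an added example, not code from the openshift-docs module or from Keycloak. It models the three customer schemas described under *Customer Configuration Options* and applies the two access gates from the configurable-IdP schema, the approved email domains and the custom essential claim, to the claims of an ID token; it also checks a discovery document for the `openid profile email` scopes set in the last step. The config field names, the `email_verified` check, and the sample customers and tokens are assumptions for illustration; the module does not prescribe them.

```python
"""Added example (not part of the openshift-docs module or of Keycloak):
model the customer IdP schemas and apply the email-domain and essential-claim
gates to ID token claims. Field names and sample data are assumptions."""
from urllib.parse import urlparse

# Registered OIDC claim names (OpenID Connect Core 1.0, ID token claims in
# section 2 and standard claims in section 5.1). The essential claim must
# not be one of these; it has to be a custom claim.
STANDARD_OIDC_CLAIMS = {
    "iss", "sub", "aud", "exp", "iat", "auth_time", "nonce", "acr", "amr", "azp",
    "name", "given_name", "family_name", "middle_name", "nickname",
    "preferred_username", "profile", "picture", "website", "email",
    "email_verified", "gender", "birthdate", "zoneinfo", "locale",
    "phone_number", "phone_number_verified", "address", "updated_at",
}

# Scopes the procedure sets in the identity provider's Advanced section.
REQUIRED_SCOPES = {"openid", "profile", "email"}

# Constructed example configs, one per external-IdP category (hypothetical).
CONFIGURABLE_IDP = {
    "category": "configurable_idp",
    "discovery_endpoint": "https://idp.example.gov/.well-known/openid-configuration",
    "client_id": "keycloak-broker",
    "client_secret": "hypothetical-secret",
    "email_domains": ["agency.example.gov"],
    "essential_claim": {"rh-approved": "true"},
}
UNCHANGEABLE_IDP = {
    "category": "unchangeable_idp",
    "discovery_endpoint": "https://idp.other.example.gov/.well-known/openid-configuration",
    "client_id": "keycloak-broker",
    "client_secret": "hypothetical-secret",
    "email_domains": ["other.example.gov"],
}


def validate_config(cfg):
    """Return a list of schema problems; an empty list means the config is usable."""
    problems = []
    url = urlparse(cfg.get("discovery_endpoint", ""))
    if url.scheme != "https" or not url.path.endswith("/.well-known/openid-configuration"):
        problems.append("discovery_endpoint must be an https OIDC discovery URL")
    for key in ("client_id", "client_secret"):
        if not cfg.get(key):
            problems.append(f"{key} is required")
    if not cfg.get("email_domains"):
        problems.append("at least one approved email domain is required")
    if cfg["category"] == "configurable_idp":
        claim = cfg.get("essential_claim") or {}
        if len(claim) != 1:
            problems.append("essential_claim must be exactly one key/value pair")
        elif next(iter(claim)) in STANDARD_OIDC_CLAIMS:
            problems.append("essential_claim must be a custom claim, not a standard OIDC claim")
    return problems


def email_domain_allowed(email, domains):
    """Exact match on the part after the last '@'. No suffix matching, so
    'attacker-agency.example.gov' does not satisfy 'agency.example.gov'."""
    if email.count("@") != 1:
        return False
    return email.rsplit("@", 1)[1].lower() in {d.lower() for d in domains}


def decide_access(claims, cfg):
    """Apply the gates for the config's category to the claims of an ID token."""
    # Assumption (added hardening, not stated by the module): only trust an
    # email the IdP has marked as verified.
    if not claims.get("email_verified", False):
        return "deny: email not verified"
    if not email_domain_allowed(claims.get("email", ""), cfg["email_domains"]):
        return "deny: email domain not approved"
    if cfg["category"] == "unchangeable_idp":
        # The IdP cannot send the essential claim; a human approves the user.
        return "pending: manual approval required"
    (key, expected), = cfg["essential_claim"].items()
    # Exact value match: a missing claim or "rh-approved": "false" is rejected.
    if key not in claims or str(claims[key]) != str(expected):
        return f"deny: essential claim {key!r} missing or not {expected!r}"
    return "allow"


def scopes_missing(discovery_doc):
    """Which of openid/profile/email the IdP does not list in scopes_supported."""
    return sorted(REQUIRED_SCOPES - set(discovery_doc.get("scopes_supported", [])))


if __name__ == "__main__":
    # Constructed token claims; a real deployment would take them from a
    # signature-verified ID token, which this example does not do.
    token = {"email": "jane@agency.example.gov", "email_verified": True, "rh-approved": "true"}
    print(validate_config(CONFIGURABLE_IDP), decide_access(token, CONFIGURABLE_IDP))
    print(scopes_missing({"scopes_supported": ["openid", "email"]}))
```

`validate_config` rejects an essential claim that reuses a standard name such as `email_verified`, because a standard claim can be set by any IdP user flow and carries no customer-side approval meaning; `scopes_missing` is the pre-check for the last step, since an IdP that does not advertise `profile` and `email` will not return the attributes Keycloak needs on first login.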