openshift-docs/modules/understanding-idp.adoc
2022-11-28 16:49:58 +00:00
// Module included in the following assemblies:
//
// * rosa_getting_started/rosa-sts-config-identity-providers.adoc
// * rosa_getting_started/rosa_getting_started_iam/rosa-config-identity-providers.adoc
// * identity_providers/config-identity-providers.adoc
:_content-type: CONCEPT
[id="understanding-idp_{context}"]
= Understanding identity providers
{product-title} includes a built-in OAuth server. Developers and administrators obtain OAuth access tokens to authenticate themselves to the API. As an administrator, you can configure OAuth to specify an identity provider after you install your cluster. Configuring identity providers allows users to log in and access the cluster.
[id="understanding-idp-supported_{context}"]
== Supported identity providers
You can configure the following types of identity providers:
[cols="2a,8a",options="header"]
|===
|Identity provider
|Description

|GitHub or GitHub Enterprise
|Configure a GitHub identity provider to validate usernames and passwords against GitHub or GitHub Enterprise's OAuth authentication server.

|GitLab
|Configure a GitLab identity provider to use link:https://gitlab.com/[GitLab.com] or any other GitLab instance as an identity provider.

|Google
|Configure a Google identity provider using link:https://developers.google.com/identity/protocols/OpenIDConnect[Google's OpenID Connect integration].

|LDAP
|Configure an LDAP identity provider to validate usernames and passwords against an LDAPv3 server, using simple bind authentication.

|OpenID Connect
|Configure an OpenID Connect (OIDC) identity provider to integrate with an OIDC identity provider using an link:http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth[Authorization Code Flow].

|htpasswd
|Configure an htpasswd identity provider for a single, static administration user. You can log in to the cluster as the user to troubleshoot issues.

[IMPORTANT]
====
The htpasswd identity provider option is included only to enable the creation of a single, static administration user. htpasswd is not supported as a general-use identity provider for {product-title}. For the steps to configure the single user, see _Configuring an htpasswd identity provider_.
====
|===
[id="understanding-idp-parameters_{context}"]
== Identity provider parameters
The following parameters are common to all identity providers:
[cols="2a,8a",options="header"]
|===
|Parameter | Description

|`name` | The provider name is prefixed to provider user names to form an
identity name.

|`mappingMethod` | Defines how new identities are mapped to users when they log in.
Enter one of the following values:

claim:: The default value. Provisions a user with the identity's preferred
user name. Fails if a user with that user name is already mapped to another
identity.
lookup:: Looks up an existing identity, user identity mapping, and user,
but does not automatically provision users or identities. This allows cluster
administrators to set up identities and users manually, or using an external
process. Using this method requires you to manually provision users.
generate:: Provisions a user with the identity's preferred user name. If a
user with the preferred user name is already mapped to an existing identity, a
unique user name is generated. For example, `myuser2`. This method should not be
used in combination with external processes that require exact matches between
{product-title} user names and identity provider user names, such as LDAP group
sync.
add:: Provisions a user with the identity's preferred user name. If a user
with that user name already exists, the identity is mapped to the existing user,
adding to any existing identity mappings for the user. Required when multiple
identity providers are configured that identify the same set of users and map to
the same user names.
|===
[NOTE]
====
When adding or changing identity providers, you can map identities from the new
provider to existing users by setting the `mappingMethod` parameter to
`add`.
====
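The four `mappingMethod` values above and the note on `add` are easiest to reason about by stepping through logins against a small in-memory store. The following Python model is an added example, not code from the OpenShift project: `IdentityStore`, `User` and `MappingError` are names invented here, the identity name is built as `<provider name>:<provider user name>` exactly as the `name` parameter describes, and `generate` follows the `myuser2` example by appending an increasing counter. An existing user that is not yet mapped to any identity is treated as claimable, following the table's wording that `claim` fails only when the user is mapped to another identity.

```python
"""Toy model of how OpenShift maps a login identity to a cluster user (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass, field


class MappingError(Exception):
    """Login cannot be mapped to a user under the configured mappingMethod."""


@dataclass
class User:
    name: str
    identities: list[str] = field(default_factory=list)  # identity names mapped to this user


class IdentityStore:
    """Stand-in for the cluster's User, Identity and UserIdentityMapping objects."""

    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.identity_to_user: dict[str, str] = {}  # identity name -> user name

    @staticmethod
    def identity_name(provider: str, provider_username: str) -> str:
        # The identity provider `name` is prefixed to the provider user name.
        return f"{provider}:{provider_username}"

    def login(self, provider: str, provider_username: str, mapping_method: str = "claim") -> str:
        """Return the cluster user name this login resolves to, or raise MappingError."""
        ident = self.identity_name(provider, provider_username)
        preferred = provider_username  # the identity's preferred user name

        # A returning identity is already mapped; every method accepts it unchanged.
        if ident in self.identity_to_user:
            return self.identity_to_user[ident]

        if mapping_method == "lookup":
            # Never provisions: the administrator must create the mapping beforehand.
            raise MappingError(f"{ident}: no existing mapping and lookup does not provision users")

        if mapping_method == "claim":
            existing = self.users.get(preferred)
            if existing is not None and existing.identities:
                raise MappingError(
                    f"user {preferred!r} is already mapped to {existing.identities}; "
                    f"{ident} cannot claim it"
                )
            return self._bind(ident, preferred)

        if mapping_method == "generate":
            # Preferred name taken by another identity: derive a unique name (myuser2, myuser3, ...).
            name, counter = preferred, 2
            while name in self.users:
                name = f"{preferred}{counter}"
                counter += 1
            return self._bind(ident, name)

        if mapping_method == "add":
            # Map onto the existing user, keeping its other identity mappings.
            return self._bind(ident, preferred)

        raise ValueError(f"unknown mappingMethod {mapping_method!r}")

    def _bind(self, ident: str, username: str) -> str:
        user = self.users.setdefault(username, User(username))
        user.identities.append(ident)
        self.identity_to_user[ident] = username
        return username


if __name__ == "__main__":
    store = IdentityStore()
    print(store.login("github", "myuser"))                 # myuser
    print(store.login("ldap", "myuser", "generate"))       # myuser2 (name already claimed by github:myuser)
    print(store.login("google", "myuser", "add"))          # myuser, now mapped to two identities
    print(store.users["myuser"].identities)
```

The `generate` branch shows why the table warns against combining it with LDAP group sync: the LDAP login above lands on `myuser2`, so a group sync that expects the cluster user to be named `myuser` would not match. The `add` branch is the case the note describes, an existing user gaining a second identity mapping when a new provider is introduced.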