mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-07 09:46:53 +01:00
openshift-docs/modules/identity-provider-about-request-header.adoc
2023-10-30 10:13:25 -04:00

// Module included in the following assemblies:
//
// * authentication/identity_providers/configuring-request-header-identity-provider.adoc
:_mod-docs-content-type: CONCEPT
[id="identity-provider-about-request-header_{context}"]
= About request header authentication

A request header identity provider identifies users from request
header values, such as `X-Remote-User`. It is typically used in combination with
an authenticating proxy, which sets the request header value. The
request header identity provider cannot be combined with other identity providers
that use direct password logins, such as htpasswd, Keystone, LDAP or basic authentication.

[NOTE]
====
You can also use the request header identity provider for advanced configurations
such as the community-supported link:https://github.com/openshift/request-header-saml-service-provider[SAML authentication].
Note that this solution is not supported by Red Hat.
====

For users to authenticate using this identity provider, they must access
`https://_<namespace_route>_/oauth/authorize` (and subpaths) via an authenticating proxy.
To accomplish this, configure the OAuth server to redirect unauthenticated
requests for OAuth tokens to the proxy endpoint that proxies to
`https://_<namespace_route>_/oauth/authorize`.

To redirect unauthenticated requests from clients expecting browser-based login flows:

* Set the `provider.loginURL` parameter to the authenticating proxy URL that
will authenticate interactive clients and then proxy the request to
`https://_<namespace_route>_/oauth/authorize`.

To redirect unauthenticated requests from clients expecting `WWW-Authenticate` challenges:

* Set the `provider.challengeURL` parameter to the authenticating proxy URL that
will authenticate clients expecting `WWW-Authenticate` challenges and then proxy
the request to `https://_<namespace_route>_/oauth/authorize`.

The `provider.challengeURL` and `provider.loginURL` parameters can include
the following tokens in the query portion of the URL:

* `${url}` is replaced with the current URL, escaped to be safe in a query parameter.
+
For example: [x-]`https://www.example.com/sso-login?then=${url}`
* `${query}` is replaced with the current query string, unescaped.
+
For example: [x-]`https://www.example.com/auth-proxy/oauth/authorize?${query}`
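
The following added example (not code from the OpenShift OAuth server or from this documentation module) re-implements the two substitution rules described above so you can see what the authenticating proxy actually receives. The request URL, proxy hostnames and `client_id` value are constructed for the demonstration; `expand_redirect_url` and `redirect_query_params` are hypothetical helper names.

```python
# Added example: re-implementation of the documented ${url} / ${query}
# substitution rules for provider.loginURL and provider.challengeURL.
# Not the OAuth server's own code; all URLs below are constructed.
from urllib.parse import parse_qs, quote, urlsplit


def expand_redirect_url(template: str, current_url: str) -> str:
    """Expand the tokens allowed in the query portion of a loginURL or
    challengeURL.

    ${url}   -> the current request URL, percent-escaped so it survives as
                the value of a single query parameter.
    ${query} -> the current request's query string, inserted unescaped.
    """
    query = urlsplit(current_url).query
    return (template
            .replace("${url}", quote(current_url, safe=""))
            .replace("${query}", query))


def redirect_query_params(template: str, current_url: str) -> dict:
    """Return the query parameters the proxy would see after expansion,
    parsed back into {name: [values]} with urllib's parse_qs."""
    expanded = expand_redirect_url(template, current_url)
    return parse_qs(urlsplit(expanded).query)


if __name__ == "__main__":
    # Constructed: an unauthenticated token request that hit the OAuth server.
    current = ("https://api.cluster.example.com:6443/oauth/authorize"
               "?client_id=openshift-challenging-client&response_type=token")
    login_url = "https://www.example.com/sso-login?then=${url}"
    challenge_url = "https://www.example.com/auth-proxy/oauth/authorize?${query}"

    # ${url}: the whole request URL is carried in one parameter, escaped.
    print(expand_redirect_url(login_url, current))
    # ${query}: the original query string is re-attached to the proxy path.
    print(expand_redirect_url(challenge_url, current))
    # Caveat: ${query} is unescaped, so placing it inside a single parameter
    # splits the original request into separate parameters at the proxy.
    print(redirect_query_params("https://www.example.com/sso-login?then=${query}",
                                current))
```

Use `${url}` when the proxy must round-trip the full original URL in one parameter; use `${query}` only when the proxy path is meant to receive the original parameters themselves.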

[IMPORTANT]
====
As of {product-title} 4.1, your proxy must support mutual TLS.
====

[id="sspi-windows_{context}"]
== SSPI connection support on Microsoft Windows

ifdef::openshift-enterprise,openshift-webscale[]
:FeatureName: Using SSPI connection support on Microsoft Windows
include::snippets/technology-preview.adoc[leveloffset=+1]
endif::[]

The OpenShift CLI (`oc`) supports the Security Support Provider Interface (SSPI) to allow for SSO
flows on Microsoft Windows. If you use the request header identity provider with a
GSSAPI-enabled proxy to connect an Active Directory server to {product-title},
users can automatically authenticate to {product-title} by using the `oc` command
line interface from a domain-joined Microsoft Windows computer.