Configuring OIDC with LDAP dependency

From foundational services 4.9, you can configure an OIDC connection that depends on one or more existing LDAP connections, so that the users and groups that are defined in those LDAP directories can log in through OIDC authentication. To do so, enable the Use in conjunction with an existing ldap toggle option when you create the OIDC connection.

Prerequisites

Procedure

You can configure OIDC with LDAP dependency using one of the following methods:

Configuring OIDC with LDAP dependency using console

  1. Log on to the cp-console as an administrator.

    To get the cp-console URL, username, and password, complete the following steps:

    1. Log on to the console as an administrator.
    2. Go to Networking > Routes.
    3. Set the project to the namespace where you deployed the foundational services.
    4. Find the cp-console route and click the URL in the Location section.
    5. Log on to the cp-console with the username and password. To get the username and password, go to Workloads > Secrets and search for platform-auth-idp-credentials. You can copy the admin_username and admin_password from the Data section and log on to the cp-console.
  2. Click New Connection and select OIDC as the protocol type. The New OIDC Connection page is displayed.

  3. Enable the Use in conjunction with an existing ldap toggle option. From the Specify LDAP Connection drop-down list, choose the existing LDAP to integrate.

  4. Enter the required values for the parameters in the Connection details, Token attribute mapping, and Site settings sections.

Table 1. Connection details parameters

Parameter | Description
Name | The name of the OIDC connection.
Description (optional) | Description of the OIDC connection.

Table 2. Token attribute mapping parameters

Parameter | Default value | Description
Sub | sub | The claim that holds the subject of the ID token. The default value for OIDC configuration is sub. You can override the default value to match the claim names that your identity provider issues.
Given name | firstName | The claim that holds the first name of the user.
Family name | lastName | The claim that holds the last name of the user.
Groups | blueGroups | The claim that holds the groups of the user. The groups are used to associate a client session with a set of authorization roles.
Email | emailAddress | The claim that holds the email address of the user.
Unique security name (optional) | uniqueSecurityName | The claim that holds a unique security name that identifies the subject.
Preferred username (optional) | preferred_username | The claim that holds the preferred username of the user.
Display name (optional) | displayName | The claim that holds the display name of the user.

Table 3. Site settings parameters

Parameter | Description
Well-known URI | The URL of the identity provider's discovery document. The document includes the configuration information for the identity provider, such as the authorization endpoint, the token endpoint, and other details that are required to interact with the identity provider.
Client ID | The unique identifier that the identity provider assigned to your application. It is sent to identify your application when you request or refresh access tokens.
Client secret | The secret that your application uses to authenticate to the identity provider. Protect it as you would any other credential.

Note: Just-in-time (JIT) user provisioning is enabled by default when you configure OIDC by using the console. If you enable the Use in conjunction with an existing ldap toggle option, JIT is disabled: users are not created on first login, so only users and groups that already exist in the selected LDAP connection can log in through this OIDC connection.

  5. Click Create.
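Two things must line up before the connection that you created above works: the Well-known URI must serve a discovery document with the endpoints the platform needs, and the ID token that your identity provider issues must carry the claims named in the Token attribute mapping. If a mapped claim is missing, the attribute is empty and, with JIT disabled, the user cannot be matched to an LDAP entry. The following pre-flight check is an added example written for this page; it is not IBM code and does not call the foundational services API. The discovery document and the ID token are constructed sample input, and the identity provider in the sample deliberately emits standard OIDC claim names (given_name, family_name, groups, email) rather than the Table 2 defaults, to show why you may need to override the mapping in the console.

```python
"""Pre-flight check for an OIDC connection that depends on LDAP.

Added example for this page (not IBM code). Checks two things offline:
  1. The discovery document behind the Well-known URI has the endpoints
     the platform needs and its issuer matches the URI.
  2. A sample ID token carries the claims named in the Token attribute
     mapping (Table 2 defaults), and reports which required ones are missing.
"""
import base64
import json

# Table 2 defaults: platform attribute -> ID token claim name.
DEFAULT_TOKEN_ATTRIBUTE_MAPPING = {
    "sub": "sub",
    "given_name": "firstName",
    "family_name": "lastName",
    "groups": "blueGroups",
    "email": "emailAddress",
    "unique_security_name": "uniqueSecurityName",  # optional in Table 2
    "preferred_username": "preferred_username",    # optional in Table 2
    "display_name": "displayName",                 # optional in Table 2
}
OPTIONAL_ATTRIBUTES = {"unique_security_name", "preferred_username", "display_name"}
REQUIRED_DISCOVERY_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery_document(doc: dict, well_known_uri: str) -> list:
    """Return a list of problems found in a discovery document (empty list means OK)."""
    problems = [f"missing {k}" for k in REQUIRED_DISCOVERY_KEYS if k not in doc]
    issuer = doc.get("issuer")
    # OIDC Discovery: the well-known URI is <issuer>/.well-known/openid-configuration.
    if issuer and not well_known_uri.startswith(issuer.rstrip("/") + "/.well-known/"):
        problems.append(f"issuer {issuer!r} does not match well-known URI {well_known_uri!r}")
    for k in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if k in doc and not str(doc[k]).startswith("https://"):
            problems.append(f"{k} is not https")
    return problems


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT verifying the signature.

    Sufficient for inspecting claim names during setup. Never use this for an
    authentication decision; there the signature must be checked against jwks_uri.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def map_id_token_claims(payload: dict, mapping: dict = DEFAULT_TOKEN_ATTRIBUTE_MAPPING):
    """Resolve platform attributes from ID token claims.

    Returns (attributes, missing_required): attributes maps platform attribute ->
    claim value; missing_required lists required attributes whose claim is absent.
    """
    attributes, missing = {}, []
    for attr, claim in mapping.items():
        if claim in payload:
            attributes[attr] = payload[claim]
        elif attr not in OPTIONAL_ATTRIBUTES:
            missing.append(f"{attr} (claim {claim!r})")
    return attributes, missing


def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def build_unsigned_jwt(payload: dict) -> str:
    """Build a compact JWT with an empty signature, for constructed test input only."""
    return f"{_b64url({'alg': 'none'})}.{_b64url(payload)}."


# Constructed sample input; idp.example.com is not a real identity provider.
SAMPLE_WELL_KNOWN_URI = "https://idp.example.com/.well-known/openid-configuration"
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/keys",
}
# This sample IdP emits standard OIDC claim names, not the Table 2 defaults.
SAMPLE_ID_TOKEN = build_unsigned_jwt({
    "iss": "https://idp.example.com", "sub": "u12345",
    "given_name": "Ada", "family_name": "Lovelace",
    "email": "ada@example.com", "groups": ["cluster-admins"],
})


def run_preflight(well_known_uri=SAMPLE_WELL_KNOWN_URI, discovery=SAMPLE_DISCOVERY,
                  id_token=SAMPLE_ID_TOKEN, mapping=DEFAULT_TOKEN_ATTRIBUTE_MAPPING):
    """Run both checks and return their results in one dict."""
    return {
        "discovery_problems": check_discovery_document(discovery, well_known_uri),
        "attributes_and_missing": map_id_token_claims(decode_jwt_payload(id_token), mapping),
    }


if __name__ == "__main__":
    result = run_preflight()
    print("discovery:", result["discovery_problems"] or "OK")
    attrs, missing = result["attributes_and_missing"]
    print("resolved with default mapping:", attrs)
    print("missing with default mapping:", missing)
    # Remedy: override the Table 2 defaults in the console to the IdP's claim names.
    fixed = dict(DEFAULT_TOKEN_ATTRIBUTE_MAPPING, given_name="given_name",
                 family_name="family_name", groups="groups", email="email")
    print("missing with overridden mapping:",
          run_preflight(mapping=fixed)["attributes_and_missing"][1])
```

With the default mapping only Sub resolves and the four other required attributes are reported missing; after overriding the mapping to the identity provider's claim names, nothing is missing. In a real setup, fetch the discovery document from your Well-known URI and obtain an ID token from a test login, then run the same two checks before you click Create.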