Configuring OIDC with LDAP dependency
From foundational services 4.9, you can configure OIDC with one or more LDAP connections so that the users and groups of those LDAPs can log in using OIDC authentication. You must enable the Use in conjunction with an existing ldap toggle option when you create a new LDAP connection.
Prerequisites
- To configure OIDC with LDAP dependency, the user registry for OIDC must be the same as the LDAP.
- Configure the LDAP connection in your cluster. For more information, see Configuring LDAP connection.
- Configure OIDC in your cluster. For more information, see Configuring single sign-on using OpenID Connect.
Procedure
You can configure OIDC with LDAP dependency using one of the following methods:
- Configuring OIDC with LDAP dependency using console
- Configuring OIDC with LDAP dependency using IdP v3 API
Configuring OIDC with LDAP dependency using console
- Log on to the cp-console as an administrator. To get the cp-console URL, username, and password, complete the following steps:
  - Log on to the console as an administrator.
  - Go to Networking > Routes.
  - Set the project to the namespace where you deployed the foundational services.
  - Find the cp-console route and click the URL in the Location section.
  - Log on to the cp-console with the username and password. To get the username and password, go to Workloads > Secrets and search for platform-auth-idp-credentials. You can copy the admin_username and admin_password from the Data section and log on to the cp-console.
- Click New Connection and select OIDC as the protocol type. The New OIDC Connection page is displayed.
- Enable the Use in conjunction with an existing ldap toggle option. From the Specify LDAP Connection drop-down list, choose the existing LDAP to integrate.
- Enter the required values for the parameters in the Connection details, Token attribute mapping, and Site settings sections.
Connection details

Parameter | Description |
---|---|
Name | The name of the OIDC connection |
Description (optional) | Description of the OIDC connection |

Token attribute mapping

Parameter | Default Value | Description |
---|---|---|
Sub | sub | The subject of the ID token. The default value for OIDC configuration is sub. You can manually override the default value based on your requirements. |
Given name | firstName | The first name of the user. |
Family name | lastName | The last name of the user. |
Groups | blueGroups | The groups parameter is used to associate a client session with a set of authorization roles. |
Email | emailAddress | The email address of the user. |
Unique security name (optional) | uniqueSecurityName | A unique security name is used to identify the subject. |
Preferred username (optional) | preferred_username | The preferred username of the user. |
Display name (optional) | displayName | The display name of the user. |

Site settings

Parameter | Description |
---|---|
Well-known URI | The URL that provides the configuration information for the identity provider, such as the authorization endpoint, token endpoint, and other details that are required to interact with the identity provider. |
Client ID | The unique identifier that is assigned to your application, used to identify your application when you request or refresh access tokens. |
Client secret | The unique key that authenticates your application. |
Note: JIT is enabled by default when you configure OIDC using the console. If you enable the Use in conjunction with an existing ldap toggle option, JIT is disabled.
- Click Create.