Configuring CAS to connect to your Identity Provider (IDP)

An Identity Provider is a system or service that creates, maintains, and manages identity information for users and provides authentication services to applications or other systems. It acts as a trusted third party that authenticates users and shares their identity information with other services.

About this task

An IDP can be integrated with CAS to enhance security, access control, and compliance. It helps CAS by providing:
  • Secure Access: It ensures that only authorized users access sensitive content.
  • Single Sign-On (SSO): It enables you to log in once to access multiple systems.
  • Compliance: It helps meet regulatory requirements with audit trails and access controls.
  • User Management: It simplifies onboarding, offboarding, and role-based access.

Configure CAS with client ID and client secret

  • Client ID: It is the ID created in the IDP to allow CAS API access.
  • Client secret: It is the password that is associated with the client ID for secure access to IDP APIs.
To enable user and group validation through the Security Identity Manager (SIM) client, CAS uses the client ID and client secret to authenticate with the IDP.
To obtain the client ID and client secret, perform the following steps:
  1. Create and enable API access in your IDP.
  2. Configure CAS with the credentials that are provided by the IDP, as the client ID and client secret.

    CAS then uses this client ID and client secret to query the user and group APIs from the IDP.

To connect your IDP to the CAS deployment, perform the following steps:

Procedure

  1. Configure an IDP secret for CAS by creating a secret that is named idp-sec in the CAS installation namespace, with the client_id and client_secret values in Base64 format:
    kind: Secret
    apiVersion: v1
    metadata:
      name: idp-sec
      namespace: ibm-cas
    data:
      client_id: <client ID in base64 format>
      client_secret: <client secret in base64 format>
    type: Opaque
  2. Create a CAS IdentityProvider CR to specify the custom configuration details of your IDP. Specify the following fields based on your IDP configuration:
    • email: It is the list of claims whose value must be used as the email address.
    • groups: It is the list of claims whose value must be used as the groups.
    • name: It is the list of claims whose value must be used as the name.
    • sub: It is the list of claims whose value must be used as the subject.
    • issuer: It is the issuer URL of the external IDP. For example: https://keycloak-keycloak-automation.apps.com/auth/realms/master
    • groupUrl: It is the IDP URL for retrieving all groups. For example: https://keycloak-keycloak-automation.apps.com/auth/admin/realms/master/groups
    • userUrl: It is the IDP URL for retrieving all users. For example: https://keycloak-keycloak-automation.apps.com/auth/admin/realms/master/users
    apiVersion: cas.isf.ibm.com/v1beta1
    kind: IdentityProvider
    metadata:
      name: identityprovider-sample
      namespace: ibm-cas
    spec:
      identityProvider:
        claims:
          email:
            - <email>
          groups:
            - <groups>
          name:
            - <preferred_username>
          sub:
            - <subject>
        issuer: <Issuer URL of IDP>
        mappingMethod: claim
        name: openid
        scimClient:
          clientSecretName: <OpenShift secret storing client_id and client_secret parameters of IDP client>
          groupUrl: <IDP URL to retrieve all groups>
          userUrl: <IDP URL to retrieve all users>
        type: OpenidProvider
  3. To enable file-level security, add the following claims of the external IDP to the claims section:
    spec:
      identityProvider:
        claims:
          groupID:
            - gidNumber
          supplementalGroups:
            - supplementalGroups
          userID:
            - uidNumber
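The idp-sec Secret from step 1 is the one piece of this procedure that is easy to get subtly wrong: encoding the credentials with `echo value | base64` bakes a trailing newline into the stored client_id or client_secret, and the IDP then sees a credential that does not match. The following POSIX shell script is an added example, not part of the IBM documentation, that renders the Secret manifest from plaintext values with newline-free encoding and verifies that the encoded client_id decodes back to the original; it assumes the ibm-cas namespace from the page and a GNU-style base64 that supports -d.

```shell
#!/bin/sh
# Added example: render the idp-sec Secret for CAS from plaintext credentials.
# Assumptions: namespace ibm-cas as in the documentation; base64 -d for decoding.

# b64: Base64-encode a value WITHOUT a trailing newline. `echo` would append "\n",
# which would become part of the stored client_id/client_secret.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# render_idp_secret NAMESPACE CLIENT_ID CLIENT_SECRET
# Prints a Secret manifest matching the layout required by step 1.
render_idp_secret() {
  ns=$1; cid=$2; csec=$3
  cat <<EOF
kind: Secret
apiVersion: v1
metadata:
  name: idp-sec
  namespace: ${ns}
data:
  client_id: $(b64 "$cid")
  client_secret: $(b64 "$csec")
type: Opaque
EOF
}

# check_roundtrip NAMESPACE CLIENT_ID CLIENT_SECRET
# Decodes the rendered client_id and returns success only if it equals the input,
# i.e. no stray newline or shell expansion altered the credential.
check_roundtrip() {
  manifest=$(render_idp_secret "$1" "$2" "$3")
  decoded=$(printf '%s\n' "$manifest" | sed -n 's/^  client_id: //p' | base64 -d)
  [ "$decoded" = "$2" ]
}

# Usage with constructed sample values; pipe the output to `oc apply -f -` or
# `kubectl apply -f -` once it has been reviewed.
if [ "${1:-}" = "--demo" ]; then
  render_idp_secret ibm-cas cas-client 'constructed-sample-secret'
fi
```

The secret name emitted here (idp-sec) is the value that the IdentityProvider CR's scimClient.clientSecretName field in step 2 must reference.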