Configuring provisioning for Red Hat OpenShift

Use this task to provision users from Verify to a Red Hat OpenShift application.

Before you begin

You need the following prerequisites.
  • A Red Hat OpenShift Instance URL and token.
  • A Red Hat OpenShift user with a cluster-admin role.
  • A Red Hat OpenShift REST API server that is running on port 443.
  • A Red Hat OpenShift API server that presents a CA-signed TLS certificate.

About this task

Provisioning provides the following features.
Create new users
New users that are created through Verify are also created in the Red Hat OpenShift application.
Delete users
Deactivating the user or disabling the user's access to the application through Verify deletes the user in the Red Hat OpenShift application.
Modify user profile
Updates made to the user's profile through Verify are pushed to the Red Hat OpenShift application.
User suspend and restore
User suspend and restore is not supported in Red Hat OpenShift applications.
User synchronization and remediation
The Red Hat OpenShift application supports user synchronization, remediation, and group synchronization features.

User synchronization fetches all users of the target application into Verify and matches them with the users in Verify. The adoption policy that is defined on the application specifies the attributes that are used to match, and therefore adopt, the reconciled users.

A remediation policy can be configured to remediate user accounts whose attribute values differ between Verify and the target application. Verify supports the following three remediation policies.
  • NONE - Do not remediate non-compliant accounts automatically.
  • ON_SV - Update Verify account attribute values with the target application values.
  • ON_TARGET - Update target application account attribute values with Verify values.

Group synchronization fetches all groups of the target application into Verify.

Fine grained entitlement
Fine grained entitlement is supported for the Red Hat OpenShift application. Synchronization fetches all of the Red Hat OpenShift application groups. Users can be added to or removed from groups.

Procedure

  1. Log in as an administrator to your Red Hat OpenShift account.
  2. You need the following parameters to configure user provisioning in Verify.
    Instance URL
    The URL of the Red Hat OpenShift API server. For example,
    https://<instance host name>:<port>
    Token
    Use the following steps to generate an access token for a service account that has only the permissions that provisioning needs:
    1. Create a new service account.
      oc create sa <service_account_name>
    2. Create a cluster role for users and bind it to the service account. Users are cluster-scoped objects, so a ClusterRole and ClusterRoleBinding are required rather than a namespaced Role.
      oc create clusterrole manage-users --verb=create,delete,get,list,patch,update --resource=users.user.openshift.io

      oc create clusterrolebinding manage-users --clusterrole=manage-users --serviceaccount=<namespace>:<service_account_name>
    3. Create a cluster role for groups and bind it to the service account. Only get, list, and update are granted, which is enough to add users to and remove users from existing groups without creating or deleting groups.
      oc create clusterrole manage-groups --verb=get,list,update --resource=groups.user.openshift.io

      oc create clusterrolebinding manage-groups --clusterrole=manage-groups --serviceaccount=<namespace>:<service_account_name>
    4. Run the following command to generate the access token of your service account. The <namespace> in the role bindings must be the project in which the service account was created.
      oc serviceaccounts get-token <service_account_name>
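The following shell script is an added example and is not part of this page, IBM Security Verify, or Red Hat's tooling. It performs steps 1 to 4 above in one run and then checks with oc auth can-i that the service account can do exactly what the cluster roles grant and nothing more, which is the check to run before pasting the token into Verify. The account name verify-provisioner, the namespace verify-provisioning, the TOKEN_TTL value, and the list of permission checks are assumptions chosen for illustration. It also handles the token step on newer clusters: oc 4.11 and later provide oc create token, which issues a time-bound token, while oc serviceaccounts get-token is deprecated.

```sh
#!/bin/sh
# Added example, not from the page, IBM or Red Hat: performs steps 1-4 for a
# least-privilege provisioning service account, then verifies with "oc auth can-i"
# that the account can do exactly what the page grants and nothing else.
# Assumed for illustration: the account name, its namespace and the check list.
#   sh verify-sa.sh apply            create, verify, print token
#   DRY_RUN=1 sh verify-sa.sh apply  print the oc commands instead of running them
set -eu

OC="${OC:-oc}"
SA_NAME="${SA_NAME:-verify-provisioner}"           # assumed name
SA_NS="${SA_NS:-verify-provisioning}"              # assumed namespace
USER_VERBS="create,delete,get,list,patch,update"   # verbs the page grants on users
GROUP_VERBS="get,list,update"                      # verbs the page grants on groups

# Run an oc command, or print it when DRY_RUN=1.
run_oc() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$OC $*"
  else
    "$OC" "$@"
  fi
}

# The subject name RBAC uses for the service account (what --as= expects).
sa_subject() {
  echo "system:serviceaccount:${SA_NS}:${SA_NAME}"
}

# Steps 1-3: service account, one cluster role per resource, and the bindings.
# ClusterRoles are needed because users and groups are cluster-scoped objects.
setup_provisioner() {
  run_oc create sa "$SA_NAME" -n "$SA_NS"
  run_oc create clusterrole manage-users --verb="$USER_VERBS" --resource=users.user.openshift.io
  run_oc create clusterrolebinding manage-users --clusterrole=manage-users \
    --serviceaccount="${SA_NS}:${SA_NAME}"
  run_oc create clusterrole manage-groups --verb="$GROUP_VERBS" --resource=groups.user.openshift.io
  run_oc create clusterrolebinding manage-groups --clusterrole=manage-groups \
    --serviceaccount="${SA_NS}:${SA_NAME}"
}

# Each entry is verb:resource:expected. The "no" rows matter most: they prove the
# bindings did not leak broader rights (for example a leftover cluster-admin binding).
PERMISSION_CHECKS="create:users.user.openshift.io:yes
delete:users.user.openshift.io:yes
patch:users.user.openshift.io:yes
update:groups.user.openshift.io:yes
create:groups.user.openshift.io:no
delete:groups.user.openshift.io:no
get:secrets:no
list:pods:no"

# Returns 0 when every check matches, 1 otherwise (each mismatch is reported).
verify_permissions() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "dry run: skipping oc auth can-i checks"
    return 0
  fi
  subject="$(sa_subject)"
  failures=0
  for check in $PERMISSION_CHECKS; do
    verb=${check%%:*}; rest=${check#*:}
    resource=${rest%%:*}; expected=${rest#*:}
    # "oc auth can-i" prints yes/no and exits non-zero on "no", so do not let -e abort.
    answer="$("$OC" auth can-i "$verb" "$resource" --as="$subject" 2>/dev/null || true)"
    case "$answer" in
      yes*) actual=yes ;;
      no*)  actual=no ;;
      *)    actual=unknown ;;
    esac
    if [ "$actual" != "$expected" ]; then
      echo "MISMATCH: $verb $resource -> $actual (expected $expected)" >&2
      failures=$((failures + 1))
    fi
  done
  [ "$failures" -eq 0 ]
}

# Step 4: mint the token. oc 4.11+ has "oc create token", which issues a time-bound
# token (the cluster may cap the duration); rotate it in Verify before it expires.
# Older releases fall back to the deprecated "oc serviceaccounts get-token".
issue_token() {
  if "$OC" create token --help >/dev/null 2>&1; then
    run_oc create token "$SA_NAME" -n "$SA_NS" --duration="${TOKEN_TTL:-720h}"
  else
    run_oc serviceaccounts get-token "$SA_NAME" -n "$SA_NS"
  fi
}

case "${1:-}" in
  apply)  setup_provisioner && verify_permissions && issue_token ;;
  verify) verify_permissions ;;
  token)  issue_token ;;
  *)      echo "usage: $0 apply|verify|token" >&2 ;;
esac
```

Run it with DRY_RUN=1 first to review the exact oc commands, then with apply against the cluster while logged in as a cluster-admin (needed to create the ClusterRoles). The verify subcommand can be re-run at any time, for example after a cluster upgrade, to confirm the account has not gained rights it should not have.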