OIDC Setup on kloudfuse

For setting up OIDC on Kloudfuse, this Doc covers many of the basics. The redirect paths and config keys used below (/oauth2/callback, /oauth2/sign_out, redirect_url, oidc_issuer_url) follow the oauth2-proxy conventions, so the oauth2-proxy documentation is the reference for any option this page does not mention.

Steps to pay attention to:

  1. Create Okta account.

    1. A new account comes with a default application and a default authorization server (under Security > API); you can use these for simplicity.

  2. Add your cluster IP to the Okta application

    1. In your Okta account, go to Applications > Applications.

    2. Select your application, for example the default one.

    3. Note the Client ID and Client Secret; both are needed in step 3. The Client Secret is a credential: store it only in the Kubernetes Secret created in step 3, not in chat, tickets or version control.

    4. Scroll down to the Login section and add your cluster IP to the sign-in and sign-out redirect URIs. Okta matches redirect URIs exactly, so scheme, host, port and path must be identical to what the cluster sends; use the scheme the cluster serves (https) for both:

      1. Sign-In: https://<cluster-ip>/oauth2/callback

      2. Sign-Out: https://<cluster-ip>/oauth2/sign_out

  3. Client Secret: create the kfuse-auth-okta Secret from the Client ID, the Client Secret and a cookie secret, base64-encoding each value

    1. Create a file from the code block in the Doc and fill in the client-secret, client-id and cookie-secret. A Kubernetes Secret stores data: fields as base64, so each value must be base64-encoded (a stringData: field takes the plain value and Kubernetes encodes it for you). Generate the cookie secret as described in the Doc's directions; the Client ID and Client Secret are the values from the Okta application in step 2. Encode with printf '%s' "$value" | base64 rather than echo, because echo appends a newline that becomes part of the credential and breaks the sign-in.

    2. Apply the file with kubectl apply -f <file>; this creates the kfuse-auth-okta Secret.

  4. Create the ConfigMap specification

    1. In your Okta account, under Security > API, select your authorization server; this may also be the default one.

    2. This shows the Issuer URL of the server, for example https://trial-#.okta.com/oauth2/default

      1. Note the org hostname (trial-# for a trial org; your own org has a different hostname).

    3. In this section of the Doc, create an additional file from the code block mentioned there.

    4. Fill in redirect_url with your cluster IP: https://<cluster-ip>/oauth2/callback, the same value registered as the sign-in redirect URI in step 2.

    5. Fill in oidc_issuer_url with the Issuer URL from above, exactly as Okta displays it and without a trailing slash. OIDC discovery fetches <issuer>/.well-known/openid-configuration and clients reject the server when the issuer value in that document does not match the configured one character for character.

    6. Apply this file as the kfuse-auth-okta config.

  5. Create Access Policies

    1. In Security > API > (authorization server name) > Access Policies, create a new policy and assign it to the correct clients (for testing you can select All Clients).

    2. Create a Rule in the Access Policy (again, for testing you can set it to All). Before this goes beyond a dev cluster, narrow the policy to the Kloudfuse client and the rule to the users or groups that should reach the cluster, because anyone the policy allows is issued a token.

  6. Charts YAML:

    1. In the charts YAML for your cluster, make sure to include this section.

    2. Upgrade your dev cluster with the updated charts and you should now be able to sign in with OIDC.
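Steps 3 and 4 as one script, added here as an example; it is not the Doc's code block and not part of Kloudfuse. It assumes the Secret keys client-id, client-secret and cookie-secret, a ConfigMap that carries the two config keys in a file named oauth2_proxy.cfg (the file name is a guess; match whatever the Doc's code block uses), and a cookie secret of 32 random bytes in URL-safe base64, which is the format oauth2-proxy accepts. The placeholder values are constructed.

```shell
#!/bin/sh
# Added example, not the Kloudfuse Doc's code block: render the kfuse-auth-okta
# Secret (step 3) and ConfigMap (step 4) from the Okta values.
# Assumptions: Secret data keys client-id/client-secret/cookie-secret, a ConfigMap
# file key oauth2_proxy.cfg, and a cookie secret of 32 random bytes in URL-safe
# base64 (the oauth2-proxy format). Placeholder values below are constructed.
set -eu

# Encode one value for a Secret data: field. printf adds no trailing newline
# (echo would, and the newline would become part of the credential); tr strips
# the line wrapping some base64 implementations insert.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# 32 random bytes as URL-safe base64 (44 characters). render_secret then
# base64-encodes this string a second time for the manifest.
gen_cookie_secret() { head -c 32 /dev/urandom | base64 | tr -d '\n' | tr '+/' '-_'; }

# Reject the URL mistakes that surface later as redirect or issuer mismatches:
# wrong scheme or path on redirect_url, trailing slash or wrong host on the issuer.
validate_urls() {
  case "$1" in
    https://*/oauth2/callback) ;;
    *) echo "redirect_url must be https://<cluster-ip>/oauth2/callback, got: $1" >&2; return 1 ;;
  esac
  case "$2" in
    */) echo "oidc_issuer_url must not end with a slash: $2" >&2; return 1 ;;
    https://*.okta.com/oauth2/?*) ;;
    *) echo "oidc_issuer_url must look like https://<org>.okta.com/oauth2/<server>, got: $2" >&2; return 1 ;;
  esac
}

# Secret manifest. Arguments: client_id client_secret cookie_secret
render_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: kfuse-auth-okta
type: Opaque
data:
  client-id: $(b64 "$1")
  client-secret: $(b64 "$2")
  cookie-secret: $(b64 "$3")
EOF
}

# ConfigMap manifest. Arguments: redirect_url oidc_issuer_url
render_config() {
  validate_urls "$1" "$2"
  cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: kfuse-auth-okta
data:
  oauth2_proxy.cfg: |
    redirect_url = "$1"
    oidc_issuer_url = "$2"
EOF
}

# Constructed placeholders; override them through the environment.
CLUSTER_IP="${CLUSTER_IP:-203.0.113.10}"
OKTA_ORG="${OKTA_ORG:-trial-1234567}"
OKTA_CLIENT_ID="${OKTA_CLIENT_ID:-0oaExampleClientId}"
OKTA_CLIENT_SECRET="${OKTA_CLIENT_SECRET:-example-client-secret}"
COOKIE_SECRET="${COOKIE_SECRET:-$(gen_cookie_secret)}"

render_secret "$OKTA_CLIENT_ID" "$OKTA_CLIENT_SECRET" "$COOKIE_SECRET"
echo '---'
render_config "https://$CLUSTER_IP/oauth2/callback" "https://$OKTA_ORG.okta.com/oauth2/default"
```

Run it with CLUSTER_IP, OKTA_ORG, OKTA_CLIENT_ID and OKTA_CLIENT_SECRET set in the environment and pipe the output to kubectl apply -f -; COOKIE_SECRET is generated when unset, so keep the rendered manifest if you need to reproduce it later.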

 

Troubleshooting

If you get a 400 Bad Request error when trying to sign in with SSO, double-check that the Client Secret, Client ID and cookie secret in the kfuse-auth-okta Secret are base64-encoded and correct. Make sure no spaces or trailing newlines crept in when encoding (echo adds a newline; printf '%s' does not). Decoded with base64 -d, the values must match exactly what Okta shows in step 2 and what you encoded in step 3.

 

If you see 400 Bad Request but the Okta System Log shows the sign-in policy allowing the request, the problem is probably the Access Policy from step 5. Make sure the email you are signing in with exists in Okta under Directory > People; only users in the directory can be granted access by an Access Policy rule.
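A check for the 400 case above, added as an example (not from the Doc or from Kloudfuse): it decodes every data: field of a Secret manifest and flags exactly the mistakes the note warns about, a trailing newline from echo, a space pasted into the encoded value, or an empty field. The key names are assumed to be the ones from step 3; the sample manifest at the bottom is constructed and deliberately contains two bad fields.

```shell
#!/bin/sh
# Added example, not from the Kloudfuse Doc: audit the data: fields of an
# existing kfuse-auth-okta Secret for the encoding mistakes behind the
# 400 Bad Request (values encoded with echo carry a trailing newline; pasted
# values carry spaces). Assumes the keys client-id, client-secret and
# cookie-secret; the sample manifest at the bottom is constructed.
set -eu

# Decode one base64 value and look for whitespace at either end. Prints a
# verdict and returns 1 on any problem.
check_value() {
  local key val decoded
  key=$1; val=$2
  case "$val" in
    *[!A-Za-z0-9+/=]*) echo "BAD  $key: non-base64 character in the encoded value (a pasted space?)"; return 1 ;;
  esac
  # The trailing x survives $(...), which would otherwise strip a final newline.
  decoded=$(printf '%s' "$val" | base64 -d 2>/dev/null && printf x) ||
    { echo "BAD  $key: not valid base64"; return 1; }
  decoded=${decoded%x}
  case "$decoded" in
    "") echo "BAD  $key: empty value"; return 1 ;;
    *[[:space:]]|[[:space:]]*) echo "BAD  $key: leading/trailing whitespace after decoding (encoded with echo instead of printf?)"; return 1 ;;
  esac
  echo "OK   $key: ${#decoded} characters, no stray whitespace"
}

# Read a Secret manifest on stdin (kubectl get secret kfuse-auth-okta -o yaml),
# pull the "key: value" pairs out of its data: block and check each one.
# Returns 1 if any field is bad.
audit_secret() {
  sed -n '/^data:/,/^[^ ]/{s/^  \([A-Za-z0-9_.-]*\): *\(.*\)$/\1 \2/p;}' |
  { rc=0
    while read -r key val; do
      check_value "$key" "$val" || rc=1
    done
    exit "$rc"; }
}

# Constructed sample: client-id encoded correctly, client-secret encoded with
# echo (trailing newline), cookie-secret pasted with a space in the middle.
SAMPLE_MANIFEST="apiVersion: v1
kind: Secret
metadata:
  name: kfuse-auth-okta
type: Opaque
data:
  client-id: $(printf '%s' 0oaExampleClientId | base64)
  client-secret: $(echo example-client-secret | base64)
  cookie-secret: YWJj ZGVm"

if [ "$#" -gt 0 ]; then
  # Audit a manifest saved with: kubectl get secret kfuse-auth-okta -o yaml > secret.yaml
  audit_secret < "$1"
else
  printf '%s\n' "$SAMPLE_MANIFEST" | audit_secret || echo "sample manifest has bad fields (expected)"
fi
```

Save the live Secret with kubectl get secret kfuse-auth-okta -o yaml > secret.yaml and run sh audit-kfuse-auth-okta.sh secret.yaml; the exit status is non-zero when any field is bad, so the check can sit in a pre-upgrade script. The audit only reports shape problems; a value that decodes cleanly but was copied from the wrong Okta application still has to be compared by eye against step 2.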