Pinniped Documentation
Configure the Pinniped Supervisor to use Azure Active Directory as an OIDC provider
The Supervisor is an OpenID Connect (OIDC) issuer that supports connecting a single “upstream” identity provider to many “downstream” cluster clients.
This guide shows you how to configure the Supervisor so that users can authenticate to their Kubernetes cluster using their Azure Active Directory credentials.
Prerequisites
This how-to guide assumes that you have already installed the Pinniped Supervisor with working ingress, and that you have configured a FederationDomain to issue tokens for your downstream clusters.
Create an Azure AD Application
If you don’t already have an Azure subscription, create a free account. Next, create a new tenant in Azure Active Directory. This tenant represents your organization.
For example, to create a tenant:
- In the Azure portal, navigate to Home > Azure Active Directory.
- Create a new tenant:
- Click
Manage Tenants
. - Click
Create
. - Fill out your organization details.
- Click
- Optionally, just use the
Default Directory
that is already created. - Users can be added to the directory via the
Manage
>Users
link. - Create a new app:
- Click
App Registrations
. - Click
New Registration
. - Enter a
user-facing display name
. - Choose supported account types.
- Enter the
Redirect URI
. ChooseWeb
from the dropdown menu. The redirect uri will be thespec.issuer
you configured in yourFederationDomain
appended with/callback
. - Click
Register
.
- Click
Configure the Supervisor
Create an OIDCIdentityProvider in the same namespace as the Supervisor.
- In the Azure portal, navigate to Home > Azure Active Directory > App Registrations.
- Copy the
Application (client) ID)
for use in your OIDCIdentityProvider CR later.
- Copy the
- Select your application, and then click
Add a certificate or secret
.- Click
New client secret
, provide a name, an expiration time, and clickcreate
. - Copy the secret
Value
for use later with yourOIDCIdentityProvider
.
- Click
- Select your application, and then click
Endpoints
.- Under
Endpoints
, find theOpenID Connect Metadata Document
URL. - Perform a curl with this URL and find the issuer value (
curl https://<openid.connect.metadata.document.url> | jq ".issuer"
). - Copy the
issuer
value to use in yourOIDCIdentityProvider
.
- Under
For example, this OIDCIdentityProvider and corresponding Secret use Azure AD’s email
claim as the Kubernetes username:
apiVersion: idp.supervisor.pinniped.dev/v1alpha1
kind: OIDCIdentityProvider
metadata:
namespace: pinniped-supervisor
name: azuread
spec:
# Specify the upstream issuer URL (no trailing slash). Change this to be the
# actual issuer provided by your Azure AD account. This is most easily found
# by checking the Endpoints for your application and performing a curl against
# the OpenID Connect metadata document URL.
issuer: <issuer.from.OpenID.connect.metadata.document>
# Specify how to form authorization requests to your Azure AD application.
authorizationConfig:
# Request any scopes other than "openid" for claims besides
# the default claims in your token. The "openid" scope is always
# included.
#
# To learn more about how to customize the claims returned, see here:
# https://learn.microsoft.com/en-us/azure/active-directory/develop/custom-claims-provider-overview
additionalScopes: [offline_access, groups, email]
# If you would also like to allow your end users to authenticate using
# a password grant, then change this to true.
allowPasswordGrant: false
# Specify how Azure AD claims are mapped to Kubernetes identities.
claims:
# Specify the name of the claim in your Azure AD token that will be mapped
# to the "username" claim in downstream tokens minted by the Supervisor.
username: email
# Specify the name of the claim in Azure AD that represents the groups
# that the user belongs to. This matches what you specified above
# with the Groups claim filter.
groups: groups
# Specify the name of the Kubernetes Secret that contains your Azure AD
# application's client credentials (created below).
client:
secretName: azuread-client-credentials
---
apiVersion: v1
kind: Secret
metadata:
namespace: pinniped-supervisor
name: azuread-client-credentials
type: secrets.pinniped.dev/oidc-client
stringData:
# The "Client ID" for your Application
# Note that when you create a secret the secret itself will also receive an ID.
# The secret ID is not used. Use the Application Client ID.
clientID: "<your-client-id>"
# The "Client secret" that you created when you made a secret for your Azure AD Application.
clientSecret: "<your-client-secret>"
Note that the metadata.name
of the OIDCIdentityProvider resource may be visible to end users at login prompts
if you choose to enable allowPasswordGrant
, so choose a name which will be understood by your end users.
For example, if you work at Acme Corp, choose something like acme-corporate-azuread
over my-idp
.
Once your OIDCIdentityProvider has been created, you can validate your configuration by running:
kubectl describe OIDCIdentityProvider -n pinniped-supervisor azuread
Look at the status
field. If it was configured correctly, you should see phase: Ready
.
Next steps
Next, configure the Concierge to validate JWTs issued by the Supervisor! Then you’ll be able to log into those clusters as any of the users from the Azure AD directory.