Pinniped Documentation
Configure the Pinniped Supervisor to use Workspace ONE Access as an OIDC provider
The Supervisor is an OpenID Connect (OIDC) issuer that supports connecting “upstream” identity providers to many “downstream” cluster clients.
This guide shows you how to configure the Supervisor so that users can authenticate to their Kubernetes cluster using their Workspace ONE Access credentials.
Prerequisites
This how-to guide assumes that you have already installed the Pinniped Supervisor with working ingress, and that you have configured a FederationDomain to issue tokens for your downstream clusters.
Create an Workspace ONE Access Application
Follow the Workspace ONE documentation for adding an OIDC app, including the documentation for the detailed steps required.
For example, to create an app:
- In the Workspace ONE Access Console, navigate to Catalog > Web Apps.
- Create a new app:
- Click
New
. - Enter a name for your app, such as “My Kubernetes Clusters”.
- For
Authentication Type
, selectOpenID Connect
. - Enter the Target URL. This value is required but unused and may be set to the
spec.issuer
you configured in yourFederationDomain
. - Enter the Redirect URL. This is the
spec.issuer
you configured in yourFederationDomain
appended with/callback
. - Enter the Client ID to a value such as “pinniped-supervisor” (this cannot be changed later).
- Enter the Client Secret. This should be set to a secure value such as the output of
openssl rand -hex 32
. - Set both “Open in Workspace ONE Web” and “Show in User Portal” options to “No”
- Set the desired Access Policies for the app, such as requiring smart card login.
- Save and assign the app to the desired users and/or groups. This can be used to restrict which users can log in to Kubernetes using this integration.
- Click
- Configure the token TTLs and scopes. Navigate to Catalog > Settings > Remote App access and click on the “pinniped-supervisor” client.
- Edit the Client Configuration:
Issue Refresh Token
must be checked- Set
Access Token Time-To-Live (TTL)
to 5 minutes - Set
Refresh Token Time-To-Live (TTL)
to 9 hours (or shorter if you wish to require more frequent logins) - Set
Idle Token Time-to-Live (TTL)
to 9 hours (or shorter if you wish to enforce an inactivity timeout)
- Edit the Scope configuration:
OpenID
must be checked- Check
Email
if you plan to use email as the username claim - Check
Group
if you plan to use groups in your Kubernetes environment - Uncheck all other scopes
- Edit the Client Configuration:
Configure the Supervisor
Create an OIDCIdentityProvider in the same namespace as the Supervisor.
For example, this OIDCIdentityProvider and corresponding Secret use Workspace ONE Access’s email
claim as the Kubernetes username:
apiVersion: idp.supervisor.pinniped.dev/v1alpha1
kind: OIDCIdentityProvider
metadata:
namespace: pinniped-supervisor
name: ws1
spec:
# Specify the issuer URL (no trailing slash). Change this to be the
# actual issuer of your Workspace ONE Access environment. Note that
# the Workspace ONE Access issuer ends with the string "/SAAS/auth".
issuer: https://ws1.my-company.com/SAAS/auth
tls:
# Base64-encoded PEM CA bundle for connections to WS1 (optional).
# Alternatively, the CA bundle can be specified in a Secret or
# ConfigMap that will be dynamically watched by Pinniped for
# changes to the CA bundle (see API docs for details).
certificateAuthorityData: "LS0tLS1CRUdJTi[...]"
# Specify how to form authorization requests to Workspace ONE Access.
authorizationConfig:
# Request any scopes other than "openid" for claims besides
# the default claims in your token. The "openid" scope is always
# included.
#
# See the example claims below to learn how to customize the
# claims returned.
additionalScopes: [group, email]
# Specify how Workspace ONE Access claims are mapped to Kubernetes identities.
claims:
# Specify the name of the claim in your Workspace ONE Access token that
# will be mapped to the username in your Kubernetes environment.
#
# User's emails can change. Use the sub claim if your environment
# requires a stable identifier.
username: email
# Specify the name of the claim in Workspace ONE Access that represents
# the groups to which the user belongs.
#
# Group names may not be unique and can change. The group_ids claim is
# recommended for environments that want to use a more stable identifier.
groups: group_names
# Specify the name of the Kubernetes Secret that contains your
# Workspace ONE Access application's client credentials (created below).
client:
secretName: ws1-client-credentials
---
apiVersion: v1
kind: Secret
metadata:
namespace: pinniped-supervisor
name: ws1-client-credentials
type: secrets.pinniped.dev/oidc-client
stringData:
# The "Client ID" that you got from Workspace ONE Access.
clientID: "<your-client-id>"
# The "Client secret" that you got from Workspace ONE Access.
clientSecret: "<your-client-secret>"
The following claims are returned by Workspace ONE Access. The group
scope is required to use the
group_ids
and group_names
claims. The email
scope is required to use the email
claim. The
remaining claims are always available.
{
"acct": "my-username@System Domain",
"email": "my-email@my-company.com",
"email_verified": true,
"group_ids": [
"8cb8d875-4eb5-4d75-af7e-136efb439b6d",
"9eb9c163-0677-4fc6-b70f-b4e14600a097"
],
"group_names": [
"ALL USERS",
"Test Group"
],
"iss": "https://ws1.my-company.com/SAAS/auth",
"sub": "my-username@WS1-ENV-NAME"
}
Once your OIDCIdentityProvider has been created, you can validate your configuration by running:
kubectl describe OIDCIdentityProvider -n pinniped-supervisor ws1
Look at the status
field. If it was configured correctly, you should see phase: Ready
.
Next steps
Next, configure the Concierge to validate JWTs issued by the Supervisor! Then you’ll be able to log into those clusters as any of the users from Workspace ONE Access.