Skip to main content

OpenID Connect

  1. Create vCluster Platform Config For OIDC

    vCluster Platform is able to use an OIDC provider as an authentication source.

    To tell vCluster Platform to use OIDC for SSO, navigate to Admin > Config in vCluster Platform and adjust your config as shown below:

    auth:
      # Tell vCluster Platform to allow OIDC for authentication
      oidc:
        #
        #
        # REQUIRED CONFIGURATION
        #
        #
        # IssuerURL is the URL the provider signs ID Tokens as.
        # If using Keycloak provide the realm as well, only providing the base URL will return a 404. Ex. https://your-keycloak/realms/YOUR-REALM
        issuerUrl: https://accounts.google.com
        # ClientID the JWT must be issued for, the "sub" field. Can be string literal or pulled from the environment.
        clientId: $CLIENTID
        # ClientSecret to issue tokens from the OIDC provider. Can be string literal or pulled from the environment.
        clientSecret: $CLIENTSECRET
        # Callback URL in the form of https://your-loft-domain/auth/oidc/callback
        redirectURI: https://vcluster-platform.my.domain/auth/oidc/callback
        #
        #
        # OPTIONAL CONFIGURATION
        #
        #
        # (Optional) Path to a PEM encoded root certificate of the provider.
        caFile: /tmp/ca-file.crt
        # (Optional) Specify whether to communicate without validating SSL certificates
        insecureCa: false
        # (Optional) UsernameClaim is the JWT field to use as the user's username.
        # If not set defaults to email.
        usernameClaim: email
        # (Optional) If specified, causes claims mapping to username to be prefix with
        # the provided value.
        usernamePrefix: my-prefix-
        # (Optional) If specified, causes the OIDCAuthenticator to try to populate the user's
        # groups with an ID Token field.
        groupsClaim: groups
        # (Optional) If specified, causes claims mapping to group names to be prefixed with the
        # value.
        groupsPrefix: group-prefix-
        # (Optional) If groups is non empty, access is denied if the user is not part of at least one
        # of the specified groups. This requires groupsClaim to be set!
        groups: ["my-oidc-group"]
        # (Optional) If specified, tells the OIDCAuthenticator to try to populate the user's
        # information from the UserInfo. This might be necessary for slim tokens such as used
        # by Okta
        getUserInfo: false
        # (Optional) Scopes that should be sent to the server. If empty, defaults to "email" and "profile".
        scopes: ["profile", "email"]
        # (Optional) EmailClaim is the JWT field to use as the user's email.
        emailClaim: "email"
        # (Optional) vCluster PlatformUsernameClaim is the JWT field to use as the user's ID (Kubernetes name) and username
        loftUsernameClaim: "name"
        # (Optional) PreferredUsername is the JWT field to use as the user's display name
        preferredUsername: "preferred_username"

  2. Authenticate via OIDC

    After saving the new vCluster Platform configuration, vCluster Platform will restart itself and you should be able to log in via your OIDC provider.

  3. Disable Username + Password Authentication (optional)

    To disable password-based authentication, navigate to Admin > Config add these two lines to your config:

    auth:
      oidc: ...             # This is your SSO configuration (make sure this is working!)
      password:
        disabled: true      # Disable password-based authentication