We started using ManageIQ with the VMware appliance and AD login for authentication, but we are switching to OIDC via Keycloak and Kubernetes pods. When users authenticate with OIDC, a new account is created, even though the same UPN is passed in the username claim. When you inspect the new user, the short name appears and not the UPN. Example: user01 shows instead of [email protected]. Ultimately, we just want to synchronize with the existing users, and ownership lists if possible.

We had to set GssapiLocalName to OFF in the manageiq-external-auth file to avoid the short name when using Kerberos. Is there a similar parameter for OIDC auth I can set in the configmap so that it does not use local/short names for the username and uses the UPN instead?

The httpd pod logs show: oidc_util_hdr_table_set: OIDC_CLAIM_preferred_username: [email protected]

Any help appreciated!
Replies: 1 comment
We found our fix! After tracing the debug logs to /opt/manageiq/manageiq-gemset/gems/httpclient-2.8.3/lib/httpclient/auth.rb, we realized there was no domain claim being passed to the httpd pod. Logins for /ui/service were working, but logins via the FQDN were being duplicated as local accounts. We updated the Identity Provider to properly pass the domain claim and it now syncs to the existing accounts.