Configure Microsoft Entra authentication for an Azure Red Hat OpenShift cluster using Azure portal

In this article, you use the Azure portal to set up Microsoft Entra authentication for an Azure Red Hat OpenShift cluster. You create variables for the commands that build the OAuth callback URL, create an application registration and client secret, configure the cluster's OpenID Connect identity provider, and sign in to the cluster's web console with Microsoft Entra authentication.

Prerequisites

  • An existing Azure Red Hat OpenShift cluster. If you don't have a cluster, see create a new cluster.
  • Azure CLI 2.30.0 or later installed on your computer. Use az --version to find the installed version of Azure CLI. If you need to install or upgrade, see Install Azure CLI. You can also use Azure Cloud Shell with Bash to run commands.

Create variables

Set the variables for resource group and cluster name. Replace <resourceGroupName> with your resource group's name and <aroClusterName> with your cluster's name.

resourceGroup=<resourceGroupName>
aroCluster=<aroClusterName>

Create the cluster's OAuth callback URL and make note of it because you use it later. The entraID segment at the end of the URL must match the name you give the OpenID Connect identity provider in OpenShift later: Microsoft Entra ID rejects sign-ins whose redirect URI doesn't exactly match a redirect URI registered on the application.

domain=$(az aro show --resource-group $resourceGroup --name $aroCluster --query clusterProfile.domain --output tsv)
location=$(az aro show --resource-group $resourceGroup --name $aroCluster --query location --output tsv)
echo "OAuth callback URL: https://oauth-openshift.apps.$domain.$location.aroapp.io/oauth2callback/entraID"

Create a Microsoft Entra application for authentication

  1. Sign in to the Azure portal.

  2. Use the search field to find Microsoft Entra ID and select it from the list.

  3. Select App registrations > New registration.

  4. Complete the Register an application form.

    • Name: Enter an application name, for this example aro-entraid-auth.
    • Supported account types: Select Accounts in this organizational directory only.
    • Redirect URI: Select Web and enter your OAuth callback URL.
  5. Select Register.

    After the application is created, you're taken to its App registration page that displays aro-entraid-auth.

  6. Select Certificates & secrets and select New client secret.

    • Description: Enter a description for the client secret like aro-client-secret.
    • Expires: Accept the default of 180 days or select a different expiration, and record the date. When the secret expires, Microsoft Entra sign-ins to the cluster fail until you create a new secret and update the cluster's identity provider configuration.
  7. Select Add.

  8. Copy the Value and store it in a safe location, such as a secrets vault. You need it later and can't retrieve the value again from the portal; if you lose it, create a new client secret.

  9. Select Overview and copy the Application (client) ID and Directory (tenant) ID because you use them later.

Configure optional claims

Application developers can use optional claims in their Microsoft Entra applications to specify which claims they want in tokens sent to their application.

You can use optional claims to:

  • Select other claims to include in tokens for your application.
  • Change the behavior of certain claims that Microsoft Entra ID returns in tokens.
  • Add and access custom claims for your application.

OpenShift takes the Preferred Username from the first claim in its configured list that has a non-empty value in the ID token. To use the email claim and fall back to upn, both claims must be present in the ID token that Microsoft Entra ID returns, so add upn (and email) as optional claims.

Go to Token configuration and select Add optional claim. Select ID as the token type, select the email and upn claims, and then select Add.

Assign users and groups to the cluster (optional)

Applications registered in a Microsoft Entra tenant are, by default, available to all users of the tenant who authenticate successfully. Until you restrict the app, every user in the tenant can sign in to the cluster and receives whatever permissions OpenShift grants to authenticated users. Microsoft Entra ID allows tenant administrators and developers to restrict an app to a specific set of users or security groups in the tenant by requiring assignment on the app's enterprise application.

For more information, see assign users and groups to the app.

Configure OpenShift OpenID authentication

Retrieve the kubeadmin credentials. Run the following command to find the password for the kubeadmin user.

az aro list-credentials \
  --name $aroCluster \
  --resource-group $resourceGroup

The output displays the cluster's user name and password.

{
  "kubeadminPassword": "<generated password>",
  "kubeadminUsername": "kubeadmin"
}

You can find the cluster console URL by running the following command.

az aro show \
  --name $aroCluster \
  --resource-group $resourceGroup \
  --query "consoleProfile.url" --output tsv

The output looks like the following example.

https://console-openshift-console.apps.<domain>.<region>.aroapp.io/

  1. Launch the console URL in a browser and sign in using the kubeadmin credentials.

  2. Go to Administration > Cluster Settings and select the Configuration tab.

  3. Scroll down and select OAuth.

  4. Scroll down to Identity Providers > Add and select OpenID Connect.

    • Name: Enter entraID.
    • Client ID: Enter your app registration's Application (client) ID.
    • Client secret: Enter your app's client secret.
    • Issuer URL: Enter https://login.microsoftonline.com/<tenantId>, replacing <tenantId> with your Directory (tenant) ID.
  5. Scroll down to the Claims section and update Preferred Username to use the value upn (or list email first with upn as the fallback, as described under Configure optional claims).

  6. Select Add.
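As an added example that is not part of the original article, the following shell functions render the OAuth cluster resource that the console form in the steps above edits, so the same identity provider can be applied with oc and kept under version control instead of being typed into the console. The identity provider name, client ID, tenant ID and secret value in the usage comments are placeholders; the Secret name openid-client-secret is an assumption; and the claim list is passed in, so it can follow either the email-then-upn fallback described under Configure optional claims or the upn-only setting in step 5.

```shell
#!/bin/sh
# Added example, not from the original article: render the OpenShift OAuth
# cluster resource that the console's "Add OpenID Connect" form edits.
set -eu

# Issuer URL for a single Microsoft Entra tenant, built as the article does.
entra_issuer_url() {
  printf 'https://login.microsoftonline.com/%s\n' "$1"
}

# Render the OAuth resource. Arguments: identity provider name (must match the
# last segment of the OAuth callback URL registered in Entra ID), Application
# (client) ID, Directory (tenant) ID, name of the Secret in openshift-config
# that holds the client secret under the key "clientSecret", then one or more
# claims to try in order for Preferred Username. The secret value itself is
# never placed in the resource; only the Secret name is referenced.
render_oauth_cr() {
  idp_name="$1"; client_id="$2"; tenant_id="$3"; secret_name="$4"
  shift 4
  cat <<EOF
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: ${idp_name}
    mappingMethod: claim
    type: OpenID
    openID:
      clientID: ${client_id}
      clientSecret:
        name: ${secret_name}
      issuer: $(entra_issuer_url "$tenant_id")
      claims:
        preferredUsername:
EOF
  for claim in "$@"; do
    printf '        - %s\n' "$claim"
  done
  cat <<EOF
        name:
        - name
        email:
        - email
EOF
}

# Returns 0 when the rendered resource names the given identity provider and
# does not contain the given client secret value, 1 otherwise. Run it before
# applying so a pasted secret never reaches the cluster as plain text.
check_oauth_cr() {
  rendered="$1"; idp_name="$2"; secret_value="$3"
  printf '%s\n' "$rendered" | grep -qx "  - name: ${idp_name}" || return 1
  printf '%s\n' "$rendered" | grep -qF -- "$secret_value" && return 1
  return 0
}

# Usage on a cluster (placeholder values; the Secret name is an assumption):
#   oc create secret generic openid-client-secret -n openshift-config \
#     --from-literal=clientSecret="$clientSecret"
#   render_oauth_cr entraID "$appId" "$tenantId" openid-client-secret email upn \
#     | oc apply -f -
```

The client secret is stored once as a Secret in the openshift-config namespace and the OAuth resource only names it, which is the same separation the console form enforces; check_oauth_cr guards against the common mistake of pasting the secret value where the Secret name belongs.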

Verify sign in using Microsoft Entra ID

Sign out of the OpenShift web console and sign in again; you see a new option to sign in with entraID. You might need to wait a few minutes for the option to appear while the cluster's OAuth server pods restart with the new configuration.

Screenshot that shows the Microsoft Entra ID option to sign in to an Azure Red Hat OpenShift cluster.

If you get the error AADSTS50011: The redirect URI https://oauth-openshift.apps.<domain>.<region>.aroapp.io/oauth2callback/<identity> specified in the request doesn't match the redirect URIs configured, the redirect URI registered on the app doesn't exactly match the one OpenShift sends, including the identity provider name at the end. Follow the troubleshooting guide for the redirect URI and Error AADSTS50011 with OpenID authentication.
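As an added example that is not part of the original article, the shell functions below build the callback URL exactly as the Create variables section does and compare a registered redirect URI with it, reporting the usual causes behind AADSTS50011 (http instead of https, a trailing slash, or a different identity provider name) before a user hits the error. The domain abcd1234 and region eastus are constructed sample values, not a real cluster.

```shell
#!/bin/sh
# Added example, not from the original article: build the OAuth callback URL
# the way the "Create variables" section does and compare a registered
# redirect URI with it before sign-in is attempted.
set -eu

# Callback URL from the cluster domain, the Azure region and the identity
# provider name OpenShift will use (the article uses "entraID").
aro_callback_url() {
  printf 'https://oauth-openshift.apps.%s.%s.aroapp.io/oauth2callback/%s\n' \
    "$1" "$2" "$3"
}

# Compare the redirect URI registered on the app with the one OpenShift sends.
# Entra ID requires an exact match, which is what AADSTS50011 reports, so the
# scheme, host, path and identity provider segment are all checked.
# Prints a reason and returns 1 on mismatch; returns 0 when identical.
check_redirect_uri() {
  registered="$1"; expected="$2"
  if [ "$registered" = "$expected" ]; then
    echo "OK: redirect URI matches"
    return 0
  fi
  case "$registered" in
    http://*) echo "MISMATCH: registered URI uses http, OpenShift sends https" ;;
    */)       echo "MISMATCH: registered URI has a trailing slash" ;;
    *)
      reg_idp="${registered##*/}"; exp_idp="${expected##*/}"
      if [ "$reg_idp" != "$exp_idp" ]; then
        echo "MISMATCH: identity provider segment '$reg_idp' differs from '$exp_idp'"
      else
        echo "MISMATCH: host or path differs: $registered"
      fi ;;
  esac
  return 1
}

# Constructed sample values, not a real cluster:
url=$(aro_callback_url abcd1234 eastus entraID)
echo "OAuth callback URL: $url"
check_redirect_uri "$url" "$url"
# Same URL with the identity provider name in a different case: Entra ID
# treats this as a different redirect URI.
check_redirect_uri "${url%entraID}entraid" "$url" || true
```

Run the check against the Redirect URI shown on the app registration's Authentication page whenever the identity provider is renamed or the cluster is recreated, since both change the URL OpenShift sends.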