In my current project we have an ARO 4 cluster that currently has the project's Active Directory configured for login. Now I was intrigued whether our Azure AD (where only the Ops team has accounts) could be connected as well, and found Azure Active Directory Integration With OpenShift 4 ARO 4.
I hoped to reduce the time I spend copying around my login token for the oc command. With LDAP I am forced to enter my username and password each time.
With Azure AD I have SSO, so as long as my SSO session is valid I can get my token without any click, simply by opening the token page from history: type "token" in the address bar and select the first entry.
I basically skipped everything from the guide, as the cluster already exists.
I made the changes to the auto-generated ARO Service Principal via Portal (aro-<generated id> under Azure Active Directory → App registrations).
I added the redirect URI as described in the guide and then configured the Optional Claims (upn, email) via Portal (under Token Configuration).
Azure Portal asked whether it should grant the application the appropriate permissions for the claims, so I didn’t need to change the permissions myself.
(i.e. Add API Permission to the Service Principal was not necessary.)
After successfully logging in via AAD, my new user was there. But I had no permissions, obviously.
I already have a user that is in groups synced from the project AD, but with a different name.
I checked whether Azure AD roles could be used instead, but that is not supported yet (see also RFE-106), so I decided to go another route: assigning the identity from AAD to my (project-)AD user.
After playing around a little, locking my account out of the cluster and needing to revert to kubeadmin, I found the (manual) steps necessary:

1. List the identities and note the name of the AAD one: oc get identity
2. Add the AAD identity to your existing user (under identities): oc edit user <your user>
3. Change .user.name and .user.uid in the AAD identity to match your user's name and uid: oc edit identity <aad identity>
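The same three steps as a script, so that the edit is done in one go instead of by hand in two editor sessions (where a typo in the uid is what locks you out). This is an added example and not part of the original post; the identity name AAD:<object id>, the user name and the script name are placeholders for whatever `oc get identity` and `oc get user` show in your cluster.

```shell
#!/bin/sh
# Added example: re-point an identity created by the OpenShift OAuth server
# (here the one from the Azure AD identity provider) at an existing User object.
# Identity and user names are placeholders, not values from the original post.
set -eu

# JSON merge patch that makes the identity belong to the given user.
# The OAuth server checks both user.name and user.uid on login, so a uid
# that still points at the auto-created user is enough to break the login.
identity_patch() {
  user_name=$1
  user_uid=$2
  printf '{"user":{"name":"%s","uid":"%s"}}' "$user_name" "$user_uid"
}

# JSON patch that appends the identity to the user's identities list.
# "/identities/-" requires that the list already exists (true for a user that
# already logged in via LDAP); for a user with no identities at all use
# path "/identities" with a one-element array instead.
user_patch() {
  identity_name=$1
  printf '[{"op":"add","path":"/identities/-","value":"%s"}]' "$identity_name"
}

# Wire it together against a live cluster. Run this while logged in with
# cluster-admin rights (e.g. kubeadmin), never from the session you are about to change.
reassign_identity() {
  identity_name=$1   # e.g. "AAD:<object id>", as listed by `oc get identity`
  user_name=$2       # the existing user that is in the LDAP-synced groups
  user_uid=$(oc get user "$user_name" -o jsonpath='{.metadata.uid}')

  oc patch identity "$identity_name" --type=merge \
    -p "$(identity_patch "$user_name" "$user_uid")"
  oc patch user "$user_name" --type=json \
    -p "$(user_patch "$identity_name")"

  # Verify before logging out of the admin session: name and uid on the
  # identity must equal the user's, and the user must list the identity.
  oc get identity "$identity_name" -o jsonpath='{.user.name}{" "}{.user.uid}{"\n"}'
  oc get user "$user_name" -o jsonpath='{.identities}{"\n"}'
}

# Usage: sh reassign_identity.sh 'AAD:<object id>' '<your user>'
if [ $# -eq 2 ]; then
  reassign_identity "$1" "$2"
fi
```

After the patch, the user object that was auto-created on the first AAD login still exists but no longer owns any identity; it can be removed with `oc delete user <auto-created user>` once the AAD login into the mapped user has been confirmed to work.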