Open ID Connect (OIDC)
SUSE Observability Self-hosted
Overview
SUSE Observability can authenticate using an OIDC authentication provider. To enable this, you will need to configure both SUSE Observability and the OIDC provider to be able to talk to each other. The following sections describe the respective setups.
Configure the OIDC provider
Before you can configure SUSE Observability to authenticate using OIDC, you need to create a client for SUSE Observability on your OIDC provider. Use the following settings for the client (if needed by the OIDC provider):
Use the OIDC Authorization Flow, it is also often called the Authorization code flow. SUSE Observability does not support the Implicit grant and hybrid flows, so there is no need to enable support for them.
Set the Redirect URI to the base URL of SUSE Observability suffixed with
/loginCallback
. For examplehttps://stackstate.acme.com/loginCallback
. For some OIDC providers, such as Google and Azure Entra ID, the Redirect URI must match exactly, including any query parameters. In that case, you should configure the URI like thishttps://stackstate.acme.com/loginCallback?client_name=StsOidcClient
.Give SUSE Observability access to at least the scopes
openid
andemail
or the equivalent of these for your OIDC provider. Depending on the provider more scopes may be required, if a separateprofile
exists include it as well.SUSE Observability needs OIDC offline access. For some identity providers, this requires an extra scope, usually called
offline_access
.
The result of this configuration should produce a clientId and a secret. Copy those and keep them around for configuring SUSE Observability. Also write down the discoveryUri of the provider. Usually this is either in the same screen or can be found in the documentation.
Configure SUSE Observability for OIDC
Kubernetes
To configure SUSE Observability to use an OIDC authentication provider on Kubernetes, OIDC details and user role mapping needs to be added to the file authentication.yaml
. For example:
Follow the steps below to configure SUSE Observability to authenticate using OIDC:
In
authentication.yaml
- add details of the OIDC authentication provider (see the example above):clientId - The ID of the OIDC client you created for SUSE Observability.
secret - The secret for the OIDC client you created for SUSE Observability
discoveryUri - URI that can be used to discover the OIDC provider. Normally also documented or returned when creating the client in the OIDC provider.
jwsAlgorithm - The default for OIDC is
RS256
. If your OIDC provider uses a different one, it can be set here.scope - Should match, or be a subset of, the scope provided in the OIDC provider configuration. SUSE Observability uses this to request access to these parts of a user profile in the OIDC provider.
redirectUri - Optional (not in the example): The URI where the login callback endpoint of SUSE Observability is reachable. Populated by default using the
stackstate.baseUrl
, but can be overridden. This must be a fully qualified URL that points to the/loginCallback
path.customParameters - Optional map of key/value pairs that are sent to the OIDC provider as custom request parameters. Some OIDC providers require extra request parameters not sent by default.
jwtClaims -
usernameField - The field in the OIDC user profile that should be used as the username. By default, this will be the
preferred_username
, however, many providers omit this field. A good alternative isemail
.groupsField - The field from which SUSE Observability will read the role/group for a user.
In
authentication.yaml
- map user roles from OIDC to the correct SUSE Observability subjects using theroles.guest
,roles.powerUser
,roles.admin
orroles.platformAdmin
settings (see the example above). For details, see the default SUSE Observability roles. More SUSE Observability roles can also be created, see the RBAC documentation.Store the file
authentication.yaml
together with thevalues.yaml
file from the SUSE Observability installation instructions.Run a Helm upgrade to apply the changes:
Note:
The first run of the helm upgrade command will result in pods restarting, which may cause a short interruption of availability.
Include
authentication.yaml
on everyhelm upgrade
run.The authentication configuration is stored as a Kubernetes secret.
Setup guides
Using an external secret
When the oidc secrets should come from an external secret, follow these steps but fill in the following data:
See also
Last updated