LogoLogo
StackState.comDownloadSupportExplore playground
SUSE Observability
SUSE Observability
  • SUSE Observability docs!
  • Docs for all SUSE Observability products
  • 🚀Get started
    • Quick start guide
    • SUSE Observability walk-through
    • SUSE Rancher Prime
      • Air-gapped
      • Agent Air-gapped
    • SUSE Cloud Observability
  • 🦮Guided troubleshooting
    • What is guided troubleshooting?
    • YAML Configuration
    • Changes
    • Logs
  • 🚨Monitors and alerts
    • Monitors
    • Out of the box monitors for Kubernetes
    • Notifications
      • Configure notifications
      • Notification channels
        • Slack
        • Teams
        • Webhook
        • Opsgenie
      • Troubleshooting
    • Customize
      • Add a monitor using the CLI
      • Derived State monitor
      • Dynamic Threshold monitor
      • Override monitor arguments
      • Write a remediation guide
  • 📈Metrics
    • Explore Metrics
    • Custom charts
      • Adding custom charts to components
      • Writing PromQL queries for representative charts
      • Troubleshooting custom charts
    • Advanced Metrics
      • Grafana Datasource
      • Prometheus remote_write
      • OpenMetrics
  • 📑Logs
    • Explore Logs
    • Log Shipping
  • 🔭Traces
    • Explore Traces
  • 📖Health
    • Health synchronization
    • Send health data over HTTP
      • Send health data
      • Repeat Snapshots JSON
      • Transactional Increments JSON
    • Debug health synchronization
  • 🔍Views
    • Kubernetes views
    • Custom views
    • Component views
    • Explore views
    • View structure
      • Overview perspective
      • Highlights perspective
      • Topology perspective
      • Events perspective
      • Metrics perspective
      • Traces perspective
      • Filters
      • Keyboard shortcuts
    • Timeline and time travel
  • 🕵️Agent
    • Network configuration
      • Proxy Configuration
    • Using a custom registry
    • Custom Secret Management
      • Custom Secret Management (Deprecated)
    • Request tracing
      • Certificates for sidecar injection
  • 🔭Open Telemetry
    • Overview
    • Getting started
      • Concepts
      • Kubernetes
      • Kubernetes Operator
      • Linux
      • AWS Lambda
    • Open telemetry collector
      • Sampling
      • SUSE Observability OTLP APIs
    • Instrumentation
      • Java
      • Node.js
        • Auto-instrumentation of Lambdas
      • .NET
      • SDK Exporter configuration
    • Troubleshooting
  • CLI
    • SUSE Observability CLI
  • 🚀Self-hosted setup
    • Install SUSE Observability
      • Requirements
      • Kubernetes / OpenShift
        • Kubernetes install
        • OpenShift install
        • Alibaba Cloud ACK install
        • Required Permissions
        • Override default configuration
        • Configure storage
        • Exposing SUSE Observability outside of the cluster
      • Initial run guide
      • Troubleshooting
        • Advanced Troubleshooting
        • Support Package (Logs)
    • Configure SUSE Observability
      • Slack notifications
      • E-mail notifications
      • Stackpacks
      • Advanced
        • Analytics
    • Release Notes
      • v2.0.0 - 11/Sep/2024
      • v2.0.1 - 18/Sep/2024
      • v2.0.2 - 01/Oct/2024
      • v2.1.0 - 29/Oct/2024
      • v2.2.0 - 09/Dec/2024
      • v2.2.1 - 10/Dec/2024
      • v2.3.0 - 30/Jan/2025
      • v2.3.1 - 17/Mar/2025
      • v2.3.2 - 22/Apr/2025
      • v2.3.3 - 07/May/2025
    • Upgrade SUSE Observability
      • Migration from StackState
      • Steps to upgrade
      • Version-specific upgrade instructions
    • Uninstall SUSE Observability
    • Air-gapped
      • SUSE Observability air-gapped
      • SUSE Observability Kubernetes Agent air-gapped
    • Data management
      • Backup and Restore
        • Kubernetes backup
        • Configuration backup
      • Data retention
      • Clear stored data
    • Security
      • Authentication
        • Authentication options
        • Single password
        • File-based
        • LDAP
        • Open ID Connect (OIDC)
          • Microsoft Entra ID
        • KeyCloak
        • Service tokens
        • Troubleshooting
      • RBAC
        • Role-based Access Control
        • Permissions
        • Roles
        • Scopes
      • Self-signed certificates
      • External secrets
  • 🔐Security
    • Service Tokens
    • API Keys
  • ☁️SaaS
    • User Management
  • Reference
    • SUSE Observability Query Language (STQL)
    • Chart units
    • Topology Identifiers
Powered by GitBook
LogoLogo

Legal notices

  • Privacy
  • Cookies
  • Responsible disclosure
  • SOC 2/SOC 3
On this page
  • Overview
  • Configure the OIDC provider
  • Configure SUSE Observability for OIDC
  • Kubernetes
  • Setup guides
  • Using an external secret
  • See also
  1. Self-hosted setup
  2. Security
  3. Authentication

Open ID Connect (OIDC)

SUSE Observability Self-hosted

Overview

SUSE Observability can authenticate using an OIDC authentication provider. To enable this, you will need to configure both SUSE Observability and the OIDC provider to be able to talk to each other. The following sections describe the respective setups.

Configure the OIDC provider

Before you can configure SUSE Observability to authenticate using OIDC, you need to create a client for SUSE Observability on your OIDC provider. Use the following settings for the client (if needed by the OIDC provider):

  • Use the OIDC Authorization Flow, it is also often called the Authorization code flow. SUSE Observability does not support the Implicit grant and hybrid flows, so there is no need to enable support for them.

  • Set the Redirect URI to the base URL of SUSE Observability suffixed with /loginCallback. For example https://stackstate.acme.com/loginCallback. For some OIDC providers, such as Google and Azure Entra ID, the Redirect URI must match exactly, including any query parameters. In that case, you should configure the URI like this https://stackstate.acme.com/loginCallback?client_name=StsOidcClient.

  • Give SUSE Observability access to at least the scopes openid and email or the equivalent of these for your OIDC provider. Depending on the provider more scopes may be required, if a separate profile exists include it as well.

  • SUSE Observability needs OIDC offline access. For some identity providers, this requires an extra scope, usually called offline_access.

The result of this configuration should produce a clientId and a secret. Copy those and keep them around for configuring SUSE Observability. Also write down the discoveryUri of the provider. Usually this is either in the same screen or can be found in the documentation.

Configure SUSE Observability for OIDC

Kubernetes

To configure SUSE Observability to use an OIDC authentication provider on Kubernetes, OIDC details and user role mapping needs to be added to the file authentication.yaml. For example:

stackstate:
  authentication:
    oidc:
      clientId: "<client-id-from-oidc-provider>"
      secret: "<secret-from-oidc-provider>"
      discoveryUri: "https://oidc.acme.com/.well-known/openid-configuration"
      jwsAlgorithm: RS256
      scope: ["openid", "email"]
      jwtClaims:
        usernameField: email
        groupsField: groups
      customParameters:
        access_type: offline

    # map the groups from OIDC provider
    # to the 4 standard roles in SUSE Observability (guest, powerUser, k8sTroubleshooter and admin)
    roles:
      guest: ["guest-group-in-oidc-provider"]
      powerUser: ["powerUser-group-in-oidc-provider"]
      admin: ["admin-group-in-oidc-provider"]
      k8sTroubleshooter: ["troubleshooter-group-in-oidc-provider"]

Follow the steps below to configure SUSE Observability to authenticate using OIDC:

  1. In authentication.yaml - add details of the OIDC authentication provider (see the example above):

    • discoveryUri - URI that can be used to discover the OIDC provider. Normally also documented or returned when creating the client in the OIDC provider.

    • jwsAlgorithm - The default for OIDC is RS256. If your OIDC provider uses a different one, it can be set here.

    • scope - Should match, or be a subset of, the scope provided in the OIDC provider configuration. SUSE Observability uses this to request access to these parts of a user profile in the OIDC provider.

    • redirectUri - Optional (not in the example): The URI where the login callback endpoint of SUSE Observability is reachable. Populated by default using the stackstate.baseUrl, but can be overridden. This must be a fully qualified URL that points to the /loginCallback path.

    • customParameters - Optional map of key/value pairs that are sent to the OIDC provider as custom request parameters. Some OIDC providers require extra request parameters not sent by default.

    • jwtClaims -

      • usernameField - The field in the OIDC user profile that should be used as the username. By default, this will be the preferred_username, however, many providers omit this field. A good alternative is email.

      • groupsField - The field from which SUSE Observability will read the role/group for a user.

  2. Store the file authentication.yaml together with the values.yaml file from the SUSE Observability installation instructions.

  3. Run a Helm upgrade to apply the changes:

     helm upgrade \
       --install \
       --namespace suse-observability \
       --values values.yaml \
       --values authentication.yaml \
     suse-observability \
     suse-observability/suse-observability

Note:

  • The first run of the helm upgrade command will result in pods restarting, which may cause a short interruption of availability.

  • Include authentication.yaml on every helm upgrade run.

  • The authentication configuration is stored as a Kubernetes secret.

Setup guides

Using an external secret

kind: Secret
metadata:
   name: "<custom-secret-name>"
type: Opaque
data:
  oidc_client_id: <base64 of client id>
  oidc_secret: <base64 of secret>

See also

PreviousLDAPNextMicrosoft Entra ID

Last updated 4 months ago

clientId - The ID of the .

secret - The secret for the

In authentication.yaml - map user roles from OIDC to the correct SUSE Observability subjects using the roles.guest, roles.powerUser, roles.admin or roles.platformAdmin settings (see the example above). For details, see the . More SUSE Observability roles can also be created, see the .

When the oidc secrets should come from an external secret, follow but fill in the following data:

🚀
Microsoft Entra ID
Troubleshooting authentication and authorization
Authentication options
Create RBAC roles
OIDC client you created for SUSE Observability
OIDC client you created for SUSE Observability
RBAC documentation
these steps
External Secrets
default SUSE Observability roles
Permissions for predefined SUSE Observability roles