Cloud Experts Documentation

Configuring IDP for ROSA, OSD and ARO

Red Hat OpenShift on AWS (ROSA) and OpenShift Dedicated (OSD) provide a simple way for the cluster administrator to configure one or more identity providers for their cluster(s) via the OpenShift Cluster Manager (OCM), while Azure Red Hat OpenShift relies on the internal cluster authentication operator.

The identity providers available for use are:

  • GitHub
  • GitLab
  • Google
  • LDAP
  • OpenID
  • HTPasswd

Configuring Specific Identity Providers

ARO

ROSA/OSD

Configuring Group Synchronization

Configuring Microsoft Entra ID to emit group names

In this guide, we will configure an existing Microsoft Entra ID (formerly Azure Active Directory) identity provider to emit the group name instead of the group ID for optional group claims. This will allow you to reference group names in your role bindings instead of the group ID.

The ability to emit group names instead of group IDs is a preview feature made available by Microsoft and is subject to their terms and conditions around preview features of their services.

Configure Red Hat SSO with Microsoft Entra ID as a Federated Identity Provider

This guide demonstrates how to install and configure Red Hat SSO (Keycloak) into an Azure Red Hat OpenShift (ARO) cluster. It will also configure the ARO cluster to use the SSO server as a login mechanism by way of the OIDC protocol. In addition, Red Hat SSO can federate user identities with other identity providers. We will use Azure AD as an additional identity provider to show how this could be done.

What to consider when using Azure AD as IDP?

Author: Ricardo Macedo Martins

May 24, 2023

In this guide, we will discuss key considerations when using Azure Active Directory (AAD) as the Identity Provider (IDP) for your ARO or ROSA cluster. Below are some helpful references:

Default Access for All Users in Azure Active Directory

Once you set up AAD as the IDP for your cluster, it’s important to note that by default, all users in your Azure Active Directory instance will have access to the cluster. They can log in using their AAD credentials through the OpenShift Web Console endpoint:

Configure Microsoft Entra ID as an OIDC identity provider for ARO with cli

The steps to add Azure AD as an identity provider for Azure Red Hat OpenShift (ARO) via cli are:

Prerequisites

Have Azure cli installed

Follow the Microsoft instructions: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli

Configure ARO to use Microsoft Entra ID

This guide demonstrates how to configure Azure AD as the cluster identity provider in Azure Red Hat OpenShift. This guide will walk through the creation of an Azure Active Directory (Azure AD) application and configure Azure Red Hat OpenShift (ARO) to authenticate using Azure AD.

This guide will walk through the following steps:

  1. Register a new application in Azure AD for authentication.
  2. Configure the application registration in Azure AD to include optional claims in tokens.
  3. Configure the Azure Red Hat OpenShift (ARO) cluster to use Azure AD as the identity provider.
  4. Grant additional permissions to individual users.

Before you Begin

If you are using zsh as your shell (which is the default shell on macOS) you may need to run set -k to get the below commands to run without errors. This is because zsh disables the use of comments in interactive shells.

MOBB Docs and Guides - group-claims

MOBB Docs and Guides for group-claims

Using Group Sync Operator with Okta and ROSA/OSD

Thatcher Hubbard

15 July 2022

This guide focuses on how to synchronize Identity Provider (IDP) groups and users after configuring authentication in OpenShift Cluster Manager (OCM).

To set up group synchronization from Okta to ROSA/OSD you must:

  1. Define groups and assign users in Okta
  2. Install the Group Sync Operator from the OpenShift Operator Hub
  3. Create and configure a new Group Sync instance
  4. Set a synchronization schedule
  5. Test the synchronization process

Define groups and assign users in Okta

To synchronize groups and users with ROSA/OSD they must exist in Okta

Configure GitLab as an identity provider for ARO

The following instructions will detail how to configure GitLab as the identity provider for Azure Red Hat OpenShift:

  1. Register a new application in GitLab
  2. Create OAuth callback URL in ARO
  3. Log in and confirm
  4. Add administrative users or groups

Register a new application in GitLab

Log into GitLab and execute the following steps:

  1. Go to Preferences

    [Screenshot: GitLab Preferences]
  2. Select Applications from the left navigation bar

    [Screenshot: GitLab Applications]
  3. Provide a Name and enter an OAuth Callback URL as the Redirect URI in GitLab

Configure GitLab as an identity provider for ROSA/OSD

The following instructions will detail how to configure GitLab as the identity provider for Managed OpenShift through the OpenShift Cluster Manager (OCM):

  1. Create OAuth callback URL in OCM
  2. Register a new application in GitLab
  3. Configure the identity provider credentials and URL
  4. Add cluster-admin or dedicated-admin users
  5. Log in and confirm

Create OAuth callback URL in OCM

Log in to the OpenShift Cluster Manager (OCM) to add a GitLab identity provider

  1. Select your cluster in OCM and then go to the ‘Access control’ tab and select ‘Identity Providers’

Using Group Sync Operator with Azure Active Directory and ROSA

This guide focuses on how to synchronize Identity Provider (IDP) groups and users after configuring authentication in OpenShift Cluster Manager (OCM). For an IDP configuration example, please reference the Configure Azure AD as an OIDC identity provider for ROSA/OSD guide.

To set up group synchronization from Azure Active Directory (AD) to ROSA/OSD you must:

  1. Define groups and assign users in Azure AD
  2. Add the required API permissions to the app registration in Azure AD
  3. Install the Group Sync Operator from the OpenShift Operator Hub
  4. Create and configure a new Group Sync instance
  5. Set a synchronization schedule
  6. Test the synchronization process

Define groups and assign users in Azure AD

To synchronize groups and users with ROSA/OSD they must exist in Azure AD
