changes made on Ryan's review comments

Signed-off-by: Anjali Telang <atelang@vmware.com>
Anjali Telang 2021-08-28 15:59:04 -04:00
parent 4cb0152ea1
commit 23fb84029b

@ -1,7 +1,7 @@
---
title: "Pinniped v0.11.0: Easy Configurations for Active Directory, OIDC CLI workflows and more"
slug: supporting-ad-oidc-workflows
date: 2021-07-28
date: 2021-08-27
author: Anjali Telang
image: https://images.unsplash.com/photo-1574090695368-bac29418e5dc?ixid=MnwxMjA3fDB8MHxwaG90by1wYWdlfHx8fGVufDB8fHx8&ixlib=rb-1.2.1&auto=format&fit=crop&w=1350&q=80
excerpt: "With the release of v0.11.0, Pinniped offers CRDs for easy Active Directory configuration, OIDC password grant flow for CLI workflows, and Distroless images for security and performance"
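Review bot: the new front-matter value `date: 2021-08-27` is one day earlier than this commit (2021-08-28), so confirm it is the day the post is actually published; if the post goes live with or after this change, the displayed date will predate its content. The `excerpt` string in the context lines also ends without a period, which is worth fixing while the front matter is being touched.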
@ -60,7 +60,7 @@ Heres what an example configuration looks like
password: "YOUR_PASSWORD"
```
You can also customize the userSearch and groupSearch as shown in the examples in our reference documentation [here] ({{< ref docs/howto/configure-supervisor-with-activedirectory.md" >}})
You can also customize the userSearch and groupSearch as shown in the examples in our reference documentation [here] ({{< ref "docs/howto/configure-supervisor-with-activedirectory.md" >}})
Here is an example of what the ID token claims will look like:
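Review bot: the changed line still has a space between `[here]` and `(`, so even with the shortcode quote fixed, Markdown will not treat it as an inline link and the reader sees the bracketed text followed by the raw path. Remove the space so it reads `[here]({{< ref "docs/howto/configure-supervisor-with-activedirectory.md" >}})`, and consider link text that names the target (for example the Active Directory how-to) rather than "here". The sentence is also missing its closing period.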
@ -92,7 +92,7 @@ A few considerations while configuring this on the cluster:
Confirm that Multi-factor authentication is not intended to be used on the cluster
Pinniped CLI running on your workstation and the Pinniped Supervisor backend are trusted to handle your password
With the new functionality, Users initiate pinniped get kubeconfig with a new argument --upstream-identity-provider-flow=”cli_password” to indicate their intent to use Password grant auth flow for logging into the upstream OIDC provider. By default, if no argument is specified this will follow the Browser-based auth flow. This way older Pinniped CLI versions will default to using Browser-based auth and the default for older Supervisor versions with newer CLI versions will also be Browser-based authentication.
With the new functionality, Users initiate `pinniped get kubeconfig` with a new argument `--upstream-identity-provider-flow="cli_password"` to indicate their intent to use Password grant auth flow for logging into the upstream OIDC provider. By default, if no argument is specified this will follow the Browser-based auth flow. This way older Pinniped CLI versions will default to using Browser-based auth and the default for older Supervisor versions with newer CLI versions will also be Browser-based authentication.
## Distroless-based container images
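Review bot: the final sentence of the changed paragraph is hard to parse where it says "the default for older Supervisor versions with newer CLI versions will also be Browser-based authentication"; write one sentence per version pairing (older CLI, and newer CLI against an older Supervisor) so it is clear which combinations fall back to the browser flow. Because this flag switches the login to a flow where the CLI and Supervisor handle the user's password, as the consideration just above it states, that fallback behaviour is the part readers most need to get right. Minor: "Users" and "Password grant" are capitalized mid-sentence while "Browser-based" alternates between "auth flow", "auth" and "authentication"; pick one term for each flow.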