Add AD changes

Signed-off-by: Anjali Telang <atelang@vmware.com>
This commit is contained in:
Anjali Telang 2021-08-30 21:04:48 -04:00
parent 23fb84029b
commit ba1470ea9d


@ -62,24 +62,20 @@ Heres what an example configuration looks like
You can also customize the userSearch and groupSearch as shown in the examples in our reference documentation [here] ({{< ref "docs/howto/configure-supervisor-with-activedirectory.md" >}}) You can also customize the userSearch and groupSearch as shown in the examples in our reference documentation [here] ({{< ref "docs/howto/configure-supervisor-with-activedirectory.md" >}})
Here is an example of what the ID token claims will look like: In the above example, users will be able to login with either their sAMAccountName (i.e. pinny), userPrincipalName (i.e. pinny@activedirectory.example.com) or mail attribute. This reduces the need to tell users what specific value from AD must be provided in the username field. Regardless of what value the user provides in the username field, the userPrincipalName will be used as the identity in Kubernetes clusters. UPN is used as the username attribute by default as it is unique within an AD forest. Similarly, a UPN is generated for each group using its sAMAccountName attribute and the AD domain hostname. The default AD configuration finds both direct and nested groups.
```yaml After logging in, running the `pinniped whoami` command displays:
aud: ```
- pinniped-cli Current cluster info:
auth_time: 1630094468
exp: 1630094589 Name: cluster-name
groups: URL: https://cluster.example.com
- Mammals@activedirectory.test.example.com
- Marine Mammals@activedirectory.test.example.com Current user info:
iat: 1630094469
iss: https://pinniped-supervisor-clusterip.supervisor.svc.cluster.local/some/path Username: pinny@activedirectory.example.com
jti: 191709eb-b2fd-47e0-97f4-a06c48330c3a Groups: Mammals@activedirectory.example.com, Marine Mammals@activedirectory.test.example.com, system:authenticated
nonce: c772c414388482163515103110cfcdfc ```
rat: 1630094468
sub: ldaps://activedirectory.test.example.com:636?base=DC%3Dactivedirectory%2CDC%3Dtest%2CDC%3Dexample%2CDC%3Dcom&sub=04030201-0605-0807-0910-111213141516
username: pinny@activedirectory.test.example.com
```
## OIDC CLI-based workflows ## OIDC CLI-based workflows
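Review bot: The replacement `pinniped whoami` output in this hunk mixes two domains: the username and the `Mammals` group are shown under `activedirectory.example.com`, while the `Marine Mammals` group is under `activedirectory.test.example.com`, and the removed ID-token block used `activedirectory.test.example.com` for the username and both groups. Because the new paragraph states that group names are built from the sAMAccountName plus the AD domain hostname, a reader will take the two different domains in one output as intentional; use one domain for the username and both groups (and match it in the `pinny@...` example in the paragraph). Two smaller points in the same hunk: the link `[here] ({{< ref "docs/howto/configure-supervisor-with-activedirectory.md" >}})` has a space between `]` and `(` and will not render as a markdown link, and "able to login with" should read "able to log in with". Also worth a second look: the deleted claims block was the only place on the page that showed the `sub` claim (`ldaps://activedirectory.test.example.com:636?base=...&sub=04030201-...`), which carries the directory URL, base DN and an object identifier rather than the UPN string; if that format is not documented elsewhere, consider keeping at least that claim next to the `whoami` output so readers know what the Kubernetes identity is ultimately keyed on.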