An authentication provider connects to a third-party source of user identity (for example, an identity provider or IDP), gets the user identity, issues a token based on that identity, and returns the token to Red Hat Advanced Cluster Security for Kubernetes (RHACS). This token allows RHACS to authorize the user. RHACS uses the token within the user interface and API calls.
After installing RHACS, you must set up your IDP to authorize users.
If you are using OpenID Connect (OIDC) as your IDP, RHACS relies on mapping rules that examine the values of specific claims like
A claim is the data an identity provider includes about a user inside the token they issue.
Using claim mappings, you specify how RHACS renames a claim attribute it receives from an IDP to an attribute in the RHACS-issued token. A claim that is not covered by a claim mapping is dropped: RHACS does not include that attribute in the RHACS-issued token, so no rule or required attribute can match on it.
For example, you can use a claim mapping to map the `roles` claim in the user identity to the `groups` attribute in the RHACS-issued token.
RHACS uses different default claim mappings for every authentication provider.
The following list provides the default OIDC claim mappings:
Auth0 default claim mappings are the same as the OIDC default claim mappings.
The following list provides the SAML 2.0 default claim mappings:
`Subject.NameID` is mapped to
Every `AttributeStatement.Attribute` in the SAML response is mapped to a RHACS attribute of the same name.
The following list provides the Google IAP default claim mappings:
User certificates differ from all other authentication providers because, instead of communicating with a third-party IDP, RHACS takes the user information from the certificate that the user presents.
The default claim mappings for user certificates include:
Subject → Common Name to
Subject → Organizational Unit to
To authorize users, RHACS relies on mapping rules that examine the values of specific claims, such as `name`, from the user identity. A rule maps users who have an attribute with a specific value to a specific role, so each rule consists of a `key` (the attribute name), a `value` to match, and the `role` to assign. As an example, a rule could include the following:
`key` is
If the claim that a rule refers to is missing from the user identity, the rule cannot match, and the user does not get access to the resources that the role would grant.
Therefore, to enable successful mapping, you must ensure that the authentication response from your IDP includes the required claims to authorize users, for example,
RHACS assigns a minimum access role to every caller with a RHACS token issued by a particular authentication provider. The minimum access role is set to `None` by default. For example, suppose there is an authentication provider with the minimum access role of `Analyst`. In that case, all users who log in using this provider have at least the `Analyst` role assigned to them, in addition to any role that a matching rule assigns. With the default of `None`, a user whose attributes match no rule receives no role and therefore no access, so every user you intend to authorize must be covered by a rule.
Required attributes can restrict issuing of the RHACS token based on whether a user identity has an attribute with a specific value. For example, you can configure RHACS to issue a token only when the attribute with key `is_internal` has the attribute value `true`. Users with the attribute `is_internal` set to `false`, or not set at all, do not get a token.
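The following is an added example, not RHACS code: a small Python model of how an authentication provider turns the identity an IDP returns into an authorized RHACS token, following the behaviour described above (claim mappings, required attributes, the minimum access role, and key/value/role rules). The class and function names, the sample provider, and the sample identities are assumptions made for the illustration; in particular, the model checks required attributes against the mapped attributes, which is a modelling choice and not something this page states.

```python
"""Added example (not RHACS code): model of an authentication provider issuing
an RHACS token.  All names here (AuthProvider, Rule, issue_token, the sample
provider and identities) are assumptions made for the illustration."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    """One mapping rule: users whose attribute `key` contains `value` get `role`."""
    key: str
    value: str
    role: str


@dataclass
class AuthProvider:
    claim_mappings: dict[str, str]        # IDP claim name -> RHACS attribute name
    required_attributes: dict[str, str]   # RHACS attribute -> value it must contain
    rules: list[Rule] = field(default_factory=list)
    minimum_access_role: str = "None"     # the default on a new provider


def map_claims(provider: AuthProvider, idp_claims: dict) -> dict[str, list[str]]:
    """Apply the provider's claim mappings.  A claim without a mapping is dropped,
    so the RHACS token never carries attributes the provider was not told about.
    Values are normalised to lists of strings because claims such as groups are
    usually multi-valued."""
    attrs: dict[str, list[str]] = {}
    for claim, attribute in provider.claim_mappings.items():
        if claim not in idp_claims:
            continue  # missing claim: nothing to map, so rules on it cannot match
        value = idp_claims[claim]
        values = value if isinstance(value, list) else [value]
        attrs[attribute] = [str(v) for v in values]
    return attrs


def required_attributes_satisfied(provider: AuthProvider,
                                  attrs: dict[str, list[str]]) -> bool:
    """Every required attribute must be present with the required value; a wrong
    value and a missing attribute both block issuance (modelling assumption:
    the check runs on the mapped attributes)."""
    return all(value in attrs.get(key, [])
               for key, value in provider.required_attributes.items())


def resolve_roles(provider: AuthProvider, attrs: dict[str, list[str]]) -> list[str]:
    """Start from the minimum access role (a floor, unless it is None), then add
    the role of every rule whose key/value pair matches the mapped attributes."""
    roles: set[str] = set()
    if provider.minimum_access_role != "None":
        roles.add(provider.minimum_access_role)
    for rule in provider.rules:
        if rule.value in attrs.get(rule.key, []):
            roles.add(rule.role)
    return sorted(roles)


def issue_token(provider: AuthProvider, idp_claims: dict) -> Optional[dict]:
    """Return the RHACS token as a dict, or None when a required attribute blocks
    issuance.  A token with an empty role list is issued but grants no access."""
    attrs = map_claims(provider, idp_claims)
    if not required_attributes_satisfied(provider, attrs):
        return None
    return {"attributes": attrs, "roles": resolve_roles(provider, attrs)}


# Constructed sample provider: maps the IDP's roles claim to groups, requires
# is_internal=true, and has two rules; the minimum access role stays at None.
EXAMPLE_PROVIDER = AuthProvider(
    claim_mappings={"sub": "userid", "email": "email",
                    "roles": "groups", "is_internal": "is_internal"},
    required_attributes={"is_internal": "true"},
    rules=[Rule("groups", "reviewers", "Analyst"),
           Rule("email", "john@example.com", "Admin")],
)

# Constructed sample identities, shaped like claims an IDP might return.
INTERNAL_REVIEWER = {"sub": "u1", "email": "jane@example.com", "nickname": "jane",
                     "roles": ["reviewers", "devs"], "is_internal": "true"}
INTERNAL_ADMIN = {"sub": "u2", "email": "john@example.com",
                  "roles": ["reviewers"], "is_internal": "true"}
EXTERNAL_USER = {"sub": "u3", "email": "bob@partner.example",
                 "roles": ["reviewers"], "is_internal": "false"}
NO_ROLES_CLAIM = {"sub": "u4", "email": "amy@example.com", "is_internal": "true"}

if __name__ == "__main__":
    for ident in (INTERNAL_REVIEWER, INTERNAL_ADMIN, EXTERNAL_USER, NO_ROLES_CLAIM):
        print(ident["sub"], "->", issue_token(EXAMPLE_PROVIDER, ident))
```

Two of the sample identities show the failure modes the text warns about: `EXTERNAL_USER` has `is_internal` set to `false` and gets no token at all, while `NO_ROLES_CLAIM` passes the required-attribute check but, because the `roles` claim is absent and the provider's minimum access role is `None`, ends up with a token that carries no role. When a user reports being logged in but unable to see anything, that second case is the first thing to check: compare the claims your IDP actually returns against the provider's claim mappings and rule keys.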