You can configure Microsoft Entra ID (formerly Azure Active Directory) as the cluster identity provider in Red Hat OpenShift Service on AWS (ROSA).

This tutorial guides you to complete the following tasks:

  1. Register a new application in Entra ID for authentication.

  2. Configure the application registration in Entra ID to include optional and group claims in tokens.

  3. Configure the Red Hat OpenShift Service on AWS cluster to use Entra ID as the identity provider.

  4. Grant additional permissions to individual groups.


Registering a new application in Entra ID for authentication

To register your application in Entra ID, first create the OAuth callback URL, then register your application.

  1. Create the cluster’s OAuth callback URL by changing the specified variables and running the following command:

    Remember to save this callback URL; it will be required later in the process.

    $ domain=$(rosa describe cluster -c <cluster_name> | grep "DNS" | grep -oE '\S+.openshiftapps.com')
    $ echo "OAuth callback URL: https://oauth-openshift.apps.$domain/oauth2callback/AAD"

    The "AAD" directory at the end of the OAuth callback URL must match the OAuth identity provider name that you will set up later in this process.

  2. Create the Entra ID application by logging in to the Azure portal, and select the App registrations blade. Then, select New registration to create a new application.

    Azure Portal - App registrations blade

  3. Name the application, for example openshift-auth.

  4. Select Web from the Redirect URI dropdown and enter the value of the OAuth callback URL you retrieved in the previous step.

  5. After providing the required information, click Register to create the application.

    Azure Portal - Register an application page

  6. Select the Certificates & secrets sub-blade and select New client secret.