@pbochynski
Last active October 21, 2022 07:12
Configure Kyma with SAP IAS (oidc connector)

Configure IAS tenant

  1. Go to your IAS tenant admin page: https://mytenant.accounts.ondemand.com/admin

  2. Go to Applications & Resources -> Tenant Settings -> OpenID Connect Configuration, and select the Name value from a dropdown list. Choose the one starting with https.

  3. Go to Applications & Resources -> Applications and add a new Application. Name it (e.g. kyma) and configure it:

    • set Type to OpenID Connect
    • in OpenID Connect Configuration set the name (kyma) and add the RedirectURI: https://dex.mykymacluster.domain/callback
    • set HTTP Basic Authentication: provide a password and copy the generated User ID (e.g. T000005)
    • in Assertion Attributes make sure the User Attribute E-mail is mapped to the Assertion Attribute email (not mail), and First Name to name

Configure Kyma

  1. Edit the Dex config map:

    kubectl edit configmap -n kyma-system dex-config

  2. Add the following section:

    connectors:
    - type: oidc
      id: ias
      name: SAP IAS
      config:
        issuer: https://mytenant.accounts.ondemand.com
        clientID: T000004
        clientSecret: SecretPasswordYouCreatedInHttpBasicAuthentication
        redirectURI: https://dex.mykymacluster.domain/callback
        scopes:
        - openid
        insecureSkipEmailVerified: true
        userIdKey: email

  3. Find the Dex pod:

    kubectl get pods -n kyma-system

  4. Delete the Dex pod (replace the pod name with the one returned by the previous command):

    kubectl delete pod -n kyma-system dex-866c9f8d87-vspc9

  5. Add user permissions (create a role binding for users authenticated by IAS):

    cat <<EOF | kubectl apply -f -
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: john-smith-kyma-admin-binding
    subjects:
    - kind: User
      name: john.smith@example.com
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: ClusterRole
      name: kyma-admin
      apiGroup: rbac.authorization.k8s.io
    EOF

Additional steps

SAP IAS doesn't send the email_verified claim. DEX has a workaround for that (insecureSkipEmailVerified: true), but it does not work in the current version. You have to patch the DEX deployment with an image that contains the fix for this bug:

kubectl edit deployment dex -n kyma-system

Replace the dex image with pbochynski/dex:2.16.0-pr1456

@ormos

ormos commented May 29, 2019

I am not an expert on IAS, but can we not use the assertion attribute mapping of IAS to add the fixed claim "email_verified" with a static value like true or false - or whatever is appropriate? In that case, we could avoid the needed code fix for DEX.

@pbochynski

pbochynski commented May 29, 2019

I tried. You can add default attribute email_verified with value true. But IAS returns all the attributes as strings. DEX expects boolean value as described in the OpenID Connect standard and crashes on the string.
BTW: the bug in DEX is already fixed and merged to master.

@ormos

ormos commented May 29, 2019

Ok, got it. So IAS is not really standard compliant here - or, as an alternative, DEX could parse the boolean value a little more relaxed, also as a string.
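The string-versus-boolean mismatch discussed in this thread, as an added example that is not part of the gist or of dex's own code: a claim decoder that accepts a JSON boolean (the OIDC Core form), optionally tolerates the "true"/"false" strings IAS emits, treats a missing claim as unverified, and fails closed on anything else. The claim set is constructed, and the function names are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

// ParseEmailVerified accepts a JSON boolean (what OIDC Core specifies) and,
// in relaxed mode, the strings "true"/"false" an IdP emits when every
// assertion attribute is a string (the IAS case). A missing claim is false;
// anything else is an error rather than being treated as verified.
func ParseEmailVerified(v interface{}, relaxed bool) (bool, error) {
	switch t := v.(type) {
	case nil:
		return false, nil // claim absent: unverified, not an error
	case bool:
		return t, nil
	case string:
		if b, err := strconv.ParseBool(t); relaxed && err == nil {
			return b, nil
		}
		return false, fmt.Errorf("email_verified: %q is not a JSON boolean", t)
	default:
		return false, fmt.Errorf("email_verified: unexpected JSON type %T", v)
	}
}

// Decode returns the e-mail and verified flag from an ID-token claim set,
// keeping the raw value so the error is reported instead of a decode crash.
func Decode(claimsJSON string, relaxed bool) (string, bool, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal([]byte(claimsJSON), &claims); err != nil {
		return "", false, err
	}
	email, _ := claims["email"].(string)
	verified, err := ParseEmailVerified(claims["email_verified"], relaxed)
	return email, verified, err
}

// Constructed sample claim set: the boolean arrives as a string.
const iasStyleClaims = `{"email":"john.smith@example.com","email_verified":"true"}`

func main() {
	_, _, strictErr := Decode(iasStyleClaims, false)
	email, verified, err := Decode(iasStyleClaims, true)
	fmt.Println("strict:", strictErr, "| relaxed:", email, verified, err)
}
```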
