Integrate identity providers with Charmed Kubeflow

This guide describes how you can authenticate via different Identity Providers (IdP) by configuring Dex through the dex-auth charm.

When authenticating through Dex, your identity data is stored using an external user-management system, such as an LDAP directory or a GitHub organisation. Dex uses connectors to authenticate a user against an identity provider.

You can integrate the supported IdPs with dex-auth following these steps:

  1. Add a connector.
  2. Configure Dex issuer URL.

Add a connector

Each connector has its own configuration in YAML format, which is best described in each connector’s documentation.

To add a new connector, pass the configuration to dex-auth via the connectors configuration option:

juju config dex-auth connectors=@connectors.yaml

Here, connectors.yaml is a YAML file containing a list of connector configurations.

As an example of connector configuration, this is what you might use for connectors.yaml to configure Dex to authenticate against a Microsoft IdP:

- type: microsoft
  id: microsoft
  name: Microsoft
  config:
    clientID: $MICROSOFT_APPLICATION_ID
    clientSecret: $MICROSOFT_CLIENT_SECRET
    redirectURI: http://127.0.0.1:5556/dex/callback

Configure Dex issuer URL

When using a connector, fields like the redirectURI from the connector configuration must match the issuer-url configuration option in the dex-auth charm. To make sure that is the case, you can:

  1. Verify the current value of Dex issuer URL as follows:
juju config dex-auth issuer-url
  2. Set it to match your deployment configuration:
juju config dex-auth issuer-url=http://<domain-name>.cloudname.com/dex

For example, when using a cloud service like Azure it could look like this:

juju config dex-auth issuer-url=https://my-charmed-kubeflow.uksouth.cloudapp.azure.com/dex

After configuring this value, every connector configuration must use it as the Dex issuer URL wherever it applies; otherwise this can lead to unexpected behaviour.
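
One way to check this consistency before applying a connectors file is shown below. This is an added example, not part of the Charmed Kubeflow documentation; the function name check_redirect_uris, the rule that a redirectURI equals the issuer URL followed by /callback, and the two-connector sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the Charmed Kubeflow documentation.
# Assumption: each connector's redirectURI is "<issuer-url>/callback".

# check_redirect_uris ISSUER_URL CONNECTORS_FILE
# Returns 0 if every redirectURI matches, 1 on any mismatch,
# 2 if the file contains no redirectURI at all.
check_redirect_uris() {
    issuer=${1%/}                      # tolerate a trailing slash
    expected="$issuer/callback"
    found=0
    bad=0
    # Pull the value of each redirectURI key; drop comments and quotes.
    uris=$(sed -n -e 's/[[:space:]]#.*$//' \
        -e 's/^[[:space:]]*redirectURI:[[:space:]]*//p' "$2" | tr -d "\"'")
    for uri in $uris; do
        found=$((found + 1))
        if [ "$uri" = "$expected" ]; then
            echo "OK       $uri"
        else
            echo "MISMATCH $uri (expected $expected)"
            bad=$((bad + 1))
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no redirectURI found in $2"
        return 2
    fi
    [ "$bad" -eq 0 ]
}

# Constructed sample: the first connector still carries the loopback URI,
# the second (hypothetical) one was updated for the Azure issuer URL.
sample=$(mktemp)
cat > "$sample" <<'EOF'
- type: microsoft
  id: microsoft
  config:
    redirectURI: http://127.0.0.1:5556/dex/callback
- type: github
  id: github
  config:
    redirectURI: https://my-charmed-kubeflow.uksouth.cloudapp.azure.com/dex/callback
EOF
# Against a live model, pass "$(juju config dex-auth issuer-url)" instead.
check_redirect_uris "https://my-charmed-kubeflow.uksouth.cloudapp.azure.com/dex" "$sample" \
    || echo "connectors and issuer-url disagree"
rm -f "$sample"
```

A non-zero exit status means at least one connector would send users back to a callback that Dex is not serving under the configured issuer URL.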