This guide describes how you can authenticate via different Identity Providers (IdP) by configuring Dex through the dex-auth charm.
When authenticating through Dex, your identity data is stored using an external user-management system, such as an LDAP directory or a GitHub organisation. Dex uses connectors to authenticate a user against an identity provider.
You can integrate the supported IdPs with dex-auth by following these steps:
Add a connector
Each connector has its own configuration in YAML format, which is best described in each connector’s documentation.
To add a new connector, pass the configuration to dex-auth via the connectors configuration option:
juju config dex-auth connectors=@connectors.yaml
Where connectors.yaml is a .yaml file containing a list of connector configurations.
As an example of connector configuration, this is what you might use for connectors.yaml to configure Dex to authenticate against a Microsoft IdP:
- type: microsoft
  id: microsoft
  name: Microsoft
  config:
    clientID: $MICROSOFT_APPLICATION_ID
    clientSecret: $MICROSOFT_CLIENT_SECRET
    redirectURI: http://127.0.0.1:5556/dex/callback
Configure Dex issuer URL
When using a connector, fields like the redirectURI from the connector configuration must match the issuer-url configuration option in the dex-auth charm. To make sure that is the case, you can:
- Verify the current value of Dex issuer URL as follows:
juju config dex-auth issuer-url
- Set it to match your deployment configuration:
juju config dex-auth issuer-url=http://<domain-name>.cloudname.com/dex
For example, when using a cloud service like Azure it could look like this:
juju config dex-auth issuer-url=https://my-charmed-kubeflow.uksouth.cloudapp.azure.com/dex
After configuring this value, connector configurations must use it as the Dex issuer URL wherever it applies; otherwise, this can lead to unexpected behaviour.
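One way to check the match before applying a connectors file, as an added example that is not part of the charm or its documentation. The function name check_redirect_uris is hypothetical, the scan is line-based rather than a full YAML parse, and it assumes the callback path is the issuer URL followed by /callback, as in the Microsoft connector example above:

```shell
#!/bin/sh
# Added example: check that every redirectURI in a connectors file is
# "<issuer-url>/callback". Line-based scan, not a full YAML parser.

# check_redirect_uris ISSUER_URL FILE
# Prints one line per redirectURI; returns 0 if all match, 1 if any
# differ, 2 if the file contains no redirectURI at all.
check_redirect_uris() {
    issuer=${1%/}                 # tolerate a trailing slash on the issuer
    expected="$issuer/callback"   # assumption: callback path is <issuer>/callback
    found=0
    mismatch=0
    # Keep only "redirectURI: value" lines; strip key, comments, spaces, quotes.
    uris=$(sed -n 's/^[[:space:]]*redirectURI:[[:space:]]*//p' "$2" |
           sed -e 's/[[:space:]]#.*$//' -e 's/[[:space:]]*$//' \
               -e "s/^[\"']//" -e "s/[\"']\$//")
    for uri in $uris; do
        found=1
        if [ "$uri" = "$expected" ]; then
            echo "OK        $uri"
        else
            echo "MISMATCH  $uri (expected $expected)"
            mismatch=1
        fi
    done
    [ "$found" -eq 1 ] || { echo "no redirectURI found in $2"; return 2; }
    return "$mismatch"
}

# Constructed sample: the Microsoft connector with placeholder credentials.
sample=$(mktemp)
cat > "$sample" <<'EOF'
- type: microsoft
  id: microsoft
  name: Microsoft
  config:
    clientID: example-client-id
    clientSecret: example-client-secret
    redirectURI: http://127.0.0.1:5556/dex/callback
EOF

# Real use: check_redirect_uris "$(juju config dex-auth issuer-url)" connectors.yaml
check_redirect_uris "http://127.0.0.1:5556/dex" "$sample"
check_redirect_uris "https://my-charmed-kubeflow.uksouth.cloudapp.azure.com/dex" "$sample" ||
    echo "connectors.yaml must be updated before it is applied"
rm -f "$sample"
```

The second call reports a mismatch because the sample file still points at the loopback address while the issuer URL is the Azure one.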