- Go to your IAS tenant admin page: https://mytenant.accounts.ondemand.com/admin
- Go to Applications & Resources -> Tenant Settings -> OpenID Connect Configuration, and select the Name value from the dropdown list. Choose the one starting with https.
- Go to Applications & Resources -> Applications and add a new Application. Name it (e.g. kyma) and configure it:
  - set Type to OpenID Connect
  - in OpenID Connect Configuration set name (kyma) and add RedirectURI: https://dex.mykymacluster.domain/callback
  - set HTTP Basic Authentication: provide a password and copy the generated User ID (e.g. T000005)
  - in Assertion Attributes make sure User Attribute E-mail is mapped to Assertion Attribute `email` (not `mail`), and First Name to `name`
- Edit the dex config map:

  ```
  kubectl edit configmap -n kyma-system dex-config
  ```
- Add section:

  ```yaml
  connectors:
  - type: oidc
    id: ias
    name: SAP IAS
    config:
      issuer: https://mytenant.accounts.ondemand.com
      clientID: T000004
      clientSecret: SecretPasswordYouCreatedInHttpBasicAuthentication
      redirectURI: https://dex.mykymacluster.domain/callback
      scopes:
      - openid
      insecureSkipEmailVerified: true
      userIdKey: email
  ```
- Find the DEX pod:

  ```
  kubectl get pods -n kyma-system
  ```
- Delete the Dex pod (replace the pod name with the result from the previous command):

  ```
  kubectl delete pod -n kyma-system dex-866c9f8d87-vspc9
  ```
- Add user permissions (create a role binding for users authenticated by IAS):

  ```
  cat <<EOF | kubectl apply -f -
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    name: john-smith-kyma-admin-binding
  subjects:
  - kind: User
    name: john.smith@example.com
    apiGroup: rbac.authorization.k8s.io
  roleRef:
    kind: ClusterRole
    name: kyma-admin
    apiGroup: rbac.authorization.k8s.io
  EOF
  ```
SAP IAS doesn't send the `email_verified` claim. DEX has a workaround for that (`insecureSkipEmailVerified: true`) but it is not working in the current version. You have to patch the DEX deployment with the image that contains the fix for this bug:

```
kubectl edit deployment dex -n kyma-system
```

Replace the dex image with `pbochynski/dex:2.16.0-pr1456`.
I am not an expert on IAS, but can we not use the assertion attribute mapping of IAS to add the fixed claim "email_verified" to static value like true or false - or whatever is appropriate. In that case, we could avoid the needed code-fix for DEX.
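The claim check the two comments above are talking about, as an added example that is neither dex's code nor part of this issue: a simplified Go model of how an OIDC connector decides whether a login is acceptable when `email_verified` is absent, with and without `insecureSkipEmailVerified`, run over constructed claims shaped like the IAS token described above. It also exercises the static-mapping idea from the last comment under one assumption of the model: only a JSON boolean counts as verified, so a mapped attribute that arrives as the string "true" is not accepted; check the claim type in a real ID token before relying on such a mapping.

```go
package main

import (
	"errors"
	"fmt"
)

// Identity is what the connector hands back after a successful login.
type Identity struct {
	UserID        string
	Email         string
	EmailVerified bool
}

// resolveIdentity models the connector's claim check (simplified model, not dex's code).
// claims is the decoded ID-token payload; userIDKey and skipEmailVerified correspond to
// the connector config keys userIdKey and insecureSkipEmailVerified.
func resolveIdentity(claims map[string]interface{}, userIDKey string, skipEmailVerified bool) (Identity, error) {
	email, ok := claims["email"].(string)
	if !ok || email == "" {
		return Identity{}, errors.New(`missing "email" claim`)
	}
	// Assumption of this model: only a JSON boolean counts; a string "true" does not.
	verified, found := claims["email_verified"].(bool)
	if !found {
		if !skipEmailVerified {
			return Identity{}, errors.New(`missing "email_verified" claim`)
		}
		verified = true // workaround: trust the IdP even though it sent no claim
	}
	userID, ok := claims[userIDKey].(string)
	if !ok || userID == "" {
		return Identity{}, fmt.Errorf("missing %q claim used as userIdKey", userIDKey)
	}
	return Identity{UserID: userID, Email: email, EmailVerified: verified}, nil
}

func main() {
	// Constructed claims shaped like the page describes: IAS sends email but no email_verified.
	iasClaims := map[string]interface{}{"sub": "P000001", "email": "john.smith@example.com"}
	for _, skip := range []bool{false, true} {
		id, err := resolveIdentity(iasClaims, "email", skip)
		fmt.Printf("insecureSkipEmailVerified=%v -> identity=%+v err=%v\n", skip, id, err)
	}
}
```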