Guided Exercise: Solve User Sync Conflicts

Solve conflicts when synchronizing users from more than one identity provider.

Outcomes

  • Synchronize users and groups from Red Hat SSO to OpenShift.

  • Solve conflicts when synchronizing a user from more than one IdP.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start auth-conflict

Instructions

In this exercise, you solve the conflicts that appear when two IdPs provide the same user.

As a use case, the lab script configures Red Hat SSO and htpasswd as OpenShift IdPs.

The htpasswd IdP provides the abbyquincy user with redhat_htpasswd as the password.

Red Hat SSO provides the abbyquincy user with redhat_sso as the password in the external_providers realm.

  1. Log in as the abbyquincy user through the htpasswd IdP. The user also exists in Red Hat SSO. Try to synchronize the user from both IdPs.

    1. Log in as the abbyquincy user through the htpasswd IdP.

      Note

      If you get a 401 login error, then wait for a few moments for the openshift-authentication pods to re-create, or check them by logging in as an administrator and using the oc get pods -n openshift-authentication command.

      [student@workstation ~]$ oc login -u abbyquincy -p redhat_htpasswd \
        https://api.ocp4.example.com:6443
      Login successful.
      ...output omitted...
    2. Verify that OpenShift correctly synchronizes the user from Red Hat SSO the first time that they log in.

      [student@workstation ~]$ oc login -u admin -p redhatocp
      ...output omitted...
      [student@workstation ~]$ oc get users
      NAME           UID           FULL NAME      IDENTITIES
      abbyquincy     d43c5583-...                 htpasswd_provider:abbyquincy
      admin          00fed1ea-...  Administrator  Red Hat Identity Management:dWlk...
    3. Try to log in as the abbyquincy user through Red Hat SSO.

      [student@workstation ~]$ oc login -u abbyquincy -p redhat_sso
      Error from server (InternalError): Internal error occurred: unexpected response: 500
    4. Review the logs for the authentication pods to find the login error. OpenShift cannot synchronize the user from Red Hat SSO, because the identity was already synchronized from the htpasswd IdP, and the mappingMethod parameter for both IdPs is set to claim. With the claim method, OpenShift refuses to map a new identity to a user that is already mapped to an identity from another provider. The pod names might differ on your system.

      [student@workstation ~]$ oc get pods -n openshift-authentication
      NAME                               READY   STATUS    RESTARTS   AGE
      oauth-openshift-69df8585dc-rhh7j   1/1     Running   0          4m46s
      oauth-openshift-69df8585dc-rwvzb   1/1     Running   0          5m42s
      oauth-openshift-69df8585dc-zlkzd   1/1     Running   0          5m14s
      [student@workstation ~]$ oc logs oauth-openshift-69df8585dc-zlkzd \
        -n openshift-authentication
      ...output omitted...
      E0530 10:08:47.093542       1 basicauth.go:45] Error authenticating login "abbyquincy" with provider "RHSSO_OIDC": user "abbyquincy" cannot be claimed by identity "RHSSO_OIDC:a175e1b7-6210-40f8-aeda-732021142e84" because it is already mapped to [htpasswd_provider:abbyquincy]
      E0530 10:08:47.093841       1 errorpage.go:28] AuthenticationError: user "abbyquincy" cannot be claimed by identity "RHSSO_OIDC:a175e1b7-6210-40f8-aeda-732021142e84" because it is already mapped to [htpasswd_provider:abbyquincy]
  2. Change the OIDC Red Hat SSO mappingMethod parameter from claim to add, so OpenShift adds the identity from Red Hat SSO to the user.

    1. Change the OIDC Red Hat SSO mappingMethod parameter from claim to add. You can find the YAML file for the OAuth CR in the /home/student/DO380/labs/auth-conflict/oauth_config.yml file.

      apiVersion: config.openshift.io/v1
      kind: OAuth
      metadata:
        name: cluster
      spec:
        identityProviders:
      ...output omitted...
        - openID:
      ...output omitted...
          mappingMethod: add
          name: RHSSO_OIDC
          type: OpenID
    2. Apply the OAuth CR YAML file to the cluster.

      [student@workstation ~]$ oc apply -f ~/DO380/labs/auth-conflict/oauth_config.yml
      oauth.config.openshift.io/cluster configured
    3. Wait for the OAuth pods to redeploy.

      [student@workstation ~]$ watch oc get pods -n openshift-authentication
      Every 2.0s: oc get pods -n openshift-authentication  workstation: Tue May 30 06:17:27 2023
      
      NAME                              READY   STATUS    RESTARTS   AGE
      oauth-openshift-f94c8d5fd-8w9nb   1/1     Running   0          92s
      oauth-openshift-f94c8d5fd-jnt8r   1/1     Running   0          63s
      oauth-openshift-f94c8d5fd-vk79l   1/1     Running   0          35s
      ^C
    4. Try to log in again as the abbyquincy user through Red Hat SSO.

      [student@workstation ~]$ oc login -u abbyquincy -p redhat_sso
      Login successful.
      ...output omitted...
    5. Verify that OpenShift correctly synchronizes the user from Red Hat SSO. Verify that the abbyquincy user has two identities, one from each of the two IdPs.

      [student@workstation ~]$ oc login -u admin -p redhatocp
      ...output omitted...
      [student@workstation ~]$ oc get users
      NAME           UID           FULL NAME      IDENTITIES
      abbyquincy     d43c5583-...                 htpasswd_provider:abbyquincy,
                                                  RHSSO_OIDC:a175e1b7-...
      admin          00fed1ea-...  Administrator  Red Hat Identity Management:dWlk...
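
As an added example that is not part of the DO380 exercise, the following POSIX shell script automates the two checks that steps 1.4 and 2.5 perform by hand: it extracts claim conflicts from oauth-openshift log lines, and it lists users whose identities come from more than one IdP. The log and identity samples are constructed inline, modelled on the output shown above, so the script runs offline. On a real cluster you would pipe in `oc logs <pod> -n openshift-authentication` and `oc get identities -o custom-columns=USER:.user.name,PROVIDER:.providerName --no-headers`; the column layout of that second command is an assumption of this script, not something the exercise shows.

```shell
#!/bin/sh
# Added example: detect "claim" mapping conflicts and audit multi-IdP users.
# Not part of the DO380 course material.

# Constructed sample log lines, modelled on the error from step 1.4.
SAMPLE_LOG='I0530 10:08:40.000000       1 oauth.go:10] unrelated informational line
E0530 10:08:47.093542       1 basicauth.go:45] Error authenticating login "abbyquincy" with provider "RHSSO_OIDC": user "abbyquincy" cannot be claimed by identity "RHSSO_OIDC:a175e1b7-6210-40f8-aeda-732021142e84" because it is already mapped to [htpasswd_provider:abbyquincy]
E0530 10:08:47.093841       1 errorpage.go:28] AuthenticationError: user "abbyquincy" cannot be claimed by identity "RHSSO_OIDC:a175e1b7-6210-40f8-aeda-732021142e84" because it is already mapped to [htpasswd_provider:abbyquincy]'

# Constructed sample in the assumed "USER PROVIDER" layout of
# oc get identities -o custom-columns=USER:.user.name,PROVIDER:.providerName --no-headers
# (the provider name may contain spaces, so USER comes first).
SAMPLE_IDENTITIES='abbyquincy htpasswd_provider
abbyquincy RHSSO_OIDC
admin Red Hat Identity Management'

# claim_conflicts: read log text on stdin and print one deduplicated line per
# conflict in the form "user new_identity existing_mapping".
claim_conflicts() {
    grep -o 'user "[^"]*" cannot be claimed by identity "[^"]*" because it is already mapped to \[[^]]*\]' |
    sed -E 's/user "([^"]*)" cannot be claimed by identity "([^"]*)" because it is already mapped to \[([^]]*)\]/\1 \2 \3/' |
    sort -u
}

# multi_idp_users: read "USER PROVIDER" lines on stdin and print
# "user provider1,provider2,..." for every user mapped from more than one IdP,
# which is the state that mappingMethod: add produces (step 2.5).
multi_idp_users() {
    awk '{
        user = $1
        $1 = ""
        prov = substr($0, 2)          # remaining fields form the provider name
        key = user SUBSEP prov
        if (!(key in seen)) {
            seen[key] = 1
            count[user]++
            provs[user] = provs[user] (provs[user] ? "," : "") prov
        }
    }
    END {
        for (u in count)
            if (count[u] > 1) print u, provs[u]
    }' | sort
}

# Stand-alone demo on the constructed input.
printf '%s\n' "$SAMPLE_LOG" | claim_conflicts
printf '%s\n' "$SAMPLE_IDENTITIES" | multi_idp_users
```

The first function is the check to run when a user reports a 500 error at login: a non-empty result names the user, the identity the second IdP tried to create, and the identity that already owns the user, which tells you whether switching that IdP to mappingMethod: add is the right fix or whether two unrelated people share a user name. The second function is the post-change audit: every user it lists has identities from more than one provider, so any IdP in that list must be one you trust to assert the same person as the others.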

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish auth-conflict

Revision: do380-4.14-397a507