Red Hat SummitEste conteúdo não está disponível no idioma selecionado.
Chapter 9. Configuring Microsoft Entra ID as an OpenID Connect provider for Trusted Profile Analyzer
You can use Microsoft Entra ID as your OpenID Connect (OIDC) provider for the Red Hat Trusted Profile Analyzer (RHTPA) service. You can decide to configure Microsoft Entra ID during the deployment of RHTPA, or at a later time.
Integrating Microsoft Entra ID into RHTPA requires no subscriptions.
Prerequisites
- Red Hat OpenShift Container Platform 4.16 or later.
- Access to the OpenShift web console.
- A Microsoft Azure account with permissions to create application registrations.
- A Microsoft Entra ID tenant.
Procedure
Create an API application registration.
- Go to the Azure portal and navigate to Microsoft Entra ID > App registrations > New registration.
Fill out the following fields for your application registration:
- Name : Add a descriptive name for your application registration, such as RHTPA API.
- Supported account types : Choose the appropriate option, Single tenant or Multi-tenant, based on your requirements.
- Redirect URI : Leave blank, as this is not required for the API.
- Click Register to create the application registration.
- After the application registration is created, make note of the Application (client) ID and Directory (tenant) ID values from the application overview page. You will need these values later.
Configure the application registration to expose an API.
- In the application registration overview page, navigate to Expose an API.
- Click Add next to Application ID URI, accept the default value, and click Save.
Define the scopes for client requests.
- In the Expose an API section, click Add a scope.
Create a scope for creating documents using the following values:
- Scope name : create:document
- Who can consent? : Admins and users
- Admin consent display name : Create documents in RHTPA
- Admin consent description : Allows the application to create documents in RHTPA
- User consent display name : Create documents in RHTPA
- User consent description : Allows the application to create documents in RHTPA
- State : Enabled
- Click Add scope to save the scope.
Create a scope for reading documents using the following values:
- Scope name : read:document
- Who can consent? : Admins and users
- Admin consent display name : Read documents in RHTPA
- Admin consent description : Allows the application to read documents in RHTPA
- User consent display name : Read documents in RHTPA
- User consent description : Allows the application to read documents in RHTPA
- State : Enabled
- Click Add scope to save the scope.
Create a scope for updating documents using the following values:
- Scope name : update:document
- Who can consent? : Admins and users
- Admin consent display name : Update documents in RHTPA
- Admin consent description : Allows the application to update documents in RHTPA
- User consent display name : Update documents in RHTPA
- User consent description : Allows the application to update documents in RHTPA
- State : Enabled
- Click Add scope to save the scope.
Create a scope for deleting documents using the following values:
- Scope name : delete:document
- Who can consent? : Admins and users
- Admin consent display name : Delete documents in RHTPA
- Admin consent description : Allows the application to delete documents in RHTPA
- User consent display name : Delete documents in RHTPA
- User consent description : Allows the application to delete documents in RHTPA
- State : Enabled
- Click Add scope to save the scope.
Once finished, you should have the following scopes defined for your application registration:
-
api://{API_CLIENT_ID}/create:document -
api://{API_CLIENT_ID}/read:document -
api://{API_CLIENT_ID}/update:document -
api://{API_CLIENT_ID}/delete:document
-
Create a client secret for service-to-service authentication.
This is useful for making API calls from backend services or command-line tools.
- Click Certificates & secrets from the navigation menu.
- Click New client secret.
- Add a description, such as CLI Access.
- Select a expiration period appropriate for your environment.
Click Add to create the client secret.
ImportantMake sure to copy the client secret value immediately after creation, as it will not be shown again. You will need this value for authentication.
Configure the token version.
- Click Manifest from the navigation menu.
Find the accessTokenAcceptedVersion property in the JSON file, and set change its value from
null`to `2:"accessTokenAcceptedVersion": 2This ensures that tokens are using the v2.0 format.
- Click Save to save the manifest changes.
Add application roles with
scopeMappingsfor admin consent.- Click App roles from the navigation menu.
- Click Create app role.
Create roles for each permission, as follows:
-
Value:
App.Read.Document, Allowed member types:Applications -
Value:
App.Create.Document, Allowed member types:Applications -
Value:
App.Update.Document, Allowed member types:Applications -
Value:
App.Delete.Document, Allowed member types:Applications
-
Value:
- Click Apply to save each application role.
- Navigate to API permissions > Add a permission > My APIs, and select the API application registration you created earlier.
-
Check the boxes for the
App.Read.Document,App.Create.Document,App.Update.Document, andApp.Delete.Documentapplication roles, and click Add permissions to save. - Click Grant admin consent to grant consent for the application roles you just added.
Create the front-end application registration.
- From the Microsoft Entra ID menu, navigate to App registrations > New registration.
Fill out the following fields for your application registration:
- Name : Add a descriptive name for your application registration, such as RHTPA UI.
- Supported account types : Choose the appropriate option, Single tenant or Multi-tenant, based on your requirements.
- Redirect URI > Platform : Select Single-page application (SPA).
-
Redirect URI > URI : Enter the URL where your front-end application is hosted, such as
https://rhtpa.apps.example.com/.
Click Register to create the application registration.
NoteYour Application (client) ID is also your Frontend Client ID.
Optional. To allow the front-end application to request tokens on behalf of the user.
- In the Expose an API section, click Authorized client applications.
- Click Add a client application.
- Enter the Frontend Client ID.
- Check all the boxes for the scopes you want to allow the front-end application to request on behalf of the user.
- Click Add application to save the authorized client application.
Configure the authentication settings.
- Click Authentication from the navigation menu.
Check the following settings:
- Redirect URIs : Ensure the correct redirect URIs are listed for your front-end application.
- Implicit grant and hybrid flows : Do not check the boxes for Access tokens or ID tokens.
- Advanced settings > Allow public client flows : Set to No.
- Select Single-page application.
- Click Save to save the authentication settings changes.
Configure the API permissions.
Click API permissions from the navigation menu.
You can keep Microsoft Graph with User.Read permission.
- Click Add a permission.
- Click the My APIs tab.
- Select the RHTPA API application registration you created earlier.
- Click Delegated permissions.
- Check all the boxes for the scopes you defined earlier.
- Click Add permissions to save the API permissions.
- Optional. You can also grant admin consent for pre-approving the API permissions to avoid users having to consent individually when they log in for the first time. You can do this by clicking Grant admin consent, and then clicking Yes.
Configure the token version.
- Click Manifest from the navigation menu.
Find the accessTokenAcceptedVersion property in the JSON file, and set change its value from
null`to `2:"accessTokenAcceptedVersion": 2This ensures that tokens are using the v2.0 format.
- Click Save to save the manifest changes.
You now have the Tenant ID, API Client ID, Frontend Client ID, Client Secret, and Scopes values that you need to add Microsoft Entra ID as your OIDC provider in the RHTPA configuration.
Your Issuer URL will be in the format,
https://login.microsoftonline.com/TENANT_ID/v2.0, and the token endpoint will behttps://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token.Create a new configuration map for the scope assignments.
- Open a terminal on your workstation.
Create a new
auth.yamlfile:$ touch auth.yamlCopy this content to the clipboard:
authentication: clients: # Microsoft Entra ID Frontend Client (for user sign-in) - clientId: FRONTEND_CLIENT_ID issuerUrl: https://login.microsoftonline.com/TENANT_ID/v2.0 requiredAudience: API_CLIENT_ID scopeMappings: "read:document": - "ai" - "read.sbom" - "read.advisory" - "read.importer" - "read.metadata" - "read.sbomGroup" - "read.weakness" - "read.systemInformation" "create:document": - "create.sbom" - "create.advisory" - "create.importer" - "create.metadata" - "create.sbomGroup" - "create.weakness" - "update.sbom" - "update.advisory" - "update.importer" - "update.metadata" - "update.sbomGroup" - "update.weakness" - "upload.dataset" "update:document": - "update.sbom" - "update.advisory" - "update.importer" - "update.metadata" - "update.sbomGroup" - "update.weakness" "delete:document": - "delete.sbom" - "delete.advisory" - "delete.importer" - "delete.metadata" - "delete.sbomGroup" - "delete.vulnerability" - "delete.weakness" # Microsoft Entra ID CLI/API Client (for client credentials) - clientId: API_CLIENT_ID issuerUrl: https://login.microsoftonline.com/TENANT_ID/v2.0 requiredAudience: API_CLIENT_ID # Extract from 'scope', 'scp', or 'roles' claims scopeSelector: "$['scope','scp','roles']" scopeMappings: # App roles from 'roles' claim "App.Read.Document": - "ai" - "read.sbom" - "read.advisory" - "read.importer" - "read.metadata" - "read.sbomGroup" - "read.weakness" - "read.systemInformation" "App.Create.Document": - "create.sbom" - "create.advisory" - "create.importer" - "create.metadata" - "create.sbomGroup" - "create.weakness" - "update.sbom" - "update.advisory" - "update.importer" - "update.metadata" - "update.sbomGroup" - "update.weakness" - "upload.dataset" "App.Update.Document": - "update.sbom" - "update.advisory" - "update.importer" - "update.metadata" - "update.sbomGroup" - "update.weakness" "App.Delete.Document": - "delete.sbom" - "delete.advisory" - "delete.importer" - "delete.metadata" - "delete.sbomGroup" - "delete.vulnerability" - "delete.weakness"-
Open the
auth.yamlfile for editing. -
Paste the clipboard contents into the
auth.yamlfile, and replace theTENANT_ID,API_CLIENT_ID, andFRONTEND_CLIENT_IDplaceholders with your values. -
Save and close the
auth.yamlfile - Log in to the OpenShift web console.
- From the navigation menu, expand Workloads, click ConfigMaps.
- Click the Create ConfigMap button.
-
In the Name field, set the value to
server-entra-auth, and leave the Immutable checkbox unchecked. -
In the Key field, set the value to
auth.yaml. - On the Value field, click the Browse… button.
-
Browse to the newly created
auth.yamlfile, and select it. - Click the *Create button.
Open the
values-rhtpa.yamlHelm chart file for editing.Update the
oidcsection with the following values:... oidc: issuerUrl: https://login.microsoftonline.com/TENANT_ID/v2.0 uiScope: "openid profile email offline_access api://API_CLIENT_ID/create:document api://API_CLIENT_ID/read:document api://API_CLIENT_ID/update:document api://API_CLIENT_ID/delete:document" loadUser: false clients: frontend: clientId: FRONTEND_CLIENT_ID cli: clientId: API_CLIENT_ID clientSecret: CLIENT_SECRET ...Replace the
API_CLIENT_ID,FRONTEND_CLIENT_ID, andCLIENT_SECRETplaceholders with your values.Also, under the
oidcsection, set theloadUseroption tofalse.Under the
authenticatorsection, add the new configuration map reference as follows:... authenticator: configMapRef: name: server-entra-auth key: auth.yaml ...-
Save and close the
values-rhtpa.yamlHelm chart file.
If you are configuring Microsoft Entra ID during the deployment of RHTPA, continue with the installation procedure.
If you are configuring Microsoft Entra ID after RHTPA is deployed, you need to upgrade your RHTPA Helm release to apply the new OIDC configuration. You can do this by running the following command:
$ helm upgrade --install redhat-trusted-profile-analyzer openshift-helm-charts/redhat-trusted-profile-analyzer -n $NAMESPACE --values values-rhtpa.yaml --values values-importers.yaml --set-string appDomain=$APP_DOMAIN_URL
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}