Chapter 1. Getting started with Red Hat OpenShift Service on AWS in AWS GovCloud

Procedure

1. Navigate to the ROSA GovCloud access request form.
2. Complete the access request form.

3. Click Submit to sign up. You receive a Submission confirmation.

   Red Hat’s confirmed stateside support team contacts you through email for the following information:

   • Admin details to include your organization name, administrator first and surname and administrator email.

   • User authentication option to the FedRAMP Hybrid Cloud Console from one of the following two options:

     • Local group in a Red Hat managed Keycloak instance, where users will be required to setup multifactor authentication (MFA) with an approved device.

       Note

       Only device YubiKEY 5C NFC FIPS currently accepted.

     • Customer managed Identity Provider (IdP), integrated via OpenID Connect (OIDC), where you will need to provide the following:

       • Discovery Endpoint: The IdP’s OIDC discovery URL (typically ending in /.well-known/openid-configuration). This allows Keycloak to automatically fetch most of the IdP’s settings.
       • Client ID and secret: Credentials that allow Keycloak to authenticate with the customer’s IdP.
       • Email domain(s): A list of approved email domains. Only users with an email address from one of these domains will be allowed to log in.
       • Essential claim: A specific key-value pair (e.g., "rh-approved": "true") that must be present in a user’s token from the IdP to grant them access. In this configuration, the customer takes on the responsibility for implementing FIPS 140-2 validated MFA.