UNCLASSIFIED - NO CUI

SSO Refactor for Global IdP values

Michael McLeroy requested to merge sso_2.0 into master

Package Merge Request

Package Changes

Summary

When upgrading, the following changes may affect SSO:

  • Values related to the Identity Provider paths, certificates, and OIDC claims were deprecated and replaced with a set of global values. Deprecated values will still work, but you will see a deprecation notice in the Helm upgrade notes. See the values.yaml for details on new values.
  • (ArgoCD, GitLab, Grafana, Sonarqube): Login button label (name) is global and defaults to SSO.
  • (Authservice): When jwksUri and jwks are both defined, jwksUri takes precedence (previously, jwks took precedence).
  • (Authservice, Logging): Defaults expanded for URL endpoints and claim names to support global values and non-keycloak identity providers.

Details

ArgoCD

  • default OIDC name changed from blank to SSO. This changes the login button label.

Authservice

  • Prefers jwksUri over jwks if both are defined. Previously jwks was preferred. This allows jwks to be dynamically updated if both are defined.
  • issuer_uri, authorization_uri, token_uri, logout_redirect_uri will be populated globally and per chain when the new values are used. This eliminates the need to populate oidc.host and oidc.realm and provides support for non-keycloak identity providers.
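
As an added illustration (not code from this MR or from the project's charts), the following Python models the Authservice resolution rules described above: global values feeding issuer_uri, authorization_uri, token_uri and logout_redirect_uri, fallback to the deprecated oidc.host/oidc.realm pair, and jwksUri taking precedence over jwks. The global.sso.* key names, the chain key names and the Keycloak endpoint paths are assumptions.

```python
# Added illustration of the Authservice value-resolution rules this MR describes.
# Key names global.sso.* and the chain keys jwksUri/jwks are assumptions, not the
# chart's real values.yaml keys; oidc.host/oidc.realm are the deprecated names named above.

# Standard Keycloak OIDC endpoint paths under the realm issuer (assumes the /auth prefix).
KEYCLOAK_PATHS = {
    "authorization_uri": "/protocol/openid-connect/auth",
    "token_uri": "/protocol/openid-connect/token",
    "logout_redirect_uri": "/protocol/openid-connect/logout",
    "jwksUri": "/protocol/openid-connect/certs",
}


def resolve_chain(values: dict, chain: dict) -> dict:
    """Effective endpoints for one chain: per-chain > global > Keycloak default from issuer."""
    g = values.get("global", {}).get("sso", {})
    warnings = []
    issuer = chain.get("issuer_uri") or g.get("issuer")
    if not issuer:
        # Fallback for the deprecated Keycloak-only values; non-Keycloak IdPs must set the global issuer.
        host, realm = values.get("oidc", {}).get("host"), values.get("oidc", {}).get("realm")
        if not (host and realm):
            raise ValueError("no issuer: set global.sso.issuer (or deprecated oidc.host/oidc.realm)")
        issuer = f"https://{host}/auth/realms/{realm}"
        warnings.append("oidc.host/oidc.realm are deprecated; set the global issuer instead")
    out = {"issuer_uri": issuer}
    for key, path in KEYCLOAK_PATHS.items():
        out[key] = chain.get(key) or g.get(key) or issuer + path
    # New rule: an explicit jwksUri wins over an inline jwks document (previously reversed),
    # so a rotated IdP signing key is fetched instead of being pinned to a stale inline JWKS.
    jwks = chain.get("jwks") or g.get("jwks")
    if chain.get("jwksUri") or g.get("jwksUri") or not jwks:
        out["jwks_source"] = ("uri", out["jwksUri"])
        if jwks:
            warnings.append("both jwksUri and jwks are set; jwksUri takes precedence")
    else:
        out["jwks_source"] = ("inline", jwks)
    out["warnings"] = warnings
    return out


# Constructed sample inputs: a deprecated-style values file and a new global-style one.
OLD_VALUES = {"oidc": {"host": "keycloak.example.com", "realm": "example-realm"}}
NEW_VALUES = {"global": {"sso": {"issuer": "https://login.example.com/oidc",
                                 "jwksUri": "https://login.example.com/oidc/keys"}}}
```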

GitLab

  • default label changed from blank to SSO. This changes the login button label.
  • client_options: identifier and secret no longer default to global sso values. Those values are reserved for authservice use and should not have been used as defaults.

Grafana

  • default name changed from blank (which resulted in an "OAuth" label) to SSO. This changes the login button label.

Logging

  • issuer, auth_url, token_url, userinfo_url, endsession_url and jwkset_url will be populated when new values are used. This eliminates the need to populate oidc.host and oidc.realm and provides support for non-keycloak identity providers.
  • Default claim names for principal, groups, and mail are populated with typical values from Keycloak and can be overridden in global variables.

Sonarqube

  • default providerName changed from blank to SSO.

Twistlock

  • default provider_name changed from blank to SSO.

Package MR

No package changes

For Issue

Closes #1361 (closed)

Edited by Michael McLeroy