
6.12 addendum for Okta and Entra ID #4220

Merged: 5 commits, Apr 3, 2025
128 changes: 111 additions & 17 deletions content/sensu-go/6.12/operations/control-access/oidc-auth.md
Expand Up @@ -44,8 +44,8 @@ spec:
additional_scopes:
- groups
- email
client_id: a8e43af034e7f2608780
client_secret: b63968394be6ed2edb61c93847ee792f31bf6216
client_id: Your client ID
client_secret: Your client secret
disable_offline_access: false
redirect_uri: http://127.0.0.1:8080/api/enterprise/authentication/v2/oidc/callback
server: https://oidc.example.com:9031
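Review bot: replacing the credential-looking `client_id`/`client_secret` values with `Your client ID` / `Your client secret` does not remove the old values (`a8e43af034e7f2608780`, `b63968394be6ed2edb61c93847ee792f31bf6216`) from git history; if they were ever live at any provider they need to be rotated there, not just scrubbed from the rendered page. Two smaller points on the same lines: a placeholder that cannot parse as a valid value (e.g. `<your-client-id>`) fails faster than `Your client ID`, which is a perfectly valid YAML string that only errors at the IdP; and the unchanged `redirect_uri: http://127.0.0.1:8080/...` sends the authorization code over plain HTTP, which is acceptable for a loopback test but the page should say so, or show `https://` for anything that is not loopback.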
Expand All @@ -67,8 +67,8 @@ spec:
"groups",
"email"
],
"client_id": "a8e43af034e7f2608780",
"client_secret": "b63968394be6ed2edb61c93847ee792f31bf6216",
"client_id": "Your client ID",
"client_secret": "Your client secret",
"disable_offline_access": false,
"redirect_uri": "http://sensu-backend.example.com:8080/api/enterprise/authentication/v2/oidc/callback",
"server": "https://oidc.example.com:9031",
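Review bot: the JSON toggle's `"redirect_uri": "http://sensu-backend.example.com:8080/..."` does not match the YAML toggle's `redirect_uri: http://127.0.0.1:8080/...` in the hunk above, although the language toggle presents them as the same resource; pick one value for both. If the non-loopback hostname is kept, it should be `https://`, since an authorization code returned to a plain-HTTP callback on a routable host is exposed on the wire.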
Expand Down Expand Up @@ -148,8 +148,8 @@ spec:
additional_scopes:
- groups
- email
client_id: a8e43af034e7f2608780
client_secret: b63968394be6ed2edb61c93847ee792f31bf6216
client_id: Your client ID
client_secret: Your client secret
disable_offline_access: false
redirect_uri: http://sensu-backend.example.com:8080/api/enterprise/authentication/v2/oidc/callback
server: https://oidc.example.com:9031
Expand All @@ -165,8 +165,8 @@ spec:
"groups",
"email"
],
"client_id": "a8e43af034e7f2608780",
"client_secret": "b63968394be6ed2edb61c93847ee792f31bf6216",
"client_id": "Your client ID",
"client_secret": "Your client secret",
"disable_offline_access": false,
"redirect_uri": "http://sensu-backend.example.com:8080/api/enterprise/authentication/v2/oidc/callback",
"server": "https://oidc.example.com:9031",
Expand Down Expand Up @@ -199,6 +199,23 @@ name: oidc_provider

#### OIDC spec attributes

| provider | |
-------------|------
description | A unique string used to identify the OIDC provider. The name cannot contain special characters or spaces (validated with Go regex [`\A[\w\.\-]+\z`][42]).
required | true
type | String
allowed values | `Okta`, `PingFederate`, `EntraID`
example | {{< language-toggle >}}
{{< code yml >}}
provider: Okta
{{< /code >}}
{{< code json >}}
{
"provider": "Okta"
}
{{< /code >}}
{{< /language-toggle >}}

| additional_scopes | |
-------------|------
description | Scopes to include in the claims, in addition to the default `openid` scope. {{% notice note %}}
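Review bot: marking `provider` as `required | true` conflicts with the example resources updated earlier in this same patch (the specs starting at `additional_scopes:` around original lines 44, 67, 148 and 165), which still have no `provider:` line and would now be rejected as written; either add `provider:` to those examples or document a default and set required to false. The description row also looks copied from the metadata `name` attribute: "A unique string used to identify the OIDC provider ... validated with Go regex" does not fit a field whose valid inputs are the three enumerated values `Okta`, `PingFederate`, `EntraID`, and "unique" is misleading since many resources can share a provider. Suggest describing what selecting a provider changes in how Sensu handles the tokens, and dropping the regex sentence, so readers can tell this field apart from `metadata.name`.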
Expand Down Expand Up @@ -233,11 +250,11 @@ required | true
type | String
example | {{< language-toggle >}}
{{< code yml >}}
client_id: 1c9ae3e6f3cc79c9f1786fcb22692d1f
client_id: Your client ID
{{< /code >}}
{{< code json >}}
{
"client_id": "1c9ae3e6f3cc79c9f1786fcb22692d1f"
"client_id": "Your client ID"
}
{{< /code >}}
{{< /language-toggle >}}
Expand All @@ -251,11 +268,11 @@ required | true
type | String
example | {{< language-toggle >}}
{{< code yml >}}
client_secret: a0f2a3c1dcd5b1cac71bf0c03f2ff1bd
client_secret: Your client secret
{{< /code >}}
{{< code json >}}
{
"client_secret": "a0f2a3c1dcd5b1cac71bf0c03f2ff1bd"
"client_secret": "Your client secret"
}
{{< /code >}}
{{< /language-toggle >}}
Expand Down Expand Up @@ -456,11 +473,12 @@ api_version: authentication/v2
metadata:
name: okta
spec:
provider: Okta
additional_scopes:
- groups
- email
client_id: 4sd5jxiwxfvg82PoZ5d7
client_secret: r78316494besnNCmtmEBnS47ee792f31bf6216
client_id: Your client ID
client_secret: Your client secret
redirect_uri: http://127.0.0.1:8080/api/enterprise/authentication/v2/oidc/callback
server: https://dev-459543913.okta.com
disable_offline_access: false
Expand All @@ -475,15 +493,16 @@ spec:
"type": "oidc",
"api_version": "authentication/v2",
"metadata": {
"name": "okta"
"name": "Okta"
},
"spec": {
"provider": "Okta",
"additional_scopes": [
"groups",
"email"
],
"client_id": "4sd5jxiwxfvg82PoZ5d7",
"client_secret": "r78316494besnNCmtmEBnS47ee792f31bf6216",
"client_id": "Your client ID",
"client_secret": "Your client secret",
"redirect_uri": "http://127.0.0.1:8080/api/enterprise/authentication/v2/oidc/callback",
"server": "https://dev-459543913.okta.com",
"disable_offline_access": false,
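Review bot: `"name": "okta"` is changed to `"name": "Okta"` in the JSON example while the YAML example in the previous hunk keeps `name: okta`; the two toggles now describe different resources (names are matched verbatim, and the `\A[\w\.\-]+\z` rule accepts either case). Keep the lowercase `okta`, which also avoids readers conflating `metadata.name` with the new `"provider": "Okta"` field that is the actual selector.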
Expand All @@ -497,6 +516,81 @@ spec:

{{< /language-toggle >}}

## Register an Entra ID application

To use Entra ID for authentication, register Sensu Go as an OIDC web application.
Before you start, install Sensu Go with a valid commercial license and make sure you have access to the EntraID Administrator Dashboard.

Follow the steps in this section to create an Entra ID application and configure an Entra ID OIDC provider in Sensu.

### Create an Entra ID application

1. Create a `user` with required fields.
2. Create a group and assign the `group` name to match the `group created` in `Sensu`. For example, Sensu creates a default group called `cluster-admins`, which is assigned to the `default user admin`.
3. Register an application in `Entra ID`.
4. In the Certificates & Secrets section, generate a `client ID` and `secret`.
5. In the Token Configuration section, `add` a `group claim` to the application.
6. In the API Permissions section, add the following Microsoft Graph API permissions:
- `Directory.Read.All`
- `User.Read`
7. The provider in the OIDC file should be set to `EntraID`.

### Configure an Entra ID OIDC provider

Your Entra ID OIDC provider configuration should be similar to this example:

{{< language-toggle >}}

{{< code yml >}}
---
type: oidc
api_version: authentication/v2
metadata:
name: EntraID
spec:
provider: EntraID
additional_scopes:
- groups
- email
client_id: Your client ID
client_secret: Your client secret
redirect_uri: http://127.0.0.1:8080/api/enterprise/authentication/v2/oidc/callback
server: https://dev-459543913.com
disable_offline_access: false
groups_claim: groups
username_claim: email
groups_prefix: 'oidc:'
username_prefix: 'oidc:'
{{< /code >}}

{{< code json >}}
{
"type": "oidc",
"api_version": "authentication/v2",
"metadata": {
"name": "EntraID"
},
"spec": {
"provider": "EntraID",
"additional_scopes": [
"groups",
"email"
],
"client_id": "Your client ID",
"client_secret": "Your client secret",
"redirect_uri": "http://127.0.0.1:8080/api/enterprise/authentication/v2/oidc/callback",
"server": "https://dev-459543913.com",
"disable_offline_access": false,
"groups_claim": "groups",
"username_claim": "email",
"groups_prefix": "oidc:",
"username_prefix": "oidc:"
}
}
{{< /code >}}

{{< /language-toggle >}}

## Configure authorization for OIDC users

Configure [authorization][3] via role-based access control (RBAC) for your OIDC users and groups by creating [roles (or cluster roles)][4] and [role bindings (or cluster role bindings)][13] that map to the user and group names.
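Review bot: `server: https://dev-459543913.com` in both Entra ID examples is not an Entra ID endpoint; it reads like the Okta dev tenant host from the previous section with `.okta` dropped. Entra ID's OIDC issuer is `https://login.microsoftonline.com/<tenant-id>/v2.0`, and the example should show the tenant-specific form rather than `common`, because pinning the tenant ID is what stops tokens issued to users of other tenants from being accepted. Several of the numbered steps also need correcting: in step 4, "Certificates & Secrets" only creates a client secret, the client (application) ID is assigned when the app is registered in step 3; in steps 2 and 5, the Entra ID groups claim carries group object IDs by default, not display names, so matching the Sensu group name `cluster-admins` only works if the claim is configured to emit names or the role binding uses the object ID, and the page should say which; in step 6, `Directory.Read.All` is a broad, admin-consent permission, so the page should say what Sensu needs it for (if it is only group resolution, `GroupMember.Read.All` is the narrower choice); and step 7 is a Sensu configuration detail, not an Entra ID step, so it belongs with the config section below. On the config itself, `username_claim: email` relies on a claim Entra ID does not always emit and does not verify (the mail attribute is mutable), so it should not be the login identity; `preferred_username` is the safer choice, with a note that it is also an attribute rather than an immutable ID. Finally, "EntraID Administrator Dashboard" and "EntraID" should read "Microsoft Entra admin center" and "Entra ID" to match the section heading, and the `http://127.0.0.1:8080` redirect carries the same plain-HTTP caveat as the earlier examples.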