Bug
Resolution: Unresolved
Critical
4.18.z
Quality / Stability / Reliability
Important
Customer Escalated, Customer Facing
Description of problem:
The cluster is configured with the Azure AD EntraID as OpenID Identity Provider.
The login works and the configuration is set to receive the groups from the OpenID.
///
openID:
  claims:
    email:
    - email
    groups:
    - groups
    name:
    - name
    preferredUsername:
    - preferred_username
///
However, when the userInfo is synced from the OpenID, the multiple groups are returned with the GID/GUID (per comment [1] I believe it is guid) in a format that OCP interprets as a long string, creating 1 group with a long name instead of 3 groups with GUIDs.
///
I1028 09:08:16.428172 1 openid.go:220] identity=&api.DefaultUserIdentityInfo{ProviderName:"azure", ProviderUserName:"CLEANED", ProviderGroups:[]string{"[\"CLEANED-d414-4f33-b6ec-CLEANED\",\"CLEANED-bc60-42d3-9d95-CLEANED\",\"CLEANED-bfc3-4a13-a339-CLEANED\"]"},....."
///
The group is then created with one single name:
///
name: ["CLEANED-d414-4f33-b6ec-CLEANED","CLEANED-bc60-42d3-9d95-CLEANED","CLEANED-bfc3-4a13-a339-CLEANED"]
///
Is this expected behavior?
As the group sync through the group names is not supported/working, is the sync with the GID/GUID expected to work?
[1] https://issues.redhat.com/browse/AUTH-10?focusedId=24404711&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-24404711
Version-Release number of selected component (if applicable):
OpenShift Container Platform 4.18.22 EntraID OpenID provider
How reproducible:
n/a
Steps to Reproduce:
1.
2.
3.
Actual results:
Expected results:
Additional info:
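The log line above shows the groups claim arriving as one string whose content is itself a JSON array, which is why a single group with the whole array as its name is created. The following Go program is an added illustration of that failure mode, not code from OpenShift or from the reporter: it decodes two constructed claims documents (placeholder GUIDs, not real tenant values), reports how many groups a literal reading of the claim yields, and shows a hypothetical normalisation step that unpacks a stringified array before group names are derived. The helper names (literalGroups, normalizedGroups, countGroups) are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample claims documents (placeholder GUIDs, not real tenant values).
// sampleArrayClaims carries "groups" as a proper JSON array of strings.
const sampleArrayClaims = `{"preferred_username":"alice@example.test","groups":["aaaaaaaa-d414-4f33-b6ec-000000000001","aaaaaaaa-bc60-42d3-9d95-000000000002","aaaaaaaa-bfc3-4a13-a339-000000000003"]}`

// sampleStringifiedClaims carries "groups" as ONE string whose content is a JSON array,
// which is the shape visible in the openid.go log line of the report.
const sampleStringifiedClaims = `{"preferred_username":"alice@example.test","groups":"[\"aaaaaaaa-d414-4f33-b6ec-000000000001\",\"aaaaaaaa-bc60-42d3-9d95-000000000002\",\"aaaaaaaa-bfc3-4a13-a339-000000000003\"]"}`

// literalGroups mirrors a literal reading of the claim: an array becomes one
// group per element, a bare string becomes a single group named after the string.
// Any other type is not a usable groups claim.
func literalGroups(claim interface{}) []string {
	switch v := claim.(type) {
	case []interface{}:
		out := make([]string, 0, len(v))
		for _, g := range v {
			if s, ok := g.(string); ok {
				out = append(out, s)
			}
		}
		return out
	case string:
		return []string{v}
	}
	return nil
}

// normalizedGroups is a hypothetical defensive step: when the literal reading
// yields exactly one group whose name looks like a JSON array, parse that array
// and use its elements as the group names instead.
func normalizedGroups(claim interface{}) []string {
	groups := literalGroups(claim)
	if len(groups) == 1 {
		s := strings.TrimSpace(groups[0])
		if strings.HasPrefix(s, "[") && strings.HasSuffix(s, "]") {
			var nested []string
			if err := json.Unmarshal([]byte(s), &nested); err == nil {
				return nested
			}
		}
	}
	return groups
}

// countGroups decodes a raw claims document and returns how many groups would
// be created from its "groups" claim, literally or with normalisation applied.
func countGroups(rawClaims string, normalize bool) (int, []string, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal([]byte(rawClaims), &claims); err != nil {
		return 0, nil, err
	}
	var groups []string
	if normalize {
		groups = normalizedGroups(claims["groups"])
	} else {
		groups = literalGroups(claims["groups"])
	}
	if groups == nil {
		return 0, nil, fmt.Errorf("groups claim missing or of unsupported type %T", claims["groups"])
	}
	return len(groups), groups, nil
}

func main() {
	for _, raw := range []string{sampleArrayClaims, sampleStringifiedClaims} {
		n, groups, err := countGroups(raw, false)
		fmt.Printf("literal:    %d group(s) %v err=%v\n", n, groups, err)
		n, groups, err = countGroups(raw, true)
		fmt.Printf("normalized: %d group(s) %v err=%v\n", n, groups, err)
	}
}
```

Running it prints one group for the stringified claim under the literal reading and three under normalisation, while the proper array yields three either way. Decoding the id_token or userInfo response from the provider and checking which of the two shapes the groups claim actually has is the quickest way to confirm where the single long group name comes from.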