Uploaded image for project: 'OpenShift Request For Enhancement'
  1. OpenShift Request For Enhancement
  2. RFE-4118

Aggregated and Distributed Claims support in OpenShift Container Platform 4 for OpenID

    XMLWordPrintable

Details

    • False
    • None
    • False
    • Not Selected
    • 0
    • 0% 0%

    Description

      1. Proposed title of this feature request
      Aggregated and Distributed Claims support in OpenShift Container Platform 4 for OpenID

      2. What is the nature and description of the request?
      In OpenShift Container Platform 4.10, we did implement Syncing group membership from OpenID Connect identity providers. This works great but for example in Azure AD is facing some limitation as Azure AD is limiting number of groups part of the token to 200 to keep the size of the token at a reasonable level.

      Instead, they are offering Aggregated and Distributed Claims to fetch the group members via a specific API from the authenticated user. That prevents large token being sent and still makes sure all required groups will be made available.

      3. Why does the customer need this? (List the business requirements here)
      Given that OpenShift Container Platform 4 is used in large enterprise environments, that are more and more adopting Azure AD, it's definitely expected that users with more than 200 group membership will eventually start using OpenShift Container Platform 4 but then face a problem because groups may be truncated from the token and thus not be available, limiting access and functionality in OpenShift Container Platform 4.

      To prevent this from happening, we should provide support for Aggregated and Distributed Claims in OpenShift Container Platform 4 and it's OpenID support to make sure all possible sizes and variations found at customers are going to work and won't limit users in functionality and access.

      4. List any affected packages or components.

      • oauth-server
      • oauth-apiserver

      Attachments

        Issue Links

          causes

          Feature Request - Feature requests from customers and/or users RFE-4576 Offer Group Sync Operator as part of OpenShift Container Platform Subscription and support/maintain it

          • Critical - To be worked on immediately following BLOCKER issues.
          • Rejected
          duplicates

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. AUTH-10 Azure Active Directory OIDC

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is related to

          Feature Request - Feature requests from customers and/or users RFE-106 Automate group / membership from external IdP

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Accepted

          Activity

            People

              atelang@redhat.com Anjali Telang
              rhn-support-sreber Simon Reber
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: