Authentication Provider Setup Guides
This document provides setup instructions for each supported authentication provider.
Overview
The Greenfield Cluster supports the following authentication providers:
- Azure AD - Microsoft Azure Active Directory (OIDC)
- Google - Google Workspace / Gmail (OIDC)
- GitHub - GitHub Organizations (OAuth2)
- Okta - Okta SAML via Keycloak broker
- Keycloak - Self-hosted identity provider
Quick Setup Matrix
| Provider | Setup Time | Complexity | Group Support | Best For |
|---|---|---|---|---|
| Azure AD | 15 min | Medium | Yes (with config) | Enterprises using Microsoft 365 |
| Google | 10 min | Low | Limited | Startups using Google Workspace |
| GitHub | 5 min | Very Low | Yes (org/teams) | Developer-focused organizations |
| Okta SAML | 30 min | High | Yes | Enterprises with existing Okta |
| Keycloak | 45 min | Very High | Yes | Full control requirements |
Azure AD Setup
Prerequisites
- Azure AD tenant
- Admin access to create App Registrations
Step-by-Step
1. Create App Registration
2. Note Configuration Values
   - Application (client) ID
   - Directory (tenant) ID
3. Create a client secret in "Certificates & secrets"
4. Configure Groups (Optional)
   - Under the App Registration's Token configuration, add the groups claim so group IDs are emitted in the ID token
5. Deploy to Cluster
6. Update Configuration: edit kustomize/base/auth/overlays/provider-azuread/configmap.yaml
Testing
```bash
# Check deployment
kubectl get pods -n greenfield -l app=oauth2-proxy

# Test auth flow: an unauthenticated request must be redirected, never served
curl -I https://myapp.example.com
# Should redirect to login.microsoftonline.com. Depending on how the ingress
# hands the 401 to oauth2-proxy, the first Location header may point at
# oauth2-proxy's own /oauth2/start endpoint; `curl -IL --max-redirs 3` shows
# the whole chain.
```
Common Issues
- Groups not in token: Check the API permissions and, under Token configuration, that the groups claim is added to the ID token. If the user belongs to more than 200 groups, Azure AD omits the claim entirely and emits a groups overage (_claim_names / _claim_sources pointing at Microsoft Graph) instead; oauth2-proxy cannot resolve that, so for such users emit only "Groups assigned to the application"
- Redirect loop: Verify the redirect URI registered in Azure AD matches the one oauth2-proxy sends exactly (scheme, host, path)
- Invalid token: Check that the tenant ID in the issuer URL matches the token's iss claim; a tenant mismatch (or "common" in place of the tenant ID) makes every token fail validation
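To tell the "groups not in token" and "invalid token" cases apart, decode the ID token issued to the app registration and look at the claims. The script below is an added example written for this guide, not oauth2-proxy or Greenfield code; it inspects the payload without verifying the signature (oauth2-proxy does that; this is a diagnostic aid only), the tenant ID and issuer are placeholders, and the tokens it builds are constructed samples:

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(id_token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.
    Diagnostic only: never make an authorization decision on this output."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(id_token: str, expected_issuer: str) -> dict:
    """Classify the two failure modes from the Common Issues list."""
    claims = decode_claims(id_token)
    if "groups" in claims:
        groups = "present"
    elif "groups" in claims.get("_claim_names", {}):
        # Groups overage: the user is in more than 200 groups, so Azure AD
        # omits the claim and points at Microsoft Graph instead. oauth2-proxy
        # does not follow that pointer, so group-based allow rules fail.
        groups = "overage"
    else:
        groups = "missing"  # groups claim not added under Token configuration
    return {
        # OIDC issuer comparison is exact; a tenant mismatch shows up here.
        "issuer_ok": claims.get("iss") == expected_issuer,
        "groups": groups,
        "group_count": len(claims.get("groups", [])),
    }


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample token (alg=none, empty signature) for offline testing."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed samples: placeholder tenant, no real identifiers.
TENANT = "11111111-2222-3333-4444-555555555555"
ISSUER = f"https://login.microsoftonline.com/{TENANT}/v2.0"

GOOD_TOKEN = make_unsigned_token({"iss": ISSUER, "groups": ["group-a", "group-b"]})
OVERAGE_TOKEN = make_unsigned_token({
    "iss": ISSUER,
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.microsoft.com/v1.0/users/x/getMemberObjects"}},
})
WRONG_TENANT_TOKEN = make_unsigned_token({"iss": "https://login.microsoftonline.com/common/v2.0"})

if __name__ == "__main__":
    for name, token in (("good", GOOD_TOKEN), ("overage", OVERAGE_TOKEN), ("wrong-tenant", WRONG_TENANT_TOKEN)):
        print(name, diagnose(token, ISSUER))
```

Run it against a real token by passing the token string and the issuer URL configured for oauth2-proxy to diagnose(); an "overage" verdict means the fix is on the Azure AD side (emit only the groups assigned to the application), not in the cluster configuration.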
Google Setup
Prerequisites
- Google Cloud Project
- Google Workspace (for group support)
Step-by-Step
1. Create OAuth Credentials
2. Note Configuration Values
   - Client ID (ends with .apps.googleusercontent.com)
   - Client secret
3. Deploy to Cluster

   ```bash
   make auth.install PROVIDER=google DOMAIN=example.com

   # Create secrets
   # (--from-literal values are recorded in shell history; for a real client
   # secret prefer --from-file=client-secret=./client-secret.txt)
   kubectl create secret generic oauth2-proxy-secret \
     --from-literal=client-id=YOUR_CLIENT_ID.apps.googleusercontent.com \
     --from-literal=client-secret=YOUR_CLIENT_SECRET \
     --from-literal=cookie-secret=$(openssl rand -base64 32 | head -c 32) \
     -n greenfield
   ```

4. Configure Domain Restriction (Optional)
   - Set OAUTH2_PROXY_EMAIL_DOMAINS (the --email-domain flag) to your Workspace domain so only verified addresses in that domain are accepted
Testing
```bash
# Check deployment
kubectl get pods -n greenfield -l app=oauth2-proxy

# Test auth flow
curl -I https://myapp.example.com
# Should redirect to accounts.google.com
```
Common Issues
- Domain restriction not working: Check the OAUTH2_PROXY_EMAIL_DOMAINS environment variable (the --email-domain flag). OAUTH2_PROXY_GOOGLE_GROUP restricts logins to a Google Group, not to a domain, and only works with a service account that has Admin SDK access
- Groups not supported: Google OIDC doesn't put groups in the ID token; use domain restriction, or OAUTH2_PROXY_GOOGLE_GROUP together with OAUTH2_PROXY_GOOGLE_ADMIN_EMAIL and OAUTH2_PROXY_GOOGLE_SERVICE_ACCOUNT_JSON so oauth2-proxy can look membership up through the Admin SDK
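What a domain restriction should actually check in the Google ID token, as an added example written for this guide (not oauth2-proxy or Greenfield code): the allow-list mirrors what OAUTH2_PROXY_EMAIL_DOMAINS expresses, the sample claims are constructed, and the hd handling is an extra check this page does not describe, included because "restrict to our domain" usually means "restrict to accounts our Workspace admins control":

```python
def check_google_domain(claims: dict, allowed_domains: list[str]) -> dict:
    """Decide whether a Google ID token's claims pass a domain allow-list.

    allowed_domains corresponds to OAUTH2_PROXY_EMAIL_DOMAINS; '*' admits any
    verified account. The verdict carries a reason so a denied login can be
    explained in one log line.
    """
    email = claims.get("email", "")
    if "@" not in email:
        return {"allowed": False, "reason": "no email claim in token"}
    # Never trust an unverified address: email_verified can be false for a
    # Google account registered with a non-Google address, and a domain check
    # on an unverified address proves nothing.
    if claims.get("email_verified") is not True:
        return {"allowed": False, "reason": "email not verified"}
    domain = email.rsplit("@", 1)[1].lower()
    allowed = {d.lower() for d in allowed_domains}
    if "*" not in allowed and domain not in allowed:
        return {"allowed": False, "reason": f"domain {domain} not in allow-list"}
    # 'hd' is the hosted-domain claim Google sets only for Workspace / Cloud
    # organisation accounts. A consumer @gmail.com account never carries it,
    # so its presence tells you the account is admin-managed (suspendable,
    # subject to the organisation's 2-step verification policy).
    hd = (claims.get("hd") or "").lower()
    return {
        "allowed": True,
        "reason": "wildcard" if "*" in allowed else f"domain {domain} allowed",
        "workspace_managed": hd != "" and hd in allowed,
    }


# Constructed sample claims (not taken from real tokens)
WORKSPACE_USER = {"email": "alice@example.com", "email_verified": True, "hd": "example.com"}
GMAIL_USER = {"email": "bob@gmail.com", "email_verified": True}
UNVERIFIED_USER = {"email": "mallory@example.com", "email_verified": False}

if __name__ == "__main__":
    for user in (WORKSPACE_USER, GMAIL_USER, UNVERIFIED_USER):
        print(user["email"], check_google_domain(user, ["example.com"]))
```

The UNVERIFIED_USER sample is the case that matters: its address is in the allowed domain, yet it must be rejected, because the email claim alone says nothing about who controls the account.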
GitHub Setup
Prerequisites
- GitHub Organization (for team support)
- Admin access to create OAuth Apps
Step-by-Step
1. Create OAuth App
2. Note Configuration Values
   - Client ID
   - Client secret
3. Deploy to Cluster
4. Configure Organization/Team (Optional): edit kustomize/base/auth/overlays/provider-github/configmap.yaml
   - OAUTH2_PROXY_GITHUB_ORG restricts logins to members of the organization; OAUTH2_PROXY_GITHUB_TEAM additionally requires membership of the listed team(s), given by slug
Testing
```bash
# Check deployment
kubectl get pods -n greenfield -l app=oauth2-proxy

# Test auth flow
curl -I https://myapp.example.com
# Should redirect to github.com/login/oauth
```
Common Issues
- Organization restriction not working: Check the OAUTH2_PROXY_GITHUB_ORG environment variable (and OAUTH2_PROXY_GITHUB_TEAM if you also restrict by team)
- Team access denied: Ensure the user is a member of the specified team and that the team is given by its slug, not its display name
- Private org members: The user must grant the OAuth app the read:org scope during authorization, otherwise private membership is invisible to oauth2-proxy; if the organization restricts third-party application access, an organization owner must also approve the app
Okta SAML Setup
Prerequisites
- Okta account with admin access
- PostgreSQL database (included in greenfield cluster)
Architecture
This setup uses Keycloak as a broker to convert Okta SAML to OIDC.
Step-by-Step
1. Deploy Keycloak
2. Create Secrets

   ```bash
   # Keycloak admin
   kubectl create secret generic keycloak-admin-secret \
     --from-literal=password=$(openssl rand -base64 32) \
     -n greenfield

   # Keycloak database
   kubectl create secret generic keycloak-db-secret \
     --from-literal=username=keycloak \
     --from-literal=password=$(openssl rand -base64 32) \
     -n greenfield

   # oauth2-proxy (client secret will be set later from Keycloak)
   kubectl create secret generic oauth2-proxy-secret \
     --from-literal=client-id=oauth2-proxy \
     --from-literal=client-secret=TEMPORARY \
     --from-literal=cookie-secret=$(openssl rand -base64 32 | head -c 32) \
     -n greenfield
   ```

3. Configure Okta SAML App

   Okta → Applications → Create App Integration
   - Sign-in method: SAML 2.0
   - App name: Keycloak
   - Single sign on URL: https://keycloak.example.com/auth/realms/master/broker/okta/endpoint
   - Audience URI: https://keycloak.example.com/auth/realms/master

   Attribute Statements:
   - email → user.email
   - firstName → user.firstName
   - lastName → user.lastName
   - groups: if group support is needed, add a Group Attribute Statement named groups with a filter that selects the groups to release (for example Matches regex .*); Okta sends groups through group attribute statements, not through a user attribute

4. Configure Keycloak

   ```bash
   # Access Keycloak admin
   kubectl port-forward -n greenfield svc/keycloak 8080:8080
   # Open http://localhost:8080/auth
   #
   # Note: Keycloak recommends keeping the master realm for administration only.
   # The same steps work in a dedicated realm; adjust the realm in every URL
   # above and below if you use one.
   #
   # In Keycloak:
   # 1. Add Identity Provider (SAML v2.0)
   #    - Alias: okta
   #    - Service Provider Entity ID: https://keycloak.example.com/auth/realms/master
   #    - Single Sign-On Service URL: (from Okta)
   #    - Upload Okta signing certificate and leave signature validation enabled
   #
   # 2. Create OIDC Client
   #    - Client ID: oauth2-proxy
   #    - Access Type: confidential
   #    - Valid Redirect URIs: https://auth.example.com/oauth2/callback (exact URI, no wildcard)
   #    - Copy client secret
   #
   # 3. Configure Mappers
   #    - Add group membership mapper
   #    - Add SAML attribute mappers
   ```

5. Update oauth2-proxy Secret

   Replace the TEMPORARY client-secret value in the oauth2-proxy-secret created in step 2 with the client secret copied from Keycloak, then restart the oauth2-proxy pods so they pick up the new value.
Testing
```bash
# Check deployments
kubectl get pods -n greenfield -l app=keycloak
kubectl get pods -n greenfield -l app=oauth2-proxy

# Test auth flow
curl -I https://myapp.example.com
# Should redirect to Keycloak, which redirects to Okta
```
Common Issues
- SAML assertion failed: Check certificate, SSO URL, Entity ID
- Groups not in token: Configure SAML attribute mapper and group mapper
- Redirect loop: Verify all URLs match (Okta, Keycloak, oauth2-proxy)
Keycloak as Primary IdP
Prerequisites
- PostgreSQL database (included in greenfield cluster)
Step-by-Step
1. Deploy Keycloak
2. Create Secrets
3. Access Admin Console
4. Configure Realms and Clients
   - Create application-specific realms (keep the master realm for administration only)
   - Configure OIDC clients
   - Set up user federation (LDAP, AD)
   - Configure identity brokering
Testing
```bash
# Check deployment
kubectl get pods -n greenfield -l app=keycloak

# Test realm availability
curl https://keycloak.example.com/auth/realms/master/.well-known/openid-configuration
# The "issuer" field in the response must equal the issuer URL given to
# oauth2-proxy character for character (scheme, host, /auth prefix, no
# trailing slash), or tokens will be rejected
```
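The discovery document is the first thing to check when either Keycloak-backed setup above loops or rejects tokens: the Okta section's "verify all URLs match" and the realm test here are the same check. The script below is an added example written for this guide, not Keycloak or Greenfield code; the hostnames and realm paths are the placeholders used throughout this page, and the sample documents are constructed:

```python
import json
import urllib.request
from urllib.parse import urlparse

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer: str) -> str:
    """OIDC Discovery location for an issuer URL."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def fetch_discovery(issuer: str, timeout: float = 5.0) -> dict:
    """Fetch the live document (network; the offline checks below do not use it)."""
    with urllib.request.urlopen(discovery_url(issuer), timeout=timeout) as resp:
        return json.load(resp)


def check_discovery(doc: dict, expected_issuer: str) -> list[str]:
    """Return the problems found; an empty list means the document is usable."""
    problems = [f"missing {key}" for key in REQUIRED_KEYS if key not in doc]
    issuer = doc.get("issuer", "")
    # OIDC issuer comparison is byte-exact. A trailing slash, http instead of
    # https, or the legacy /auth prefix present on one side only makes every
    # token fail validation, which shows up as "invalid token" or a login loop.
    if issuer != expected_issuer:
        problems.append(f"issuer mismatch: document says {issuer!r}, config says {expected_issuer!r}")
    issuer_host = urlparse(issuer).hostname
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key)
        if not url:
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{key} is not https: {url}")
        if parsed.hostname != issuer_host:
            # Happens when Keycloak derives its hostname from the request (for
            # example when reached over a port-forward or a cluster-internal
            # service) instead of a fixed public hostname: the browser is then
            # redirected to an address it cannot reach.
            problems.append(f"{key} host {parsed.hostname!r} differs from issuer host {issuer_host!r}")
    return problems


# Constructed sample documents, trimmed to the fields checked here.
ISSUER = "https://keycloak.example.com/auth/realms/master"
GOOD_DOC = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": ISSUER + "/protocol/openid-connect/token",
    "jwks_uri": ISSUER + "/protocol/openid-connect/certs",
}
# What the same realm returns over the port-forward from the Okta section.
PORT_FORWARD_DOC = {
    "issuer": "http://localhost:8080/auth/realms/master/",
    "authorization_endpoint": "http://localhost:8080/auth/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "http://localhost:8080/auth/realms/master/protocol/openid-connect/token",
    "jwks_uri": "http://localhost:8080/auth/realms/master/protocol/openid-connect/certs",
}
# Public issuer but a cluster-internal token endpoint (hypothetical service name).
INTERNAL_ENDPOINT_DOC = dict(
    GOOD_DOC,
    token_endpoint="https://keycloak.greenfield.svc:8443/auth/realms/master/protocol/openid-connect/token",
)

if __name__ == "__main__":
    for name, doc in (("good", GOOD_DOC), ("port-forward", PORT_FORWARD_DOC), ("internal", INTERNAL_ENDPOINT_DOC)):
        print(name, check_discovery(doc, ISSUER) or "OK")
```

For a live check, call check_discovery(fetch_discovery(issuer), issuer) with the issuer URL from the oauth2-proxy configuration; the document must be fetched through the same public hostname the browser will use, since that is the hostname Keycloak may echo back into the endpoints.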
Next Steps
After provider setup:
1. Protect an Application
2. Verify Configuration
3. Review Documentation
   - Architecture
   - Troubleshooting
   - App Templates