RewriteCond %{REQUEST_URI} ^/challenging-proxy
RewriteCond %{LA-U:REMOTE_USER} ^$ [NC]
RewriteRule ^.* - [F,L]

# Insert your backend server name/ip here.
ProxyPass https://[MASTER]:8443/oauth/authorize

# mod_auth_form providers are implemented by mod_authn_dbm, mod_authn_file,
# mod_authn_dbd, mod_authnz_ldap and mod_authn_socache.
(objectClass=*)"
# It's possible to remove the mod_auth_form usage and replace it with
# something like mod_auth_kerb, mod_auth_gssapi or even mod_auth_mellon.
When running a master without a configuration file, the AllowAll identity provider is used by default, which allows any non-empty user name and password to log in. To use other identity providers, or to modify any token, grant, or session options, you must run the master from a configuration file.
# Available variables for configuring certificates for other identity providers:
#openshift_master_openid_ca
#openshift_master_openid_ca_file
#openshift_master_request_header_ca
#openshift_master_request_header_ca_file

You can configure the master host for authentication using your desired identity provider by modifying the master configuration file.
Otherwise, any direct request to the OAuth server can impersonate any identity from this provider, merely by setting a request header.

identityProviders:
- name: my_request_header_provider (1)
  challenge: true (2)
  login: true (3)
  mappingMethod: claim (4)
  provider:
    apiVersion: v1
    kind: RequestHeaderIdentityProvider
    challengeURL: "https:// $" (6)
    clientCA: /path/to/ (7)
    clientCommonNames: (8)
    - my-auth-proxy
    headers: (9)
    - X-Remote-User
    - SSO-User
    emailHeaders: (10)
    - X-Remote-User-Email
    nameHeaders: (11)
    - X-Remote-User-Display-Name
    preferredUsernameHeaders: (12)
    - X-Remote-User-Login

Optional: PEM-encoded certificate bundle.
If set, a valid client certificate must be presented and validated against the certificate authorities in the specified file before the request headers are checked for user names.
Using this method requires you to manually provision users. This is similar to how the remote user plug-in in OpenShift Enterprise 2 allowed administrators to provide Kerberos, LDAP, and many other forms of enterprise authentication.

The clientCA parameter MUST be set for this identity provider, so that incoming requests are checked for a valid client certificate before the request's headers are checked for a user name.

You can integrate your OpenShift Origin cluster with Keystone to enable shared authentication with an OpenStack Keystone v3 server configured to store users in an internal database. Once configured, this configuration allows users to log in to OpenShift Origin with their Keystone credentials.
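The clientCA requirement above is easy to lose when a master config is hand-edited, and the consequence is silent: the master keeps trusting X-Remote-User, now from anyone who can reach the OAuth server directly. The following is an added example, not code from the OpenShift project or its documentation. It audits the parsed identityProviders section of a master config for RequestHeaderIdentityProvider entries that lack clientCA, a headers list, or the challengeURL/loginURL their challenge/login flags require, and shows a hardened copy beside the weak one. The sample config, the proxy hostname, CA path and proxy URL paths are constructed placeholders; the field names and the AllowAllPasswordIdentityProvider kind are OpenShift's. Treating an unset clientCommonNames as "any certificate issued by clientCA is accepted" is this example's reading of the optional field, not a statement from the page.

```python
"""Audit RequestHeaderIdentityProvider entries in a parsed OpenShift master config.

Added example, not OpenShift's own code. Operates on the dict you would get from
loading master-config.yaml; the sample below is constructed inline so it runs offline.
"""
import copy

REQUEST_HEADER_KIND = "RequestHeaderIdentityProvider"


def audit_identity_providers(master_config):
    """Return a list of (provider_name, severity, message) findings."""
    findings = []
    for idp in master_config.get("identityProviders", []):
        name = idp.get("name", "<unnamed>")
        provider = idp.get("provider", {})
        if provider.get("kind") != REQUEST_HEADER_KIND:
            continue  # only the header-trusting provider is in scope here

        # Without clientCA the master trusts the user-name headers from any
        # client that reaches the OAuth server directly, bypassing the proxy.
        if not provider.get("clientCA"):
            findings.append((name, "critical",
                "clientCA is unset: any direct request to the OAuth server can "
                "impersonate any identity by setting a request header"))
        elif not provider.get("clientCommonNames"):
            # Assumption of this example: with no CN list, any certificate
            # issued by clientCA is accepted, not only the proxy's own.
            findings.append((name, "info",
                "clientCommonNames is unset: any client certificate issued by "
                "clientCA is accepted, not only the authenticating proxy's"))

        if not provider.get("headers"):
            findings.append((name, "high",
                "headers is empty: no request header is checked for a user name"))

        # A challenge or login flow needs the URL of the authenticating proxy.
        for flag, url_key in (("challenge", "challengeURL"), ("login", "loginURL")):
            if idp.get(flag) and not provider.get(url_key):
                findings.append((name, "high", f"{flag} is true but {url_key} is unset"))
    return findings


def harden(master_config, client_ca, proxy_cn, proxy_base_url):
    """Return a deep copy with every RequestHeaderIdentityProvider pinned to the
    authenticating proxy's client certificate and given its proxy URLs.
    The /challenging-proxy and /login-proxy paths are this example's assumption."""
    fixed = copy.deepcopy(master_config)
    for idp in fixed.get("identityProviders", []):
        provider = idp.setdefault("provider", {})
        if provider.get("kind") != REQUEST_HEADER_KIND:
            continue
        provider["clientCA"] = client_ca
        provider["clientCommonNames"] = [proxy_cn]
        if idp.get("challenge"):
            provider.setdefault("challengeURL",
                                proxy_base_url + "/challenging-proxy/oauth/authorize?${query}")
        if idp.get("login"):
            provider.setdefault("loginURL",
                                proxy_base_url + "/login-proxy/oauth/authorize?${query}")
    return fixed


# Constructed sample: the parsed form of an identityProviders section.
# Hostnames and paths are placeholders, not values from any real deployment.
SAMPLE_MASTER_CONFIG = {
    "identityProviders": [
        {
            "name": "my_request_header_provider",
            "challenge": True,
            "login": True,
            "mappingMethod": "claim",
            "provider": {
                "apiVersion": "v1",
                "kind": REQUEST_HEADER_KIND,
                # clientCA and challengeURL are deliberately missing here
                "loginURL": "https://proxy.example.com/login-proxy/oauth/authorize?${query}",
                "headers": ["X-Remote-User", "SSO-User"],
                "emailHeaders": ["X-Remote-User-Email"],
            },
        },
        {
            # Not a request-header provider: the audit skips it.
            "name": "allow_all_dev_only",
            "challenge": True,
            "login": True,
            "mappingMethod": "claim",
            "provider": {"apiVersion": "v1", "kind": "AllowAllPasswordIdentityProvider"},
        },
    ]
}

if __name__ == "__main__":
    for name, severity, message in audit_identity_providers(SAMPLE_MASTER_CONFIG):
        print(f"[{severity}] {name}: {message}")
    fixed = harden(SAMPLE_MASTER_CONFIG, "/etc/origin/master/proxy-ca.crt",
                   "my-auth-proxy", "https://proxy.example.com")
    print("findings after hardening:", audit_identity_providers(fixed))
```

Run it against a real config by loading master-config.yaml with a YAML parser and passing the resulting dict to audit_identity_providers; the critical finding is the one to act on first, since it is exactly the impersonation-by-header case the documentation warns about.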