Hi, my name is Paul Gattas, and I'm with the Cloud Platforms business unit here at Red Hat. Today, I'm going to show you how to specify and configure an identity provider with OpenShift 4 by creating a custom resource that describes that identity provider and then adding it to the cluster. From there, OAuth facilitates a token exchange flow between OpenShift Container Platform and the IdP. As I was introducing myself, I was actually running the installer to install my OpenShift 4 cluster on the AWS platform. As you can see, the cluster is ready, and I'm going to go ahead and log in with the kubeadmin user. Now that we've logged in, I want you to notice that by default, only a kubeadmin user exists on your cluster. Now, it's important to note that you can configure many types of identity providers with the built-in OAuth server that comes with OpenShift. But for this demo, I'm going to configure htpasswd as an IdP to validate the usernames and passwords against a flat file generated using htpasswd. And then I'm going to configure GitHub as an identity provider to validate the usernames and passwords against GitHub's OAuth authentication server. Now, to use GitHub as an identity provider, we must register OpenShift as an OAuth application with GitHub. To do so, we go to the menu, Settings, and from there we're going to scroll all the way down to Developer settings, as you can see here. Then we're going to click on New OAuth application. Then we're going to give it a name; try to make it as descriptive as possible. From here, you need to enter the full URL for your application homepage. I'm just going to type in your API server for now. And then the authorization callback is the same as your homepage URL with the identity provider name appended towards the end of the URL. Now you can see we have a client ID as well as a client secret. These values are very important for us to complete the identity provider configuration.
And now that we have these values, we can actually go back to our OpenShift cluster and create our OpenShift secret. To do so, we're going to go to Workloads, Secrets, and click on Create Key/Value Secret in the GUI. Or we can go to the terminal and run a single command. This command is saying: I'm going to go ahead and create a secret with the name github-secret, and I'm going to embed the client secret that GitHub has provided me with into this OpenShift secret. Now that we have created our OpenShift secret, our next step is to create a CR, or custom resource, that describes the identity provider. Let's take a look at our custom resource. First of all, we can see that the kind is set to OAuth. If we navigate down to identity providers under spec, we can see we gave it the name of the identity provider. You can see that challenge is set to false because GitHub does not support basic auth challenge headers for unauthenticated token requests coming from non-web clients. Login is set to true because we want unauthenticated token requests from web clients like the web console to be redirected to a login page backed by this provider. Now, the mapping method is set to claim. The type is GitHub. And then under github, we're going to go ahead and add the client ID. This is a fake client ID that I'm adding here from my fake application; I'm not using the actual client ID that I'm using for this demo, for security reasons. And then we have our client secret that is embedded within our OpenShift secret called github-secret that we just created together. So now all that's really left for us to do is to apply the GitHub custom resource that we just created. And there you go. We can actually see that the cluster resource has been configured. So we can go ahead and clear the terminal and navigate back to our console to take a look.
Before checking on the cluster OAuth configuration, I'm going to go ahead and check on our GitHub secret under the openshift-config namespace to make sure that it's there. We can actually see that we have the client secret embedded. You can take a look at it in YAML format as well. Looks good. So now we can go ahead and navigate to our cluster OAuth config. From here you can actually see that GitHub is under the list of identity providers. Again, you can look at it in YAML format and also notice that GitHub is under the list of identity providers. This is good. So now, before we move forward, we can go ahead and set up htpasswd as an identity provider, but now using a different method: we're just going to use the GUI. The mapping method is similar to GitHub's, claim, but now all we have to do is upload our htpasswd file to OpenShift and click on Add. From here you can actually see that we now have both identity providers listed under the list of identity providers in our OAuth configuration. This is great. So we can click on Save. But before we continue any further and check to make sure that the htpasswd secret is created, we're going to go back to Workloads, Pods and navigate to our openshift-authentication namespace to make sure that our pods are actually ready and up and running. As you can see, the pods are in the process of getting ready. So we're going to give them a second, and there you go. Let's go ahead and click on one of the pods and take a look at it to make sure that everything looks good to us. There you go. You can notice that this was created less than a minute ago, right now. That means it's up to date. This is good. Everything looks good to me. So now we can go ahead and go back to the openshift-config namespace to make sure that we also have the htpasswd secret alongside the GitHub secret. And there you go. We have both secrets together. This is perfect. One last look at our cluster OAuth config to make sure that everything looks good.
And now from here, all that is left for us to do is to actually log out of our cluster. Now you can see we have three different methods: you can log in as kube:admin, GitHub, or htpasswd. But before we log in through htpasswd, let me open that file for you and show you what's inside. There's one user in this case, and the username is PaulGH. What I'm going to do next is essentially, when I log in through the console, I'm going to type "ht", click on htpasswd, and I will be using this user to authenticate against OpenShift. Click on Log in, and there we go. We can actually log in with a different user called PaulGH, and that's the same user inside my htpasswd file. If I click on GitHub, you can see we were redirected, and now I'm logged in with my GitHub credentials seamlessly into my OpenShift 4 cluster.
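The two identity providers from the demo, written out as a single OpenShift 4 OAuth custom resource. This is an added example, not the YAML shown in the video: the provider names (my_htpasswd_provider and github), the secret names (htpass-secret and github-secret), the placeholder client ID and the organizations restriction are all assumptions, and the commands in the comments are the oc and htpasswd invocations that would create the referenced secrets.

```yaml
# Added example: cluster OAuth configuration with both an htpasswd and a GitHub
# identity provider. Names and the client ID are assumed, not taken from the demo.
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  # There is exactly one OAuth resource per cluster, and it must be named "cluster".
  name: cluster
spec:
  identityProviders:
  - name: my_htpasswd_provider          # assumed name; shown as a button on the login page
    mappingMethod: claim                 # first login claims the username; a later login with the
                                         # same username from another IdP is rejected, not merged
    type: HTPasswd
    htpasswd:
      fileData:
        # Secret in openshift-config whose "htpasswd" key holds the file, e.g.:
        #   htpasswd -c -B -b users.htpasswd PaulGH '<password>'
        #   oc create secret generic htpass-secret \
        #       --from-file=htpasswd=users.htpasswd -n openshift-config
        name: htpass-secret
  - name: github                         # assumed name; it is the last path segment of the
                                         # callback URL registered with GitHub (see usage note)
    mappingMethod: claim
    type: GitHub
    github:
      clientID: 0123456789abcdef0123     # placeholder, not a real client ID
      clientSecret:
        # Secret in openshift-config whose "clientSecret" key holds the GitHub client secret:
        #   oc create secret generic github-secret \
        #       --from-literal=clientSecret='<secret>' -n openshift-config
        name: github-secret
      # Assumed restriction: only members of this GitHub organization can log in.
      # Without organizations or teams, any github.com account that completes the
      # OAuth flow is mapped to a cluster user, so set one of the two for github.com.
      organizations:
      - my-github-org
```

Apply it with `oc apply -f oauth.yaml`, then watch `oc get pods -n openshift-authentication` roll out new oauth-openshift pods before testing a login; `oc get oauth cluster -o yaml` shows the merged provider list, and `oc get users` and `oc get identity` show the User and Identity objects that claim mapping creates on first login. The callback URL to register with GitHub is the OAuth server route, not the API server: `https://oauth-openshift.apps.<cluster-name>.<base-domain>/oauth2callback/<idp-name>` (the host comes from `oc get route oauth-openshift -n openshift-authentication`), and the `<idp-name>` must match the provider's `name` field exactly. A user created this way holds no RBAC beyond the system:authenticated defaults until you bind roles to it, and once a real user has been given cluster-admin you can remove the temporary kubeadmin login by deleting its secret from the kube-system namespace.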