This was pieced together by reading documentation and some other blog posts.
PingFederate Config:
I didn’t have access to this and just worked with our enterprise admin, but the big thing was the delimiter on the groups claim. Foreman is hard-coded to expect : as the delimiter and by default our PingFederate was sending commas.
But what you’ll need from your admin:
Client ID
Client Secret
OIDCProviderMetadataURL (for example, ours was https://idp.example.com/.well-known/openid-configuration)
Things you’ll need to send your admin:
OIDCRedirectURI ( https://satellite.example.com/users/extlogin/redirect_uri )
Foreman Config:
Install the OIDC module:
dnf install mod_auth_openidc --disableplugin=foreman-protector
Tell Foreman to create a config file for OIDC:
satellite-installer --foreman-keycloak true --foreman-keycloak-app-name "foreman-openidc" --foreman-keycloak-realm "Satellite_Realm"
Then edit your new file:
/etc/httpd/conf.d/foreman-openidc_oidc_keycloak_Satellite_Realm.conf
# Long random string; mod_auth_openidc uses it to encrypt its session cookies
OIDCCryptoPassphrase <random-string>
# Must match the redirect URI you sent to your PingFederate admin
OIDCRedirectURI https://satellite.example.com/users/extlogin/redirect_uri
OIDCProviderMetadataURL https://idp.example.com/.well-known/openid-configuration
OIDCClientID <application-ID>
OIDCClientSecret <application-secret>
OIDCScope "openid email profile"
OIDCResponseType code
OIDCRemoteUserClaim preferred_username
# If the IdP sends groups as a JSON array, mod_auth_openidc joins the values with
# OIDCClaimDelimiter (a comma by default); Foreman splits REMOTE_USER_GROUPS on ":"
<Location /users/extlogin>
AuthType openid-connect
Require valid-user
# Debug output includes the token claims in the Apache error log; lower it once login works
LogLevel debug
# Never pass the access token through to Foreman
RequestHeader unset OIDC_access_token
RequestHeader unset OIDC_access_token_claims
# Foreman reads its user attributes from these headers, set only for authenticated requests
RequestHeader set REMOTE_USER %{OIDC_CLAIM_preferred_username}e
RequestHeader set REMOTE_USER_EMAIL %{OIDC_CLAIM_email}e
RequestHeader set REMOTE_USER_FIRSTNAME %{OIDC_CLAIM_given_name}e
RequestHeader set REMOTE_USER_LASTNAME %{OIDC_CLAIM_family_name}e
RequestHeader set REMOTE_USER_GROUPS %{OIDC_CLAIM_groups}e
</Location>
If your IdP uses claim names different from the above, substitute them in the OIDC_CLAIM_<claim-name> references: mod_auth_openidc exposes every claim in the ID token as an OIDC_CLAIM_<claim-name> environment variable.
App config:
Navigate to Administer → Settings → Authentication in the Foreman Web UI, and configure the following settings:
Authorize login delegation = Yes
Authorize login delegation auth source user autocreate = External
OIDC JWKs URL = https://idp.example.com/pf/JWKS
OIDC Audience = <application-ID> (the Client ID from your admin)
OIDC Issuer = https://idp.example.com
OIDC Algorithm = RS256
I was able to find the JWKs URL by looking at https://idp.example.com/.well-known/openid-configuration and finding the "jwks_uri" value.
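A pre-flight check for the App config values, as an added example (not code from the original post, from Foreman or from PingFederate): it takes the IdP's discovery document plus the directives from the Apache config above, derives the six Foreman settings from them, and lists anything the IdP does not actually advertise (issuer on a different host, a non-https jwks_uri, a missing scope or response type, or no RS256 support). The discovery document is constructed to carry the post's idp.example.com values and its <application-ID> placeholder; the PingFederate endpoint paths in it are assumptions. It also shows what happens to a groups value that still uses commas when it is split on ":" the way the post says Foreman does.

```python
"""Pre-flight check for the Foreman OIDC settings.

Added example; it is not code from the original post, from Foreman or from
PingFederate.  The discovery document below is constructed to carry the values
the post uses for idp.example.com and is not a real PingFederate response.
"""
import json
import urllib.request
from urllib.parse import urlparse

# Constructed sample .well-known/openid-configuration for the post's IdP.
# The endpoint paths are assumptions; issuer and jwks_uri match the post.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/as/authorization.oauth2",
    "token_endpoint": "https://idp.example.com/as/token.oauth2",
    "jwks_uri": "https://idp.example.com/pf/JWKS",
    "response_types_supported": ["code", "token", "id_token"],
    "scopes_supported": ["openid", "email", "profile"],
    "id_token_signing_alg_values_supported": ["RS256", "HS256"],
})

# The directives from the post's Apache config that have to agree with the IdP.
# <application-ID> is the post's own placeholder for the client ID.
APACHE_CONFIG = {
    "OIDCProviderMetadataURL": "https://idp.example.com/.well-known/openid-configuration",
    "OIDCClientID": "<application-ID>",
    "OIDCScope": "openid email profile",
    "OIDCResponseType": "code",
}


def load_discovery(source):
    """Parse a discovery document given as a JSON string, or fetch it from an https URL."""
    if source.startswith("https://"):
        with urllib.request.urlopen(source, timeout=10) as resp:
            return json.load(resp)
    return json.loads(source)


def foreman_settings(discovery, apache, algorithm="RS256"):
    """Derive the Administer > Settings > Authentication values from the
    discovery document and list anything the IdP does not actually support."""
    problems = []
    issuer = discovery["issuer"]
    jwks_uri = discovery["jwks_uri"]
    metadata_host = urlparse(apache["OIDCProviderMetadataURL"]).netloc

    # The issuer Foreman pins must be the server whose metadata Apache trusts.
    if urlparse(issuer).netloc != metadata_host:
        problems.append(f"issuer {issuer} is not served by metadata host {metadata_host}")
    # Foreman fetches the signing keys from this URL, so it must not be plain http.
    if not jwks_uri.startswith("https://"):
        problems.append(f"jwks_uri {jwks_uri} is not https")
    if apache["OIDCResponseType"] not in discovery.get("response_types_supported", []):
        problems.append(f"IdP does not support response_type {apache['OIDCResponseType']}")
    if "scopes_supported" in discovery:
        missing = sorted(set(apache["OIDCScope"].split()) - set(discovery["scopes_supported"]))
        if missing:
            problems.append(f"IdP does not advertise scopes {missing}")
    # Pinning one algorithm is what rejects a token signed with anything else.
    if algorithm not in discovery.get("id_token_signing_alg_values_supported", []):
        problems.append(f"IdP does not sign ID tokens with {algorithm}")

    settings = {
        "Authorize login delegation": "Yes",
        "Authorize login delegation auth source user autocreate": "External",
        "OIDC JWKs URL": jwks_uri,
        "OIDC Audience": apache["OIDCClientID"],
        "OIDC Issuer": issuer,
        "OIDC Algorithm": algorithm,
    }
    return settings, problems


def foreman_groups(header_value):
    """Split a REMOTE_USER_GROUPS value on ':' as the post says Foreman does,
    and flag entries that still contain a comma (the IdP-side delimiter problem)."""
    groups = [g for g in header_value.split(":") if g]
    suspicious = [g for g in groups if "," in g]
    return groups, suspicious


if __name__ == "__main__":
    settings, problems = foreman_settings(load_discovery(SAMPLE_DISCOVERY), APACHE_CONFIG)
    for name, value in settings.items():
        print(f"{name} = {value}")
    for problem in problems:
        print("WARNING:", problem)
    # The failure mode from the post: commas instead of colons give one bogus group.
    print(foreman_groups("satellite-admins,satellite-operators"))
```

Against a live IdP, pass the metadata URL to load_discovery instead of the sample string; the settings it prints are the ones to enter in the Foreman UI, and any WARNING line means the Apache config and the IdP disagree before you even attempt a login.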
Restart Apache and Foreman:
systemctl restart httpd
systemctl restart foreman