I am attempting to set up OIDC authentication against Okta by starting with the documented Keycloak configuration and making the needed changes. I am running Foreman 3.1.1.2 [Satellite 6.11.1.1].
Here is my configuration so far.
# /etc/httpd/conf.d/foreman-openidc_oidc_keycloak_ssl-realm.conf
OIDCClientID <redacted>
OIDCProviderMetadataURL https://<redacted>.okta.com/oauth2/default/.well-known/openid-configuration
OIDCCryptoPassphrase <redacted>
OIDCClientSecret <redacted>
OIDCRedirectURI https://<redacted>/users/extlogin/redirect_uri
OIDCRemoteUserClaim email
OIDCOAuthRemoteUserClaim email
OIDCScope "openid email profile"
<Location /users/extlogin>
AuthType openid-connect
Require valid-user
LogLevel debug
RequestHeader set REMOTE_USER %{OIDC_CLAIM_email}e
RequestHeader set REMOTE_USER_EMAIL %{OIDC_CLAIM_email}e
RequestHeader set REMOTE_USER_FIRSTNAME %{OIDC_CLAIM_given_name}e
RequestHeader set REMOTE_USER_LASTNAME %{OIDC_CLAIM_family_name}e
</Location>
with the following configuration in Foreman:
# hammer setting list --search oidc
---------------|----------------|---------------------------------------------------|---------------------------------------------------------------------------------
NAME | FULL NAME | VALUE | DESCRIPTION
---------------|----------------|---------------------------------------------------|---------------------------------------------------------------------------------
oidc_jwks_url | OIDC JWKs URL | https://<redacted>.okta.com/oauth2/default/v1/keys | OpenID Connect JSON Web Key Set(JWKS) URL. Typically https://keycloak.example...
oidc_audience | OIDC Audience | ["api://default"] | Name of the OpenID Connect Audience that is being used for Authentication. In...
oidc_issuer | OIDC Issuer | https://<redacted>.okta.com/oauth2/default | The iss (issuer) claim identifies the principal that issued the JWT, which ex...
oidc_algorithm | OIDC Algorithm | RS256 | The algorithm used to encode the JWT in the OpenID provider.
---------------|----------------|---------------------------------------------------|---------------------------------------------------------------------------------
# hammer setting list --search delegation
-------------------------------------------------------|--------------------------------------------------------|----------------------------------------------------|---------------------------------------------------------------------------------
NAME | FULL NAME | VALUE | DESCRIPTION
-------------------------------------------------------|--------------------------------------------------------|----------------------------------------------------|---------------------------------------------------------------------------------
login_delegation_logout_url | Login delegation logout URL | https://<redacted>/users/extlogout | Redirect your users to this url on logout (authorize_login_delegation should ...
authorize_login_delegation_auth_source_user_autocreate | Authorize login delegation auth source user autocreate | External | Name of the external auth source where unknown externally authentication user...
authorize_login_delegation | Authorize login delegation | true | Authorize login delegation with REMOTE_USER HTTP header
authorize_login_delegation_api | Authorize login delegation API | true | Authorize login delegation with REMOTE_USER HTTP header for API calls too
-------------------------------------------------------|--------------------------------------------------------|----------------------------------------------------|---------------------------------------------------------------------------------
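Added example, not from the original post and not Foreman's own code: a pure-Python model of the checks that the four oidc_* settings above drive when a bearer JWT arrives on an API call with authorize_login_delegation_api enabled. The algorithm is pinned to oidc_algorithm instead of being trusted from the token header, the signing key is selected by kid from the JWKS document that oidc_jwks_url would serve, iss must equal oidc_issuer exactly, and aud must intersect oidc_audience. The Okta host, key ID, claims and RSA key are constructed for the demo, and the Miller-Rabin/RSA code is a toy so the example runs offline; it is not a substitute for a real JWT library.

```python
import base64, hashlib, json, random, time

# Mirrors the hammer settings above; the Okta host is a placeholder (assumption).
OIDC_ISSUER = "https://example.okta.com/oauth2/default"
OIDC_AUDIENCE = ["api://default"]
OIDC_ALGORITHM = "RS256"
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _i2b(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin; adequate for a demo key, not for real key generation."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_rsa_key(bits=1024, kid="demo-kid-1"):
    """Toy RSA key pair (constructed); 1024 bits keeps the demo fast, real IdPs publish >= 2048."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi), "kid": kid}

def _emsa_pkcs1_v15(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) into k bytes, returned as an integer."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def jwks_for(key):
    """The document an IdP serves at oidc_jwks_url: public parameters only."""
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": key["kid"],
                      "n": _b64url(_i2b(key["n"])), "e": _b64url(_i2b(key["e"]))}]}

def mint_token(key, claims, alg="RS256"):
    """Issue an RS256 JWT as the IdP would; alg is a parameter only so the demo can forge bad headers."""
    h = _b64url(json.dumps({"alg": alg, "typ": "JWT", "kid": key["kid"]}).encode())
    p = _b64url(json.dumps(claims).encode())
    k = len(_i2b(key["n"]))
    sig = pow(_emsa_pkcs1_v15(f"{h}.{p}".encode(), k), key["d"], key["n"]).to_bytes(k, "big")
    return f"{h}.{p}.{_b64url(sig)}"

def validate_token(token, jwks, now=None):
    """The checks the four oidc_* settings drive; returns verified claims or raises ValueError."""
    h64, p64, s64 = token.split(".")
    header = json.loads(_unb64url(h64))
    # Pin alg to oidc_algorithm; never honour the header (blocks alg=none and key confusion).
    if header.get("alg") != OIDC_ALGORITHM:
        raise ValueError(f"alg {header.get('alg')!r} is not {OIDC_ALGORITHM}")
    # Select the verification key by kid from the JWKS fetched from oidc_jwks_url.
    jwk = next((j for j in jwks["keys"] if j.get("kid") == header.get("kid") and j.get("kty") == "RSA"), None)
    if jwk is None:
        raise ValueError("no RSA key in JWKS for kid")
    n, e = int.from_bytes(_unb64url(jwk["n"]), "big"), int.from_bytes(_unb64url(jwk["e"]), "big")
    k, sig = len(_i2b(n)), _unb64url(s64)
    if len(sig) != k or pow(int.from_bytes(sig, "big"), e, n) != _emsa_pkcs1_v15(f"{h64}.{p64}".encode(), k):
        raise ValueError("signature does not verify")
    claims = json.loads(_unb64url(p64))
    if claims.get("iss") != OIDC_ISSUER:  # exact string match against oidc_issuer
        raise ValueError("issuer mismatch")
    aud = claims.get("aud", [])  # aud may be a string or a list of strings
    if not set([aud] if isinstance(aud, str) else aud) & set(OIDC_AUDIENCE):
        raise ValueError("audience mismatch")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now or claims.get("nbf", 0) > now:
        raise ValueError("token expired or not yet valid")
    return claims

def demo(now=1_700_000_000):
    """One good token and five bad ones (constructed data); returns the outcome per case."""
    key, results = generate_rsa_key(), {}
    jwks = jwks_for(key)
    good = {"iss": OIDC_ISSUER, "aud": "api://default", "sub": "user-1",
            "email": "alice@example.com", "iat": now, "exp": now + 3600}
    tampered = mint_token(key, good).split(".")  # payload swapped after signing
    tampered[1] = _b64url(json.dumps({**good, "email": "mallory@example.com"}).encode())
    cases = {"good": mint_token(key, good),
             "alg_none": mint_token(key, good, alg="none"),
             "tampered": ".".join(tampered),
             "wrong_iss": mint_token(key, {**good, "iss": "https://attacker.example/oauth2/default"}),
             "wrong_aud": mint_token(key, {**good, "aud": ["api://other"]}),
             "expired": mint_token(key, {**good, "exp": now - 1})}
    for name, tok in cases.items():
        try:
            results[name] = "accepted as " + validate_token(tok, jwks, now=now)["email"]
        except ValueError as err:
            results[name] = f"rejected: {err}"
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} {outcome}")
```

demo() accepts only the untouched token and reports why each of the others fails; the audience check accepts either a bare string or a list because Okta and other providers emit both forms, and the algorithm is compared against the configured value before any key material is touched.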