mirror of https://github.com/minio/docs.git synced 2025-11-06 03:49:02 +03:00
docs/source/includes/baremetal/steps-configure-openid-external-identity-management.rst
Ravind Kumar 571f188a4e Attempting to reduce docs to single platform (#1258)

We are going to make the following changes to the Object Store docs as
part of a larger QC/Content pass:

### Left Navigation

We want to modify the left navigation flow to be a natural progression
from a basic setup to more advanced.

For example:

- Core Concepts
  - Deployment Architecture
  - Availability and Resiliency
  - Erasure Coding and Object Healing
  - Object Scanner
  - Site Replication and Failover
  - Thresholds and Limits
- Installation
  - Deployment Checklist
  - Deploy MinIO on Kubernetes
  - Deploy MinIO on Red Hat Linux
  - Deploy MinIO on Ubuntu Linux
  - Deploy MinIO for Development (MacOS, Windows, Container)
- Security and Encryption (Conceptual Overview)
  - Network Encryption (TLS) (Conceptual overview)
    - Enable Network Encryption using Single Domain
    - Enable Network Encryption using Multiple Domains
    - Enable Network Encryption using certmanager (Kubernetes only)
  - Data Encryption (SSE) (Conceptual overview)
    - Enable SSE using AIStor Key Management Server
    - Enable SSE using KES (Summary page + linkouts)
  - External Identity Management (Conceptual Overview)
    - Enable External Identity management using OpenID
    - Enable External Identity management using AD/LDAP
- Backup and Recovery
  - Create a Multi-Site Replication Configuration
  - Recovery after Hardware Failure
    - Recover after drive failure
    - Recover after node failure
    - Recover after site failure
- Monitoring and Alerts
  - Metrics and Alerting (v3 reference)
    - Monitoring and Alerting using Prometheus
    - Monitoring and Alerting using InfluxDB
    - Monitoring and Alerting using Grafana
    - Metrics V2 Reference
  - Publish Server and Audit Logs to External Services
  - MinIO Healthcheck API

The Administration, Developer, and Reference sections will remain as-is
for now.

http://192.241.195.202:9000/staging/singleplat/mindocs/index.html

# Goals

Maintaining multiple platforms is getting to be too much, and based on
analytics the actual number of users taking advantage of it is minimal.

Furthermore, the majority of traffic is to installation pages.

Therefore we're going to try to collapse back into a single MinIO Object
Storage product, and use simple navigation and on-page selectors to
handle Baremetal vs Kubernetes.

This may also help to eventually stage us to migrate to Hugo + Markdown

---------

Co-authored-by: Daryl White <53910321+djwfyi@users.noreply.github.com>
Co-authored-by: Rushan <rushenn@minio.io>
Co-authored-by: rushenn <rushenn123@gmail.com>
2025-07-30 12:33:02 -04:00


  1. Set the OpenID Configuration Settings

    You can configure the OIDC (OpenID Connect) provider using either environment variables or server runtime configuration settings. Both methods require starting or restarting the MinIO deployment to apply the changes. The following sections provide a quick reference of all required and optional environment variables and configuration settings, respectively:

    Environment Variables

    MinIO supports specifying the OIDC (OpenID Connect) provider settings using environment variables. The minio server process applies the specified settings on its next startup. For distributed deployments, set these variables on every node in the deployment with identical values.

    The following example code sets all environment variables related to configuring an OIDC (OpenID Connect) provider for external identity management. The minimum required variable is MINIO_IDENTITY_OPENID_CONFIG_URL:

    export MINIO_IDENTITY_OPENID_CONFIG_URL="https://openid-provider.example.net/.well-known/openid-configuration"
    export MINIO_IDENTITY_OPENID_CLIENT_ID="<string>"
    export MINIO_IDENTITY_OPENID_CLIENT_SECRET="<string>"
    export MINIO_IDENTITY_OPENID_CLAIM_NAME="<string>"
    export MINIO_IDENTITY_OPENID_CLAIM_PREFIX="<string>"
    export MINIO_IDENTITY_OPENID_SCOPES="<string>"
    export MINIO_IDENTITY_OPENID_REDIRECT_URI="<string>"
    export MINIO_IDENTITY_OPENID_COMMENT="<string>"

    Replace the value of MINIO_IDENTITY_OPENID_CONFIG_URL with the URL of the OIDC (OpenID Connect) provider's discovery document.

    For complete documentation on these variables, see minio-server-envvar-external-identity-management-openid.

    Configuration Settings

    MinIO supports specifying the OIDC (OpenID Connect) provider settings using configuration settings. The minio server process applies the specified settings on its next startup. For distributed deployments, the mc admin config command applies the configuration to all nodes in the deployment.

    The following example code sets all configuration settings related to configuring an OIDC (OpenID Connect) provider for external identity management. The minimum required setting is identity_openid config_url:

    mc admin config set ALIAS/ identity_openid \
       config_url="https://openid-provider.example.net/.well-known/openid-configuration" \
       client_id="<string>" \
       client_secret="<string>" \
       claim_name="<string>" \
       claim_prefix="<string>" \
       scopes="<string>" \
       redirect_uri="<string>" 

    Replace the config_url with the URL endpoint of the OIDC (OpenID Connect) provider discovery document.

    For more complete documentation on these settings, see identity_openid.
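    Before restarting in the next step, it pays to check the values above against what the provider's discovery document actually advertises. The following is an added example, not MinIO project code: it reads the MINIO_IDENTITY_OPENID_* variables from a mapping (os.environ in practice), compares them with the JSON body that MINIO_IDENTITY_OPENID_CONFIG_URL serves, and returns a list of findings; the same keys minus the prefix apply to the identity_openid settings. The provider, the environment values and the discovery document below are constructed samples, and the particular checks (https scheme, issuer matching the location of config_url, requested scopes and the policy claim being advertised, leftover <string> placeholders) are this example's own choices, not a MinIO requirement.

```python
"""Pre-flight check of MinIO OpenID settings against the provider discovery document.

Added example, not MinIO project code. Takes the MINIO_IDENTITY_OPENID_* variables
as a mapping and the JSON that MINIO_IDENTITY_OPENID_CONFIG_URL serves. The
discovery document and environment below are constructed so the check runs offline.
"""
import json
from urllib.parse import urlsplit

# Constructed sample discovery document (hypothetical provider, not a real one).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://openid-provider.example.net",
    "authorization_endpoint": "https://openid-provider.example.net/authorize",
    "token_endpoint": "https://openid-provider.example.net/token",
    "jwks_uri": "https://openid-provider.example.net/jwks",
    "scopes_supported": ["openid", "profile", "email"],
    "claims_supported": ["sub", "email", "policy"],
})

# Constructed sample environment mirroring the export block in the text.
SAMPLE_ENV = {
    "MINIO_IDENTITY_OPENID_CONFIG_URL":
        "https://openid-provider.example.net/.well-known/openid-configuration",
    "MINIO_IDENTITY_OPENID_CLIENT_ID": "minio-console",
    "MINIO_IDENTITY_OPENID_CLIENT_SECRET": "constructed-client-secret",
    "MINIO_IDENTITY_OPENID_CLAIM_NAME": "policy",
    "MINIO_IDENTITY_OPENID_SCOPES": "openid,profile,groups",
    "MINIO_IDENTITY_OPENID_REDIRECT_URI": "https://minio.example.net/oauth_callback",
}

# Fields an OpenID Connect discovery document needs for a login flow.
REQUIRED_DISCOVERY_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_openid_settings(env, discovery_json):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    config_url = env.get("MINIO_IDENTITY_OPENID_CONFIG_URL", "")
    if not config_url:
        # Without the discovery URL nothing else can be validated.
        findings.append("MINIO_IDENTITY_OPENID_CONFIG_URL is required but unset")
        return findings

    # Template placeholders copied verbatim from the docs are a common mistake.
    for name, value in sorted(env.items()):
        if name.startswith("MINIO_IDENTITY_OPENID_") and value == "<string>":
            findings.append(f"{name} still holds the placeholder <string>")

    if urlsplit(config_url).scheme != "https":
        # Discovery data and JWKS fetched over plain HTTP can be altered in transit.
        findings.append("config_url is not https")

    doc = json.loads(discovery_json)
    for key in REQUIRED_DISCOVERY_KEYS:
        if key not in doc:
            findings.append(f"discovery document lacks required field {key}")

    # Per OpenID Connect Discovery, the document is served under the issuer URL.
    issuer = doc.get("issuer", "").rstrip("/")
    if issuer and not config_url.startswith(issuer + "/"):
        findings.append(f"issuer {issuer} does not match the location of config_url")

    # Scopes MinIO would request that the provider does not advertise.
    supported = set(doc.get("scopes_supported", []))
    requested = [s for s in env.get("MINIO_IDENTITY_OPENID_SCOPES", "").split(",") if s]
    for scope in requested:
        if supported and scope not in supported:
            findings.append(f"scope {scope} is not advertised in scopes_supported")

    # MinIO maps users to policies through this claim, so it should be one the
    # provider actually emits (claims_supported is advisory, hence only a finding).
    claim = env.get("MINIO_IDENTITY_OPENID_CLAIM_NAME", "")
    advertised = doc.get("claims_supported")
    if claim and advertised and claim not in advertised:
        findings.append(f"claim {claim} is not advertised in claims_supported")

    redirect = env.get("MINIO_IDENTITY_OPENID_REDIRECT_URI", "")
    if redirect and urlsplit(redirect).scheme != "https":
        findings.append("redirect_uri is not https")
    return findings


if __name__ == "__main__":
    for finding in check_openid_settings(SAMPLE_ENV, SAMPLE_DISCOVERY):
        print("finding:", finding)
```

    Against the constructed sample the only finding is the groups scope, which the sample provider does not advertise. In practice, fetch the discovery document from config_url with any HTTP client and pass its body together with os.environ; the findings are hints to review, not hard failures.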

  2. Restart the MinIO Deployment

    You must restart the MinIO deployment to apply the configuration changes. Use the mc admin service restart command to restart the deployment.

    mc admin service restart ALIAS

    Replace ALIAS with the alias of the deployment to restart.

  3. Generate S3-Compatible Temporary Credentials using OIDC Credentials

    MinIO requires that clients authenticate using the AWS Signature Version 4 protocol, with support for the deprecated Signature Version 2 protocol. Specifically, clients must present a valid access key and secret key to access any S3 or MinIO administrative API, such as PUT, GET, and DELETE operations.

    Applications can generate temporary access credentials as needed using the AssumeRoleWithWebIdentity Security Token Service (STS) API endpoint and the JSON Web Token (JWT) returned by the OIDC (OpenID Connect) provider.

    The application must provide a workflow for logging into the OIDC (OpenID Connect) provider and retrieving the JSON Web Token (JWT) associated with the authentication session. Refer to the provider documentation for obtaining and parsing the JWT after successful authentication. MinIO provides an example Go application, web-identity.go (minio/blob/master/docs/sts/web-identity.go), that manages this workflow.

    Once the application retrieves the JWT, use the AssumeRoleWithWebIdentity endpoint to generate the temporary credentials:

    POST https://minio.example.net?Action=AssumeRoleWithWebIdentity
    &WebIdentityToken=TOKEN
    &Version=2011-06-15
    &DurationSeconds=86400
    &Policy=Policy

    • Replace TOKEN with the JWT returned in the previous step.

    • Replace DurationSeconds with the duration in seconds until the temporary credentials expire. The example above specifies a period of 86400 seconds, or 24 hours.

    • Replace Policy with an inline, URL-encoded JSON policy that further restricts the permissions associated with the temporary credentials.

      Omit Policy to use the policy associated with the OpenID user policy claim.

    The API response consists of an XML document containing the access key, secret key, session token, and expiration date. Applications can use the access key and secret key to access and perform operations on MinIO.

    See minio-sts-assumerolewithwebidentity for reference documentation.
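    The exchange described in this step, as an added example that is not part of the MinIO documentation or the minio project's own code: build_sts_url assembles the POST URL with the parameters listed above (urlencode supplies the URL-encoding the Policy parameter needs), parse_sts_response extracts the access key, secret key, session token and expiration from the XML reply or raises on an error reply, and assume_role_with_web_identity ties the two together over the network. The endpoint, token and policy values are placeholders, the two XML documents are constructed samples following the AWS STS response shape that MinIO uses, and the bucket-scoped read-only policy is an illustration of "further restricts".

```python
"""Worked AssumeRoleWithWebIdentity exchange against the MinIO STS endpoint.

Added example, not MinIO project code. The XML documents below are constructed
samples in the STS response shape; no real credentials appear anywhere.
"""
import json
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.error import HTTPError
from urllib.parse import urlencode

# Constructed successful reply (placeholder values, not real credentials).
SAMPLE_RESPONSE = """<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult>
    <Credentials>
      <AccessKeyId>CONSTRUCTEDACCESSKEY</AccessKeyId>
      <SecretAccessKey>constructed-secret-key</SecretAccessKey>
      <SessionToken>constructed.session.token</SessionToken>
      <Expiration>2025-01-02T03:04:05Z</Expiration>
    </Credentials>
  </AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>"""

# Constructed error reply, as STS returns for a token it cannot accept.
SAMPLE_ERROR = """<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error><Code>ExpiredToken</Code><Message>constructed message</Message></Error>
</ErrorResponse>"""

# Constructed inline policy: read-only access to one bucket. An inline policy
# can only narrow what the user's policy claim already grants, never widen it.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}


def build_sts_url(endpoint, jwt, duration_seconds=86400, policy=None):
    """Return the POST URL carrying the parameters listed in the text."""
    params = {
        "Action": "AssumeRoleWithWebIdentity",
        "Version": "2011-06-15",
        "WebIdentityToken": jwt,
        "DurationSeconds": str(int(duration_seconds)),
    }
    if policy is not None:
        # Compact JSON; urlencode performs the URL-encoding Policy requires.
        params["Policy"] = json.dumps(policy, separators=(",", ":"))
    return f"{endpoint}?{urlencode(params)}"


def _strip_namespaces(root):
    """Drop the STS XML namespace so lookups work with or without it."""
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root


def parse_sts_response(xml_text):
    """Return the credential fields; Expiration becomes a timezone-aware datetime."""
    root = _strip_namespaces(ET.fromstring(xml_text))
    if root.tag == "ErrorResponse":
        code = root.findtext("./Error/Code", "")
        message = root.findtext("./Error/Message", "")
        raise RuntimeError(f"STS error {code}: {message}")
    creds = root.find("./AssumeRoleWithWebIdentityResult/Credentials")
    if creds is None:
        raise ValueError("no Credentials element in STS response")
    out = {}
    for field in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration"):
        text = creds.findtext(field)
        if not text:
            raise ValueError(f"STS response lacks {field}")
        out[field] = text.strip()
    out["Expiration"] = datetime.fromisoformat(out["Expiration"].replace("Z", "+00:00"))
    return out


def seconds_remaining(creds, now=None):
    """Seconds until the temporary credentials expire (negative once expired)."""
    now = now or datetime.now(timezone.utc)
    return (creds["Expiration"] - now).total_seconds()


def assume_role_with_web_identity(endpoint, jwt, duration_seconds=86400, policy=None):
    """Perform the exchange over the network; an STS error surfaces as RuntimeError."""
    req = urllib.request.Request(build_sts_url(endpoint, jwt, duration_seconds, policy),
                                 data=b"", method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return parse_sts_response(resp.read())
    except HTTPError as err:
        return parse_sts_response(err.read())  # error body carries Code/Message


if __name__ == "__main__":
    print(build_sts_url("https://minio.example.net", "TOKEN", policy=READ_ONLY_POLICY))
    print(parse_sts_response(SAMPLE_RESPONSE))
```

    Sign subsequent S3 requests with the returned access key and secret key and send the session token in the X-Amz-Security-Token header; use seconds_remaining to refresh before the Expiration timestamp rather than after a request fails. The `_strip_namespaces` helper keeps the parser working whether or not the reply carries the STS xmlns declaration.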