OpenUnison / openunison-k8s

Access portal for Kubernetes
Apache License 2.0
105 stars 5 forks source link

SSO login page each time #94

Closed mysiki closed 10 months ago

mysiki commented 11 months ago

Hello,

I have few k8s cluster with openunission deploy on each with Azure AD SSO. Each openunission use different Azure application under the same EntraID. The SSO work well but I need to login on each k8s event if I'm already login, the SSO token seems not be use by openunission.

I use std configuration describe in documentation. Can you give me some help to understand and setup correctly openunission in order to reuse existing token ?

Nota : I have many other application under the SSO that work corretly.

I can provide configuration if needed, just ask me what you need.

mlbiam commented 10 months ago

sorry for not getting back sooner.

It sounds like you have a single openunison for each cluster, all integrated directly into azuread?

mysiki commented 10 months ago

Hey, no problem.

I have one openunison by cluster (so 5 cluster, 5 openunison), all the openunison are integrated into azure AD under the same EntraID.

Each openunison have her own Entreprise App in entraID. It seems than openunison always request to refresh the token without using the existing one.

Take not than when an openunison in connected, it ok for himeself.

example :

Maybe I miss someting in configuration to allow it to use the existing token.

mlbiam commented 10 months ago

Got it. By default, we force re-authentication in our integration with oidc identity providers which is why even though you already have a session with Entra you are asked to authenticate again when accessing another cluster. Try setting oidc.forceauthentication: false in your values.yaml and re-deploy.

mysiki commented 10 months ago

👍 Work like a charm ! Thx