PingID

This section will guide you through using PingID as an OIDC provider for Kubeflow.

What You’ll Need

Procedure

  1. From the home page of your admin console go to Add Environment (in the top right corner of the page) -> Customer solution -> Next -> Next and create a new environment:

    Environment
    Environment Name <ENVIRONMENT>

    Replace <ENVIRONMENT> with the name of your environment, for example Kubeflow.

  2. Select your environment from the home page of your admin console.

  3. From your admin console go to Connections (it’s an icon in the left sidebar) -> Applications -> Add Application -> Web App -> OIDC, and create an application with the following settings:

    Application
    Application Name <APPLICATION_NAME>
    Authorized redirect URIs <FQDN>/authservice/oidc/callback
    Scopes
    • profile (Allows read-only access to the user’s personal information using OpenID Connect)
    • email (Allows read-only access to the user’s primary email address using OpenID Connect)
    User ID sub
    Refresh Token Enable the Refresh Token generation.

    Replace:

    • <APPLICATION_NAME> with the name of your application, for example Kubeflow.
    • <FQDN> with the public URL of your EKF installation, for example https://arrikto-cluster.apps.example.com.

    Important

    Ensure that you have enabled the Refresh Token generation for your PingOne application. PingOne applications do not generate Refresh Tokens with the default configurations.

    Enable Refresh Token generation

    1. Log in to the PingOne admin console.

    2. Click on your application environment.

      [image: environments.png]
    3. Click on the Connections tab on the left side menu and then select the Applications tab.

      [image: connections.png]
    4. Click on your PingOne application.

      [image: application.png]
    5. Click on the Configuration tab.

      [image: configuration.png]
    6. Click on the pencil icon to modify the configurations of your application.

    7. Expand the GENERAL dropdown menu.

    8. Check the Refresh Token option.

      [image: refresh-token.png]
    9. Click on the Save button.

  4. From your admin console go to Connections -> Applications, then find your application and click on the slide button to activate it and enable user access to it.

  5. Expand the application info using the drop-down button at the right side of the application window, if it’s not expanded already.

  6. Click on the Configuration tab and copy the following info, which will be used in the next steps:

    • ISSUER
    • CLIENT ID
    • CLIENT SECRET
  7. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:/# cd ~/ops/deployments
  8. Specify the client ID:

    root@rok-tools:~/ops/deployments# export OIDC_CLIENT_ID=<CLIENT ID>

    Replace <CLIENT ID> with the client ID you copied from the Configuration tab.

  9. Specify the client secret:

    root@rok-tools:~/ops/deployments# export OIDC_CLIENT_SECRET=<CLIENT SECRET>

    Replace <CLIENT SECRET> with the client secret you copied from the Configuration tab.

  10. Render the AuthService credentials:

    root@rok-tools:~/ops/deployments# j2 kubeflow/manifests/common/oidc-authservice/overlays/deploy/secret_params.env.j2 \
    > -o kubeflow/manifests/common/oidc-authservice/overlays/deploy/secret_params.env
  11. Set the public URL of your EKF installation:

    root@rok-tools:~/ops/deployments# export FQDN=<FQDN>

    Replace <FQDN> with your installation’s public URL. For example:

    root@rok-tools:~/ops/deployments# export FQDN=https://arrikto-cluster.apps.example.com
  12. Set the public URL of your application:

    root@rok-tools:~/ops/deployments# export OIDC_PROVIDER=<ISSUER>

    Replace <ISSUER> with the issuer URL you copied from the Configuration tab.

  13. Configure AuthService to convert user emails to usernames:

    root@rok-tools:~/ops/deployments# export USERID_TRANSFORMERS='[{"matches": "@<DOMAIN>", "replaces": "" }]'

    Replace <DOMAIN> with the domain of your organization. For example:

    root@rok-tools:~/ops/deployments# export USERID_TRANSFORMERS='[{"matches": "@example\\.com", "replaces": "" }]'

    Make sure to keep the double backslash before the dot (\\.): the value is parsed as JSON, so \\. decodes to the regex escape \., which matches a literal dot instead of any character. With this example domain, AuthService will convert user IDs like user@example.com into user.

    Note

    USERID_TRANSFORMERS accepts a JSON formatted list of UserID transformation rules with the following format:

    USERID_TRANSFORMERS=[{"matches": "regex", "replaces": "value" }]

    AuthService will transform the UserID by finding the first transformation rule that matches regex and replacing it with value.
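    The following Python snippet is an added illustration of the rule semantics described in this note and in step 13; it is not AuthService's own code and only models the documented behaviour (first matching rule wins, its match is replaced by the "replaces" value). It also shows why the escaped dot matters: with the dot unescaped, a user from a look-alike domain collapses into the same username.

```python
import json
import re

# Constructed model of the USERID_TRANSFORMERS rule semantics documented above.
# Not AuthService's implementation; written to show the effect of the regex escaping.

def parse_transformers(env_value: str) -> list:
    """Parse the JSON list exactly as it would be read from the environment variable."""
    rules = json.loads(env_value)
    for rule in rules:
        re.compile(rule["matches"])  # fail early on an invalid regex
    return rules

def transform_userid(userid: str, rules: list) -> str:
    """Apply the first rule whose regex matches; otherwise return the ID unchanged."""
    for rule in rules:
        pattern = re.compile(rule["matches"])
        if pattern.search(userid):
            return pattern.sub(rule["replaces"], userid, count=1)
    return userid

# Value as set in the shell in step 13; the single quotes keep both backslashes,
# so JSON decoding yields the regex "@example\.com" (literal dot).
ESCAPED = r'[{"matches": "@example\\.com", "replaces": "" }]'
# Constructed counter-example: the same rule with the dot left unescaped,
# so "." matches any character.
UNESCAPED = r'[{"matches": "@example.com", "replaces": "" }]'

# Constructed sample user IDs, including one from a look-alike domain.
SAMPLES = ["user@example.com", "user@examplexcom", "user@other.org"]

def demo() -> dict:
    """Return the transformed usernames for both rule sets."""
    escaped_rules = parse_transformers(ESCAPED)
    unescaped_rules = parse_transformers(UNESCAPED)
    return {
        "escaped": [transform_userid(u, escaped_rules) for u in SAMPLES],
        "unescaped": [transform_userid(u, unescaped_rules) for u in SAMPLES],
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

    With the escaped rule only user@example.com becomes user; with the unescaped rule user@examplexcom is mapped to the same username, so two distinct identities would share one Kubeflow profile.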

  14. Set the default PingID settings and render the AuthService configuration:

    root@rok-tools:~/ops/deployments# export USERID_CLAIM=preferred_username
    root@rok-tools:~/ops/deployments# export OIDC_SCOPES=profile,email,openid
    root@rok-tools:~/ops/deployments# export AUTHSERVICE_URL_PREFIX=${FQDN?}/authservice/
    root@rok-tools:~/ops/deployments# export TEMPLATE_PATH=''
    root@rok-tools:~/ops/deployments# j2 kubeflow/manifests/common/oidc-authservice/overlays/deploy/params.env.j2 \
    > -o kubeflow/manifests/common/oidc-authservice/overlays/deploy/params.env
  15. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Use the PingID OIDC provider for Kubeflow authentication"
  16. Apply the manifests:

    root@rok-tools:~/ops/deployments# rok-deploy --apply install/kubeflow
  17. Restart the pods manually:

    root@rok-tools:~/ops/deployments# kubectl delete pods -n istio-system -l app=authservice

Verify

  1. Ensure that the authservice StatefulSet is running. Verify that the STATUS field is Running and the READY field is 1/1:

    root@rok-tools:~/ops/deployments# kubectl get pods -n istio-system -l app=authservice
    NAME            READY   STATUS    RESTARTS   AGE
    authservice-0   1/1     Running   0          13s
  2. Log in with your PingID credentials at <FQDN>, where <FQDN> is the public URL of your EKF installation. For example, https://arrikto-cluster.apps.example.com.

Summary

You have successfully configured your EKF installation to allow users to log in with their PingID credentials.

What’s Next

Check out the rest of the services you can integrate Arrikto EKF with.