Configure OIDC

Palette displays the Virtual Machine dashboard based on the OpenID Connect (OIDC) Identity Provider (IdP) option selected in the Kubernetes layer of the infrastructure profile.

Prerequisites

• A configured infrastructure cluster profile. For more information, review Create a Cluster Profile.

• A configured VMO add-on cluster profile. Refer to Create the VMO Profile for guidance.

Enable OIDC

1. Log in to Palette.

2. From the left Main Menu, click Profiles.

3. Select your infrastructure cluster profile. Palette displays the profile details and its profile stack.

4. Select the Kubernetes layer in the profile stack, and choose an OIDC Identity Provider option. Refer to Configure OIDC Identify Provider to learn more about OIDC options.

   • Selecting None or Palette will display the Virtual Machine dashboard in a tab.

     warning

     We do not recommend choosing None in a production environment, as it may disable authentication for add-ons that rely on OIDC.

   • Selecting Inherit from Tenant or Custom will display a link to the dashboard on the cluster overview page.

5. If you selected Custom as the OIDC IdP, follow the steps in Configure Custom OIDC to set up the OIDC IdP for your cluster.

6. Once you have made the necessary changes, click Confirm Updates and Save Changes to conclude the update.

7. Deploy a cluster using the updated infrastructure profile. Refer to the Deploy a Cluster tutorial for instructions on how to deploy a cluster.

8. Once the cluster is listed as Healthy, attach the VMO add-on profile to your cluster. Refer to the Attach an Add-on Profile guide for instructions.

The following steps apply exclusively to clusters configured with Custom third-party OIDC IdPs.

9. After the VMO profile deployment is completed, right-click the Connect button next to Virtual Machine Dashboard and copy the link. Save this link for later use.

10. Next, log in to the IdP console that is associated with the OIDC configuration used in your cluster.

11. Locate the OIDC application that was used in step five and enable the Refresh Token setting. For example, if you are using Okta as the IdP, refer to the Refresh access tokens and rotate refresh tokens guide for further instructions.

12. Update the Sign-in redirect URIs field in your IdP. Add the VMO link copied in step nine, appending /auth/callback to its end. For example, if the link is https://spectrocloud.com/v1/tenantApps/123456789101112131415162NWY2OGQ=, update it to https://spectrocloud.com/v1/tenantApps/123456789101112131415162NWY2OGQ=/auth/callback. This is the URI to which the IdP will redirect users after successful authentication.

Validate

1. Log in to Palette.

2. From the left Main Menu, click Clusters and select your cluster.

3. Based on your OIDC IdP settings, the Virtual Machines tab may display on the Cluster Overview page. Alternatively, the Connect button may display next to Virtual Machines Dashboard.

4. If you used a Custom OIDC IdP, click the Connect button next to Virtual Machines Dashboard to verify that the dashboard loads properly after authentication.