`.well-known/openid-configuration`, to provide this information.
The token of the identity provider has to contain claims with either an API key or an email. These claims allow Console to map the token to a user or an API key and apply its permissions.
`https://example.org/keycloak/realms/conduktor`. If a valid API key is defined in the `apikey` claim, it will be used. Otherwise, the email contained in the `email` claim will be mapped to a Console user. If the user doesn’t exist, it will be created. The `groups` claim is optional and used for external group mapping.
`CDK_AUTH_MODE` environment variable to `external`.
If you already have a token from your identity provider, you can configure the CLI like this:
Property | Description | Environment variable | Mandatory | Type | Default |
---|---|---|---|---|---|
sso.jwt-auth.issuer | Issuer of your identity provider | CDK_SSO_JWTAUTH_ISSUER | true | string | ∅ |
sso.jwt-auth.username-claim | Email attribute from your identity provider | CDK_SSO_JWTAUTH_USERNAMECLAIM | false | string | email |
sso.jwt-auth.groups-claim | Group attribute from your identity provider | CDK_SSO_JWTAUTH_GROUPSCLAIM | false | string | groups |
sso.jwt-auth.api-key-claim | API key attribute from your identity provider | CDK_SSO_JWTAUTH_APIKEYCLAIM | false | string | apikey |
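
A pre-flight check for the claim mapping described above, as an added example (not Conduktor's code): it decodes a token's payload without verifying the signature and reports whether the token would be mapped by API key or by email, using the default claim names from the table. The function names, the exact-match issuer comparison and the sample tokens are assumptions made for illustration.

```python
import base64
import json

# Claim names default to the values in the property table on this page.
DEFAULTS = {"username-claim": "email", "groups-claim": "groups", "api-key-claim": "apikey"}


def decode_payload(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))


def preflight(token, issuer, cfg=None):
    """Report which identity the mapping described above would select."""
    cfg = {**DEFAULTS, **(cfg or {})}
    claims = decode_payload(token)
    if claims.get("iss") != issuer:  # assumption: exact string match on the issuer
        return {"ok": False, "reason": "issuer mismatch"}
    api_key = claims.get(cfg["api-key-claim"])
    email = claims.get(cfg["username-claim"])
    groups = claims.get(cfg["groups-claim"], [])  # optional claim
    if isinstance(api_key, str) and api_key:
        # Presence only: Console decides validity; an invalid key leaves the email claim.
        return {"ok": True, "mapped_by": "api-key", "fallback_email": email, "groups": groups}
    if isinstance(email, str) and email:
        return {"ok": True, "mapped_by": "email", "identity": email, "groups": groups}
    return {"ok": False, "reason": "no API key claim and no email claim"}


def make_token(claims):
    """Build a constructed sample token with a placeholder signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".c2ln"


if __name__ == "__main__":
    ISS = "https://example.org/keycloak/realms/conduktor"  # issuer shown on this page
    for sample in (  # constructed claim sets
        {"iss": ISS, "email": "alice@example.org", "groups": ["platform"]},
        {"iss": ISS, "apikey": "PLACEHOLDER-KEY", "email": "bob@example.org"},
        {"iss": ISS, "sub": "service-account"},
        {"iss": "https://idp.example.net/realms/other", "email": "eve@example.org"},
    ):
        print(preflight(make_token(sample), ISS))
```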