What is the expected sequence of events and behaviour regards OIDC configured for a Tanzu Foundation and Hub



Article ID: 430497


Updated On:

Products

VMware Tanzu Platform - Hub

Issue/Introduction

If OIDC is configured as an external Identity Provider for Tanzu Hub and Foundation, users are not automatically synchronised into Hub.


Example

Consider two groups (dev and uat) with one user in each group. User synchronisation is enabled in Platform Services.

When we log into Hub with the tanzu_platform_admin account to perform the bindings, neither the groups nor the users are found in the identity field.

Only after we log into Hub with the uat user from the uat group (and likewise with the dev user from the dev group) can we create the role binding for that user with the tanzu_platform_admin account.

Cause


Resolution

This is considered expected behaviour.

During the synchronisation of users from Platform Services to Hub, only the role assignments for users from CF are synchronised; the User and Group objects themselves are not synchronised.

In Hub, the UI provides an auto-complete drop-down that lists the users and groups that have been created in Hub's UAA. A user is created in UAA only when that user logs in to UAA. Because of this, a user does not appear in the drop-down until they have logged in to Hub at least once. However, the UI still allows a role binding to be created with the user's email id even though the user has not logged in. In this case the drop-down reports that the user could not be found, but the admin can still enter the email id in the text box and create the role binding. When a user with a matching email id logs in to Hub, that user assumes the role binding that was created with the email id.

Once the user logs in to Hub, the User and Group objects for that user are created in Hub's UAA. From this point onwards, the drop-down shows the user and group when searched.
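The sequence described above as an added, constructed model (not Tanzu Hub or UAA code; the class, method and sample email names are assumptions), including an admin check for bindings whose email id has not yet logged in:

```python
"""Constructed model of the Hub/UAA behaviour this article describes.
Not Tanzu Hub code: class, method and sample names are assumptions."""
from dataclasses import dataclass, field


@dataclass
class HubDirectoryModel:
    # User and Group objects exist in Hub's UAA only after first login.
    users: dict[str, set[str]] = field(default_factory=dict)     # email -> groups
    groups: set[str] = field(default_factory=set)
    # Role bindings are keyed by the email id the admin entered, whether or
    # not a matching user object exists yet.
    bindings: dict[str, set[str]] = field(default_factory=dict)  # email -> roles

    def search(self, term: str) -> dict[str, list[str]]:
        """The auto-complete drop-down: only objects already created in UAA."""
        t = term.lower()
        return {"users": sorted(u for u in self.users if t in u.lower()),
                "groups": sorted(g for g in self.groups if t in g.lower())}

    def create_role_binding(self, email: str, role: str) -> bool:
        """Bind a role to an email id. Returns whether the drop-down could
        find the user; False means the admin typed the email by hand."""
        self.bindings.setdefault(email, set()).add(role)
        return email in self.users

    def login(self, email: str, idp_groups: set[str]) -> set[str]:
        """First login creates the User and Group objects; the user then
        assumes any binding created earlier with the same email id."""
        self.users[email] = set(idp_groups)
        self.groups.update(idp_groups)
        return set(self.bindings.get(email, set()))

    def pending_bindings(self) -> list[str]:
        """Admin check: bindings whose email id has never logged in to Hub."""
        return sorted(e for e in self.bindings if e not in self.users)


def demo() -> dict:
    """The article's scenario: a uat user bound by email before first login."""
    hub = HubDirectoryModel()
    found = hub.create_role_binding("uat-user@example.test", "viewer")
    before = hub.search("uat")            # nothing yet: user has not logged in
    roles = hub.login("uat-user@example.test", {"uat"})
    after = hub.search("uat")             # now both the user and group appear
    return {"found_in_dropdown": found, "before": before,
            "roles_on_login": roles, "after": after}
```

Running pending_bindings() periodically shows which email-based bindings are still waiting on a first login, which is where a typo in an email id would otherwise go unnoticed.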