OIDC Authenticated Group Mapping
Using Kong’s OpenID Connect plugin (OIDC), you can map identity provider (IdP)
groups to Kong roles. Adding a user to Kong in this way gives them access to
Kong based on their group in the IdP.
After starting Kong Enterprise with the desired configuration, you can
create new admins whose usernames match those in your IdP. Those
users will then be able to accept invitations to join Kong Manager and log in
with their IdP credentials.
If an admin’s group changes in the IdP, their Kong admin account’s associated
role also changes in Kong Enterprise the next time they log in through Kong
Manager. The mapping removes the task of manually managing access in Kong
Enterprise, as it makes the IdP the system of record.
Here’s how OIDC authenticaticated group mapping works:
- Create roles in Kong Enterprise using either the Kong Admin API or Kong
- Create groups and associate roles with the groups.
- Configure the OIDC plugin to connect with your IdP.
- When users log in to Kong Manager, they get permissions based on the IdP
group(s) they belong to.
Create Kong Groups and Assign Roles
Note: The following examples assume that you have RBAC enabled with
Basic Auth and are transitioning to OpenID Connect.
Notice how in the instructions above, you did not assign a role to your
admin. The role will be matched with the role assigned to them in the IdP.
Apply OIDC Auth Mapping to Kong