Simplifying Zero Trust Security for AWS with Teleport
Jan 23
Virtual
Register Now
Teleport logoTry For Free
Fork me on GitHub

Teleport

TeleportOIDCConnector

This guide is a comprehensive reference to the fields in the TeleportOIDCConnector resource, which you can apply after installing the Teleport Kubernetes operator.

resources.teleport.dev/v3

apiVersion: resources.teleport.dev/v3

FieldTypeDescription
apiVersionstringAPIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kindstringKind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadataobject
specobjectOIDCConnector resource definition v3 from Teleport

spec

FieldTypeDescription
acr_valuesstringACR is an Authentication Context Class Reference value. The meaning of the ACR value is context-specific and varies for identity providers.
allow_unverified_emailbooleanAllowUnverifiedEmail tells the connector to accept OIDC users with unverified emails.
claims_to_roles[]objectClaimsToRoles specifies a dynamic mapping from claims to roles.
client_idstringClientID is the id of the authentication client (Teleport Auth Service).
client_redirect_settingsobjectClientRedirectSettings defines which client redirect URLs are allowed for non-browser SSO logins other than the standard localhost ones.
client_secretstringClientSecret is used to authenticate the client. This field supports secret lookup. See the operator documentation for more details.
displaystringDisplay is the friendly name for this provider.
google_admin_emailstringGoogleAdminEmail is the email of a google admin to impersonate.
google_service_accountstringGoogleServiceAccount is a string containing google service account credentials.
google_service_account_uristringGoogleServiceAccountURI is a path to a google service account uri.
issuer_urlstringIssuerURL is the endpoint of the provider, e.g. https://accounts.google.com.
max_agestringMaxAge is the amount of time that user logins are valid for. If a user logs in, but then does not login again within this time period, they will be forced to re-authenticate.
promptstringPrompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards compatibility.
providerstringProvider is the external identity provider.
redirect_url[]stringRedirectURLs is a list of callback URLs which the identity provider can use to redirect the client back to the Teleport Proxy to complete authentication. This list should match the URLs on the provider's side. The URL used for a given auth request will be chosen to match the requesting Proxy's public address. If there is no match, the first url in the list will be used.
scope[]stringScope specifies additional scopes set by provider.
username_claimstringUsernameClaim specifies the name of the claim from the OIDC connector to be used as the user's username.

spec.claims_to_roles items

FieldTypeDescription
claimstringClaim is a claim name.
roles[]stringRoles is a list of static teleport roles to match.
valuestringValue is a claim value to match.

spec.client_redirect_settings

FieldTypeDescription
allowed_https_hostnames[]stringa list of hostnames allowed for https client redirect URLs
insecure_allowed_cidr_ranges[]stringa list of CIDRs allowed for HTTP or HTTPS client redirect URLs