TeleportOIDCConnector
resources.teleport.dev / v3
apiVersion: resources.teleport.dev/v3
kind: TeleportOIDCConnector
metadata:
name: example
apiVersion
string
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind
string
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata
object
spec object
OIDCConnector resource definition v3 from Teleport
acr_values
string
ACR is an Authentication Context Class Reference value. The meaning of the ACR value is context-specific and varies for identity providers.
allow_unverified_email
boolean
AllowUnverifiedEmail tells the connector to accept OIDC users with unverified emails.
claims_to_roles []object
ClaimsToRoles specifies a dynamic mapping from claims to roles.
claim
string
Claim is a claim name.
roles
[]string
Roles is a list of static teleport roles to match.
value
string
Value is a claim value to match.
client_id
string
ClientID is the id of the authentication client (Teleport Auth Service).
client_redirect_settings object
ClientRedirectSettings defines which client redirect URLs are allowed for non-browser SSO logins other than the standard localhost ones.
allowed_https_hostnames
[]string
a list of hostnames allowed for https client redirect URLs
insecure_allowed_cidr_ranges
[]string
a list of CIDRs allowed for HTTP or HTTPS client redirect URLs
client_secret
string
ClientSecret is used to authenticate the client. This field supports secret lookup. See the operator documentation for more details.
display
string
Display is the friendly name for this provider.
entra_id_groups_provider object
EntraIDGroupsProvider configures out-of-band user groups provider. It works by following through the groups claim source, which is sent for the "groups" claim when the user's group membership exceeds 200 max item limit.
disabled
boolean
Disabled specifies that the groups provider should be disabled even when Entra ID responds with a groups claim source. User may choose to disable it if they are using integrations such as SCIM or similar groups importer as connector based role mapping may be not needed in such a scenario.
graph_endpoint
string
GraphEndpoint is a Microsoft Graph API endpoint. The groups claim source endpoint provided by Entra ID points to the now-retired Azure AD Graph endpoint ("https://graph.windows.net"). To convert it to the newer Microsoft Graph API endpoint, Teleport defaults to the Microsoft Graph global service endpoint ("https://graph.microsoft.com"). Update GraphEndpoint to point to a different Microsoft Graph national cloud deployment endpoint.
group_type
string
GroupType is a user group type filter. Defaults to "security-groups". Value can be "security-groups", "directory-roles", "all-groups".
google_admin_email
string
GoogleAdminEmail is the email of a google admin to impersonate.
google_service_account
string
GoogleServiceAccount is a string containing google service account credentials.
google_service_account_uri
string
GoogleServiceAccountURI is a path to a google service account uri.
issuer_url
string
IssuerURL is the endpoint of the provider, e.g. https://accounts.google.com.
max_age
string
MaxAge is the amount of time that user logins are valid for. If a user logs in, but then does not login again within this time period, they will be forced to re-authenticate.
format:
durationmfa object
MFASettings contains settings to enable SSO MFA checks through this auth connector.
acr_values
string
AcrValues are Authentication Context Class Reference values. The meaning of the ACR value is context-specific and varies for identity providers. Some identity providers support MFA specific contexts, such Okta with its "phr" (phishing-resistant) ACR.
client_id
string
ClientID is the OIDC OAuth app client ID.
client_secret
string
ClientSecret is the OIDC OAuth app client secret.
enabled
boolean
Enabled specified whether this OIDC connector supports MFA checks. Defaults to false.
max_age
string
MaxAge is the amount of time in nanoseconds that an IdP session is valid for. Defaults to 0 to always force re-authentication for MFA checks. This should only be set to a non-zero value if the IdP is setup to perform MFA checks on top of active user sessions.
format:
duration
prompt
string
Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards compatibility.
request_object_mode
string
RequestObjectMode determines how JWT-Secured Authorization Requests will be used for authorization requests. JARs, or request objects, can provide integrity protection, source authentication, and confidentiality for authorization request parameters. If omitted, MFA flows will default to the `RequestObjectMode` behavior specified in the base OIDC connector. Set this property to 'none' to explicitly disable request objects for the MFA client.
pkce_mode
string
PKCEMode represents the configuration state for PKCE (Proof Key for Code Exchange). It can be "enabled" or "disabled"
prompt
string
Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards compatibility.
provider
string
Provider is the external identity provider.
redirect_url
[]string
RedirectURLs is a list of callback URLs which the identity provider can use to redirect the client back to the Teleport Proxy to complete authentication. This list should match the URLs on the provider's side. The URL used for a given auth request will be chosen to match the requesting Proxy's public address. If there is no match, the first url in the list will be used.
request_object_mode
string
RequestObjectMode determines how JWT-Secured Authorization Requests will be used for authorization requests. JARs, or request objects, can provide integrity protection, source authentication, and confidentiality for authorization request parameters.
scope
[]string
Scope specifies additional scopes set by provider.
user_matchers
[]string
UserMatchers is a set of glob patterns to narrow down which username(s) this auth connector should match for identifier-first login.
username_claim
string
UsernameClaim specifies the name of the claim from the OIDC connector to be used as the user's username.
status object
Status defines the observed state of the Teleport resource
conditions []object
Conditions represent the latest available observations of an object's state
lastTransitionTime
string required
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format:
date-time
message
string required
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength:
32768
observedGeneration
integer
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format:
int64minimum:
0
reason
string required
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
pattern:
^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$minLength:
1maxLength:
1024
status
string required
status of the condition, one of True, False, Unknown.
enum:
True, False, Unknown
type
string required
type of condition in CamelCase or in foo.example.com/CamelCase.
pattern:
^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$maxLength:
316
teleportResourceID
integer
format:
int64No matches. Try .spec.acr_values for an exact path