MinIO Authentication and Authorization Using OpenID and Keycloak

  • Published on Oct 5, 2024

Comments • 21

  • @vaibhavtripathi8378 5 months ago

    @MinIO Great! Here, you have explained the login in the MinIO console through Keycloak. What if I have a service/system which generates the token through a Keycloak confidential client and then uses the token to access the MinIO bucket based on policy? How can we do that? Thanks in advance!!

    • @MINIO 5 months ago

      I believe this documentation can help: min.io/docs/minio/linux/developers/security-token-service.html

  • @BlackGloves31 1 year ago

    Thank you for this awesome showcase. While I was successful in setting up a MinIO / Keycloak integration, I'm unable to set up the "Backchannel Logout" so that when a session is closed in Keycloak, it should log you out from MinIO. Is it possible?

    • @MINIO 1 year ago

      I believe what you're looking for is the Keycloak admin URL setting: min.io/docs/minio/linux/reference/minio-mc-admin/mc-admin-config.html#mc-conf.identity_openid.keycloak_admin_url

  • @dron6g645 4 months ago

    Hi! Please tell me, is it possible to connect MinIO to ADFS? I can't find the instructions on Google. I watched your videos on setting up with Keycloak. Tell me, is there any way to connect to ADFS at all, or does it make no sense for me to try to do something in this direction?

    • @MINIO 3 months ago

      ADFS does have OpenID features; you need to make sure you're sending back a properly formed JWT that includes a policy claim.

  • @personcunha 1 year ago

    Great 🎉 What about Nomad Orchestrator?

    • @MINIO 1 year ago

      Many of these settings can also be done via environment variables, if that helps your orchestration efforts. min.io/docs/minio/linux/operations/external-iam/configure-openid-external-identity-management.html

  • @halllo54321 3 months ago

    Does it work with Entra? I don't find the entry for the policy attribute.

    • @MINIO 3 months ago

      So, you can set the policy attribute to whatever name your OpenID is using. MinIO just defaults to looking in the JWT for an attribute named "policy" that has a list of policy names that match policies in MinIO.

    • @halllo54321 3 months ago

      But we don't talk about claims? I am a bit confused with claims and policies in this context. I have a group claim, and in my policy I have a conditional which checks the jwt:groups variable.

    • @MINIO 3 months ago

      That's not how MinIO expects to assign policies. MinIO is looking for an attribute in the JWT that explicitly names a policy that MinIO manages. You *could* change the attribute name that MinIO looks for, such as telling it to look for "group", but the value of the group variable should still be a named policy in MinIO.

    • @halllo54321 3 months ago

      Ah, I understand, so the value from the group claim in the JWT has to be the same as the policy name in MinIO.

    • @MINIO 3 months ago

      Correct. Just be sure to tell MinIO to look for "group" rather than the default "policy" in the JWT.
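
Added example (not part of the comment thread and not MinIO's code): a Python diagnostic for the mapping discussed in the thread above, checking whether the values in a token's claim actually name policies that exist in MinIO. The function names, the sample token, the policy set and the handling of a comma-separated string value are assumptions made for illustration.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only;
    MinIO itself validates the token, so never base an access decision on this)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def claim_values(claims: dict, claim_name: str = "policy") -> list:
    """Normalize the claim to a list of names (list or comma-separated string)."""
    raw = claims.get(claim_name)
    if raw is None:
        return []
    if isinstance(raw, str):
        raw = raw.split(",")
    elif not isinstance(raw, list):
        raw = [raw]
    return [str(v).strip() for v in raw if str(v).strip()]


def check_mapping(token: str, minio_policies: set, claim_name: str = "policy"):
    """Return (matched, unmatched): claim values that do / do not name a MinIO policy."""
    values = claim_values(jwt_claims(token), claim_name)
    matched = [v for v in values if v in minio_policies]
    unmatched = [v for v in values if v not in minio_policies]
    return matched, unmatched


def make_sample_token(claims: dict) -> str:
    """Build a constructed token with a placeholder signature for the demo."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


# Constructed sample: the provider puts names in "groups", not "policy".
SAMPLE = make_sample_token({"sub": "alice", "groups": ["readwrite", "finance-team"]})
POLICIES = {"readonly", "readwrite", "consoleAdmin"}  # assumed policies on the server

if __name__ == "__main__":
    print(check_mapping(SAMPLE, POLICIES))                       # default claim name
    print(check_mapping(SAMPLE, POLICIES, claim_name="groups"))  # claim name set to "groups"
```

With the default claim name nothing matches; with the claim name set to "groups", only the value that is also a MinIO policy name maps, and "finance-team" is reported as unmatched.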

  • @maciejk7689 1 year ago

    Great ... but how does it work with a detached MinIO console (UI) ... connected to a MinIO cluster?

    • @MINIO 1 year ago

      With a detached MinIO Console, you're running a specific user, console, to attach to your cluster. Are you looking to serve the console user credentials from OpenID? Or just auth other users? All the user management is still done via the MinIO server, not Console.

    • @maciejk7689 1 year ago

      @MINIO I know all this... :) But it has some problem with API admin config....

    • @MINIO 1 year ago

      Unfortunately, I can't really diagnose this without knowing more details about your setup. Have you considered reaching out to our support on Subnet?

    • @maciejk7689 1 year ago

      @MINIO I will try