OneLogin OpenID as login management

Hello
I’ve used the " Zero to JupyterHub with Kubernetes" guide to setup JupyterHub on our k8s cluster.
For dev I’ve used the dummy auth with a generalized password.

We are using OneLogin as the authentication and portal to all our web tools (superset, prometheus UI, grafana, AWS, etc.).
I’ve tried to configure the GenericOAuthenticator to work with OneLogin using OpenID, but I get either a 500 or a 561 error, depending on configuration.

Any ideas/suggestions/guides as to how I may implement this? I want users to login to jupyterhub via onelogin.

My helm’s values configuration:

ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/group.name: apps-group
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/healthcheck-path: /health
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/ssl-redirect: '443'
    alb.ingress.kubernetes.io/auth-type: oidc
    alb.ingress.kubernetes.io/auth-idp-oidc: '{"issuer":"https://<name>.onelogin.com/oidc/2","authorizationEndpoint":"https://<name>.onelogin.com/oidc/2/auth","tokenEndpoint":"https://<name>.onelogin.com/oidc/2/token","userInfoEndpoint":"https://<name>.onelogin.com/oidc/2/me","secretName":"jupyterhub-env"}'
    alb.ingress.kubernetes.io/auth-on-unauthenticated-request: authenticate
hub:
  config:
    Authenticator:
      enable_auth_state: true
    GenericOAuthenticator:
      client_id: <my-client-id>
      client_secret: <my-client-secret>
      oauth_callback_url: https://<HOST_URL>/hub/oauth_callback
      authorize_url: https://<name>.onelogin.com/oidc/2/auth
      token_url: https://<name>.onelogin.com/oidc/2/token
      userdata_url: https://<name>.onelogin.com/oidc/2/me
      scope:
        - openid
        - name
        - profile
        - email
      username_key: email
    JupyterHub:
      authenticator_class: generic-oauth

MYURL is well established and used for other OpenID apps, ll endpoints checked.

Ingress works well with the dummy authenticator, so people can only access the jupyter url from onelogin, but the dummy isn’t good for us.
Endpoints are tested

Unfortunately debugging external authentication providers can be very tricky. Have you tried turning on debug logging? That will show you all internal and external requests to onelogin, and might help you, or someone else on this forum if you share the logs, identity the problem.

Another thing you could try is to setup your own OIDC provider such as Keycloak. If that work you’ll know that any problems are specific to onelogin.

1 Like

Thanks for the reply, I will try both things and be back if I have more detils/questions.