[Question] ADFS integration with k8 RBAC

[soocode]

Hi Team,

I'm planning to deploy a cluster using aks-engine in Azure Stack Hub and using ADFS as an identity provider.
I want to use the same identity to access the aks-engine cluster by pointing the API model to ADFS and integrate it with k8 RBAC so that I don't have to separately manage another account.

My question:
It seems AAD can be integrated with AKS Engine-created cluster to use K8 RBAC.
https://github.com/Azure/aks-engine/blob/master/docs/topics/aad.md
Can the accounts defined in ADFS be used to associate with K8 RBAC?

I would appreciate if you could share any relevant documentation.

[welcome]

👋 Thanks for opening your first issue here! If you're reporting a 🐞 bug, please make sure you include steps to reproduce it.

[soocode]

Tagging @jackfrancis for awareness. It would be greatly appreciate if we can have answers.

[bridgetkromhout]

Hi, @soocode - Jack is away for a bit. Perhaps @jadarsie can answer; this repo is also not a good source of Azure Stack Hub support and will be archived later this year (see https://learn.microsoft.com/en-us/azure-stack/user/azure-stack-kubernetes-aks-engine-overview?view=azs-2206 instead). Thanks.

[soocode]

Hi, @bridgetkromhout thank you for letting me know. It seems the documentation has no answers for my question. I'll wait for @jadarsie's feedback.

[jadarsie]

@soocode, the doc page says ADFS is not supported (https://github.com/Azure/aks-engine/blob/master/docs/topics/aad.md#prerequisites)

Please log an issue here (https://github.com/Azure/aks-engine-azurestack/issues/new), I will try to understand what was the limitation on ADFS and based on that maybe find a solution.

[cacarroll]

@jadarsie The scenario is an air gapped Azure Stack Hub with ADFS/DC integration for identity. Can we set up AKS Engine to use the ADFS/DC to provide RBAC? I understand the document above references a scenario for AAD but is there a solution for those who are offline and need to use a local identity source?