Test Verification Report: CNTRLPLANE-3462

Validate External OIDC on Self-Managed Azure HCP

JIRA	CNTRLPLANE-3462
Type	Manual Validation (no code changes)
Cluster	`brcox-sm-dev-hc` (self-managed Azure HCP)
Date	2026-06-03
Tester	Bryan Cox

10/10

Scenarios Verified

7/7

Azure AD Checks

3/3

Keycloak Checks

Summary

Category	Status
Part A: Azure AD (Entra ID)
Scenario 1: Azure AD app registration	PASS (5/5 checks)
Scenario 2: Cluster OIDC configuration (Azure AD)	PASS (4/4 checks)
Scenario 3: OAuth server not deployed	PASS (3/3 checks)
Scenario 4: KAS authentication configuration	PASS (4/4 checks)
Scenario 5: Azure AD CLI authentication	PASS (4/4 checks)
Scenario 6: SelfSubjectReview claim mappings (Azure AD)	PASS (3/3 checks)
Scenario 7: Console login via Azure AD	PASS (4/4 checks)
Part B: Keycloak
Scenario 8: Keycloak setup & cluster reconfiguration	PASS (8/8 checks)
Scenario 9: Keycloak authentication & SelfSubjectReview	PASS (5/5 checks)
Scenario 10: Console login via Keycloak	PASS (3/3 checks)

Acceptance Criteria

Criterion	Result	Scenario
Create self-managed Azure HCP with `authentication.type: OIDC`	PASS	2
Hosted cluster reaches Available state	PASS	2
OAuth server is NOT deployed	PASS	3
Authenticate a user via OIDC flow	PASS	5
SelfSubjectReview returns correct username, groups, UID	PASS	6
Console login works via OIDC	PASS	7
Validate with Azure AD (Entra ID)	PASS	1–7
Validate with Keycloak	PASS	8–10
Document any blockers or gaps	PASS	All

Blockers & Gaps Found

No blockers or gaps found. External OIDC on self-managed Azure HCP works correctly with both SaaS (Azure AD / Entra ID) and self-hosted (Keycloak) identity providers. All claim mappings (username, groups, UID) are correctly propagated through the KAS JWT authenticator. Console login works via the OIDC authorization code flow with both providers. The cluster can be reconfigured in-place to swap OIDC providers without downtime.