Overview: How to set up Open Data Hub 3.x External Identity Provider and Gateway on ROSA
Managing users at the enterprise level can be difficult, even more so when separate teams use different identity managers. This learning path covers Open Data Hub (ODH) 3.x with an external OpenID Connect (OIDC) identity provider (using Keycloak as the reference) and the data science gateway. This setup keeps your enterprise user and group management centralized: your data science teams authenticate through the same identity provider your organization already uses, so you do not need to manage separate credentials for the AI/ML platform.
It will also ensure that access to ODH components is protected at the gateway level, which means only authenticated users from approved groups (e.g., odh-admin) can reach the ODH dashboard and its services, reducing the risk of unauthorized access. Onboarding new data scientists will be simpler, as adding a user to the correct Keycloak group automatically grants them the right level of access to both the Red Hat® OpenShift® cluster and ODH, with no extra cluster-side configuration needed.
Any cluster: The procedures apply to any OpenShift 4.19+ environment that supports ODH gateway OIDC. OpenShift 4.19 is the minimum version required for ODH 3.x and its data science gateway. While command-line interface (CLI) commands for Red Hat OpenShift Service on AWS (ROSA) with hosted control planes are included as examples, equivalent configurations (such as issuer URLs, client IDs, redirect URIs, secrets, and TLS) should be applied using the platform’s OAuth or cluster authentication mechanisms.
Prerequisites:
- An AWS account and subscription.
- A Red Hat account.
- Red Hat OpenShift on AWS.
- Administrative permissions for all accounts.
In this learning path, you will:
- Set up ROSA.
- Create Keycloak.
- Configure Keycloak.
- Set up a ROSA cluster.
- Configure Open Data Hub.
- Test and validate the instance.
- Learn how to troubleshoot common errors.