Authentication

    Prerequisites

    • A domain name must be configured for the Portal service before SSO authentication can be used. Identify the domain to be used for the Portal.
    • Identify the tenant_id of the Azure tenant to be used.
    • Make sure the Azure CLI (az) is installed on a machine and log in with az login.
    • Run the attached shell script, passing the Portal domain as its argument, to create the 3 App registrations and Enterprise applications listed below. Make a note of the script's outputs; they are used in the next steps.
      • cdrplatform-api-access
      • cdrplatform-portal-access
      • cdrplatform-portal-client
    bash create-azure-app-registrations.sh cleanroom.glasswall.com
    
    • The enterprise application ar-halo-portal-client needs to be granted admin consent (Azure AD > Enterprise applications > the application > Permissions > Grant admin consent).

    Portal Authentication Installation

    Glasswall CDR Platform's Portal supports SSO authentication using Azure AD. Follow the steps below to set up the integration with Azure AD.

    • SSH to the VM to run the commands below.
    • The cdrplatform-portal and cdrplatform-portal-access helm charts are present in the /home/glasswall directory.
    • Get the image tag of the Portal currently running in the cluster and set the image_tag variable to the output of this command.
    kubectl get deploy portal -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2
    
    • Deploy the Portal with the Azure AD configuration. Fill in the variables from the prerequisites: portal_client_id is the application (client) ID of cdrplatform-portal-client and portal_access_uri is the Application ID URI of cdrplatform-portal-access, both printed by the app registration script. Azure AD only redirects to URIs registered on the app registration, so portal_domain must be the same domain that was passed to the script. Helm splits a --set value on commas, which is why the commas inside enabled_pages are escaped as \, ; keep exactly one of the three enabled_pages assignments.
    tenant_id=""
    portal_domain=""
    portal_client_id=""
    portal_access_uri=""
    image_tag=""
    # default set of pages
    enabled_pages="SystemSettings\,PolicySettings"
    # use this instead if the XML validation entitlement is enabled
    enabled_pages="SystemSettings\,PolicySettings\,ValidationSettings"
    # use this instead if the ICAP server is enabled
    enabled_pages="SystemSettings\,PolicySettings\,IcapSettings\,IcapRequests\,IcapReporting"
    helm upgrade --install cdrplatform-portal cdrplatform-portal \
      --set image.repository=glasswallacr.azurecr.io/cdrplatform-portal \
      --set image.tag="${image_tag:?}" \
      --set image.pullPolicy=IfNotPresent \
      --set ingress.tls.enabled=true \
      --set ingress.tls.domain="${portal_domain:?}" \
      --set ingress.tls.secretName=tls-secret \
      --set cloud_provider=local \
      --set resources.requests.cpu=500m \
      --set resources.requests.memory=500Mi \
      --set resources.limits.cpu=500m \
      --set resources.limits.memory=500Mi \
      --set securityContext.seccompProfile.type=RuntimeDefault \
      --set configuration.BackendScope="${portal_access_uri:?}/PortalUserScope" \
      --set configuration.BackendUrl="https://${portal_domain}" \
      --set configuration.EnabledPages="${enabled_pages}" \
      --set configuration.OIDC.ProviderOptions.Authority="https://login.microsoftonline.com/${tenant_id:?}/v2.0" \
      --set configuration.OIDC.ProviderOptions.RedirectUri="https://${portal_domain}/authentication/login-callback" \
      --set configuration.OIDC.ProviderOptions.ClientId="${portal_client_id:?}" \
      --set configuration.OIDC.ProviderOptions.PostLogoutRedirectUri="https://${portal_domain}/authentication/logout-callback" \
      --atomic
    
    • Get the image tag of portal-access currently running in the cluster and set the image_tag variable to the output of this command.
    kubectl get deploy portal-access -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2
    
    • Deploy portal-access with the Azure AD configuration. ValidAudiences__0 must equal the aud claim of the access tokens the Portal obtains for the BackendScope above, i.e. the Application ID URI in portal_access_uri. ValidIssuer is the issuer of Azure AD v1.0 access tokens (https://sts.windows.net/<tenant_id>/, trailing slash included); Authority is the v2.0 endpoint from which the service fetches its OpenID metadata and signing keys. If requests are rejected with 401 after deployment, compare the iss and aud claims of a real token with these two values before looking elsewhere.
    tenant_id=""
    portal_domain=""
    portal_access_uri=""
    image_tag=""
    helm upgrade --install cdrplatform-portal-access cdrplatform-portal-access \
      --set image.repository=glasswallacr.azurecr.io/cdrplatform-portal-access \
      --set image.tag="${image_tag:?}" \
      --set image.pullPolicy=IfNotPresent \
      --set ingress.tls.enabled=true \
      --set ingress.tls.domain="${portal_domain:?}" \
      --set ingress.tls.secretName=tls-secret \
      --set cloud_provider=local \
      --set resources.requests.cpu=1 \
      --set resources.requests.memory=2Gi \
      --set resources.limits.cpu=1 \
      --set resources.limits.memory=2Gi \
      --set securityContext.seccompProfile.type=RuntimeDefault \
      --set configuration.AuthenticationScheme=Bearer \
      --set configuration.Authentication__Schemes__Bearer__ValidAudiences__0="${portal_access_uri:?}" \
      --set configuration.Authentication__Schemes__Bearer__ValidIssuer="https://sts.windows.net/${tenant_id:?}/" \
      --set configuration.Authentication__Schemes__Bearer__Authority="https://login.microsoftonline.com/${tenant_id}/v2.0/" \
      --atomic
    
    • Now open the Portal domain in a browser and click the "Login with SSO" button at the bottom left.
    • Complete the login through Azure AD. On the first login, grant the application the requested permissions on behalf of the organisation.

    API Authentication

    API authentication can be configured in one of two ways:

    • Basic authentication
    • Bearer authentication

    Basic Authentication installation

    • SSH to the VM to run the commands below.
    • The cdrplatform-api-access helm chart is present in the /home/glasswall directory.
    • Set the credentials in the cluster by filling in a username and password in the command below. Multiple passwords can be configured for the same username by separating them with commas, so a password must not itself contain a comma. Values passed with --from-literal or -p appear in the shell history and, while the command runs, in the process list; clear them from the history afterwards or supply them with --from-file instead.
    secret_exists=$(kubectl get secret cdrplatform-secrets --ignore-not-found)
    if [[ -z "$secret_exists" ]]; then
      kubectl create secret generic cdrplatform-secrets \
        --from-literal=organisation0-id=<username> \
        --from-literal=organisation0-tokens=<password>
    else
      # patch keeps any other keys already stored in cdrplatform-secrets
      kubectl patch secret cdrplatform-secrets -p="{\"stringData\":{\"organisation0-id\": \"<username>\",\"organisation0-tokens\": \"<password>\"}}"
    fi
    
    • Get the image tag of api-access currently running in the cluster and set the image_tag variable to the output of this command.
    kubectl get deploy api-access -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2
    
    • Deploy api-access with Basic authentication. Basic authentication only base64-encodes the credentials, it does not encrypt them, so with enable_tls=false they cross the network in clear text on every request. Set enable_tls to false only when TLS is terminated in front of the ingress.
    image_tag=""
    enable_tls=""   # true or false
    api_domain=""   # ignored if enable_tls is false
    helm upgrade --install cdrplatform-api-access cdrplatform-api-access \
      --set image.tag="${image_tag:?}" \
      --set image.pullPolicy=IfNotPresent \
      --set image.repository="glasswallacr.azurecr.io/cdrplatform-api-access" \
      --set ingress.tls.enabled="${enable_tls:?}" \
      --set ingress.tls.domain="${api_domain}" \
      --set configuration.CLIENTS__Policy__BaseAddress="http://policy-api:8080" \
      --set configuration.CLIENTS__License__BaseAddress="http://license-management.license-management.svc.cluster.local:8080" \
      --set configuration.CLIENTS__AsyncApi__BaseAddress="http://async-api:8080" \
      --set configuration.AuthenticationScheme="Basic" \
      --set cloud_provider=local \
      --set resources.requests.cpu=1 \
      --set resources.requests.memory=3Gi \
      --set resources.limits.cpu=1 \
      --set resources.limits.memory=3Gi \
      --set securityContext.seccompProfile.type=RuntimeDefault \
      --atomic
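    The secret-creation step above passes the password on the command line. The Python script below is an added example, not code from this page or from the Glasswall charts: it generates a random token, refuses values that would break the comma-separated token list, and emits the cdrplatform-secrets manifest as JSON so it can be piped into kubectl apply -f - without the value touching the shell history. It also builds the Authorization header an API client sends, and includes an illustrative check of such a header against an organisation id and token list; that check is an assumption about how a comma-separated list is matched, not the api-access service's own code. The key names organisation0-id and organisation0-tokens come from the page; the organisation id "acme" used as the default is constructed.

```python
import base64
import hmac
import json
import secrets
import sys


def generate_token(nbytes: int = 32) -> str:
    """Random URL-safe token. token_urlsafe emits only [A-Za-z0-9_-], so the
    result can never contain the comma that separates multiple tokens."""
    return secrets.token_urlsafe(nbytes)


def _b64(value: str) -> str:
    return base64.b64encode(value.encode()).decode()


def build_secret_manifest(org_id: str, tokens, name: str = "cdrplatform-secrets") -> dict:
    """Kubernetes Secret using the key names from the page. Values sit under
    `data`, so they are base64-encoded; kubectl accepts JSON manifests."""
    if not org_id or ":" in org_id:
        # RFC 7617 splits user-id:password on the first ':', so a colon in the id is unusable
        raise ValueError("organisation id must be non-empty and must not contain ':'")
    for token in tokens:
        if not token or "," in token:
            raise ValueError("each token must be non-empty and must not contain ','")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "data": {
            "organisation0-id": _b64(org_id),
            "organisation0-tokens": _b64(",".join(tokens)),
        },
    }


def basic_auth_header(username: str, password: str) -> str:
    """Authorization header value a client sends (RFC 7617): base64 of user:password."""
    return "Basic " + _b64(f"{username}:{password}")


def verify_basic_header(header: str, org_id: str, tokens_csv: str) -> bool:
    """Illustrative server-side check (assumption, not the api-access code):
    the user-id must equal the organisation id and the password must equal one
    of the comma-separated tokens. Every token is compared in constant time and
    the loop never exits early, so timing does not reveal which token matched."""
    scheme, _, encoded = header.partition(" ")
    if scheme != "Basic":
        return False
    try:
        decoded = base64.b64decode(encoded, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    user_ok = hmac.compare_digest(user.encode(), org_id.encode())
    matched = False
    for token in tokens_csv.split(","):
        matched |= hmac.compare_digest(password.encode(), token.encode())
    return user_ok and matched


if __name__ == "__main__":
    # usage: python3 gen_secret.py <organisation-id> [number-of-tokens] | kubectl apply -f -
    org = sys.argv[1] if len(sys.argv) > 1 else "acme"   # "acme" is a constructed example id
    count = int(sys.argv[2]) if len(sys.argv) > 2 else 1
    new_tokens = [generate_token() for _ in range(count)]
    json.dump(build_secret_manifest(org, new_tokens), sys.stdout, indent=2)
    # the tokens themselves go to stderr once, to be handed to the API clients
    print("\n".join(new_tokens), file=sys.stderr)
```

    When cdrplatform-secrets already holds other keys, the page's kubectl patch form is the safer way to update only the two organisation0 keys; the manifest above is meant for the initial creation.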
    

    Bearer Authentication installation

    • Identify the tenant_id of the Azure tenant to be used.
    • SSH to the VM to run the commands below.
    • The cdrplatform-api-access helm chart should be present in the /home/glasswall directory.
    • Get the image tag of api-access currently running in the cluster and set the image_tag variable to the output of this command.
    kubectl get deploy api-access -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2
    
    • Deploy api-access with the Azure AD configuration. api_valid_audience is the audience (Application ID URI) of the cdrplatform-api-access app registration created by the script; API clients must request their tokens for exactly this resource so that the aud claim matches. ValidIssuer and Authority have the same meaning as in the portal-access deployment above.
    tenant_id=""
    api_valid_audience="api://cdrplatform-api-access"
    image_tag=""
    enable_tls=""   # true or false
    api_domain=""   # ignored if enable_tls is false
    helm upgrade --install cdrplatform-api-access cdrplatform-api-access \
      --set image.tag="${image_tag:?}" \
      --set image.pullPolicy=IfNotPresent \
      --set image.repository="glasswallacr.azurecr.io/cdrplatform-api-access" \
      --set ingress.tls.enabled="${enable_tls:?}" \
      --set ingress.tls.domain="${api_domain}" \
      --set configuration.CLIENTS__Policy__BaseAddress="http://policy-api:8080" \
      --set configuration.CLIENTS__License__BaseAddress="http://license-management.license-management.svc.cluster.local:8080" \
      --set configuration.CLIENTS__AsyncApi__BaseAddress="http://async-api:8080" \
      --set configuration.AuthenticationScheme="Bearer" \
      --set configuration.Authentication__Schemes__Bearer__ValidAudiences__0="${api_valid_audience:?}" \
      --set configuration.Authentication__Schemes__Bearer__ValidIssuer="https://sts.windows.net/${tenant_id:?}/" \
      --set configuration.Authentication__Schemes__Bearer__Authority="https://login.microsoftonline.com/${tenant_id}/v2.0/" \
      --set cloud_provider=local \
      --set resources.requests.cpu=1 \
      --set resources.requests.memory=3Gi \
      --set resources.limits.cpu=1 \
      --set resources.limits.memory=3Gi \
      --set securityContext.seccompProfile.type=RuntimeDefault \
      --atomic
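    Both Bearer deployments on this page (portal-access and api-access) only accept tokens whose iss and aud claims match ValidIssuer and ValidAudiences__0, so a 401 after deployment is more often a claims mismatch than a signature failure. The Python preflight below is an added example, not code from this page or from Glasswall: it decodes a token without verifying the signature (the service does that against the Authority's signing keys) and compares iss, aud, exp and tid with the values the Helm commands set. Azure AD v1.0 access tokens carry iss https://sts.windows.net/<tenant_id>/ (the page's ValidIssuer) and the requested resource's Application ID URI as aud; if an app registration is switched to v2.0 tokens, iss becomes https://login.microsoftonline.com/<tenant_id>/v2.0 and aud becomes the resource application's client ID, which the check reports. The tenant ID and the alg=none tokens used for testing are constructed: Azure AD never issues unsigned tokens, and make_unsigned_jwt exists only so the check can be exercised offline.

```python
import base64
import json
import sys
import time
from typing import List, Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_unverified(token: str):
    """Return (header, claims) WITHOUT checking the signature. Preflight only:
    never make an authorization decision on these claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def expected_issuer(tenant_id: str, token_version: str) -> str:
    """Issuer Azure AD places in access tokens with the given 'ver' claim."""
    if token_version == "1.0":
        return f"https://sts.windows.net/{tenant_id}/"   # the ValidIssuer on this page
    if token_version == "2.0":
        return f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    raise ValueError(f"unknown token version {token_version!r}")


def check_token_against_config(token: str, tenant_id: str, valid_audiences: List[str],
                               now: Optional[float] = None) -> List[str]:
    """Compare the token's claims with the Helm values; returns a list of
    problems (empty means the token is consistent with the configuration)."""
    problems = []
    _, claims = decode_jwt_unverified(token)
    version = str(claims.get("ver", "1.0"))
    issuer = claims.get("iss")
    configured_issuer = expected_issuer(tenant_id, "1.0")
    if version not in ("1.0", "2.0"):
        problems.append(f"unexpected ver claim {version!r}")
    elif issuer != expected_issuer(tenant_id, version):
        problems.append(f"iss {issuer!r} is not the {version} issuer for tenant {tenant_id}")
    elif issuer != configured_issuer:
        problems.append(f"iss {issuer!r} is the v2.0 issuer but ValidIssuer is configured as {configured_issuer!r}")
    audience = claims.get("aud")
    audiences = audience if isinstance(audience, list) else [audience]
    if not any(a in valid_audiences for a in audiences):
        problems.append(f"aud {audience!r} is not in ValidAudiences {valid_audiences}")
    expires = claims.get("exp")
    current = time.time() if now is None else now
    if not isinstance(expires, (int, float)) or expires <= current:
        problems.append("token is expired or carries no exp claim")
    tid = claims.get("tid")
    if tid is not None and tid != tenant_id:
        problems.append(f"tid {tid!r} differs from tenant {tenant_id}")
    return problems


def make_unsigned_jwt(claims: dict) -> str:
    """alg=none token for OFFLINE tests only (constructed input); real Azure AD tokens are RS256-signed."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    # usage: python3 check_token.py <access_token> <tenant_id> <valid_audience>
    # a real token can come from: az account get-access-token --resource api://cdrplatform-api-access --query accessToken -o tsv
    issues = check_token_against_config(sys.argv[1], sys.argv[2], [sys.argv[3]])
    print("OK: token claims match the configuration" if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```

    For the portal-access deployment, run the same check with portal_access_uri as the audience; for api-access, with api_valid_audience. The script exits non-zero when any claim disagrees, so it can be dropped into a post-deployment smoke test.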
    
