Authentication

    Article summary

    Glasswall Halo can be configured to enable Single Sign-On (SSO) with OpenID Connect (OIDC).

    SSO is an authentication method that allows users to sign in using one set of credentials to multiple independent software systems. Using SSO means a user doesn't have to sign in to every application they use.

    Below is the information on how to configure SSO for your Glasswall Halo solution using Microsoft Entra ID as the identity and access management (IAM) provider, also referred to as the identity provider (IdP).

    In principle, any IAM provider or IdP that supports OIDC can be configured to provide SSO for Glasswall Halo.

    Prerequisites for Microsoft Entra ID integration

    • A Microsoft Enterprise Agreement for a Microsoft Entra ID account is required to enable this SSO option.

    • A domain name must be configured for the Halo portal (Portal Service) to use SSO authentication.

    • Azure App registrations are required whenever SSO authentication using Microsoft Entra ID needs to be enabled.

    • Ensure the Azure CLI is installed on a machine and log in using az login.

    • There are three App registrations that need to be created:

      • cdrplatform-api-access
      • cdrplatform-portal-access
      • cdrplatform-portal-client

    Installation

    1. Run the attached shell script to create the three App registrations and their Enterprise applications, passing the portal domain as the argument. Note the outputs from the script; they are used in the next steps.

      • cdrplatform-api-access
      • cdrplatform-portal-access
      • cdrplatform-portal-client
    bash create-azure-app-registrations.sh cleanroom.glasswall.com
    
    2. SSH to the VM to run the commands below.

    3. The cdrplatform-portal and cdrplatform-portal-access Helm charts are present in the /home/glasswall directory.

    4. Get the image tag of the portal deployment running in the cluster (k is used here as an alias for kubectl). Set the output value as the image_tag variable:

    k get deploy portal  -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2
    
    5. Deploy the portal with Microsoft Entra ID (formerly Azure AD) configuration. Set the variables, then run the helm command:
    tenant_id=""
    portal_domain=""
    portal_client_id=""
    portal_access_uri=""
    image_tag=""
    helm upgrade --install cdrplatform-portal cdrplatform-portal \
      --set image.repository=glasswallacr.azurecr.io/cdrplatform-portal \
      --set image.tag="${image_tag:?}" \
      --set image.pullPolicy=IfNotPresent \
      --set ingress.tls.enabled=true \
      --set ingress.tls.domain=${portal_domain:?} \
      --set ingress.tls.secretName=tls-secret \
      --set cloud_provider=local \
      --set resources.requests.cpu=500m \
      --set resources.requests.memory=500Mi \
      --set resources.limits.cpu=500m \
      --set resources.limits.memory=500Mi \
      --set securityContext.seccompProfile.type=RuntimeDefault \
      --set configuration.BackendScope="${portal_access_uri}/PortalUserScope" \
      --set configuration.BackendUrl="https://${portal_domain}" \
      --set configuration.EnabledPages="SystemSettings\,PolicySettings" \
      --set configuration.OIDC.ProviderOptions.Authority="https://login.microsoftonline.com/${tenant_id:?}/v2.0" \
      --set configuration.OIDC.ProviderOptions.RedirectUri="https://${portal_domain}/authentication/login-callback" \
      --set configuration.OIDC.ProviderOptions.ClientId="${portal_client_id}" \
      --set configuration.OIDC.ProviderOptions.PostLogoutRedirectUri="https://${portal_domain}/authentication/logout-callback" \
      --atomic
    
    6. Get the image tag of portal-access running in the cluster. Set the output value as the image_tag variable:
    k get deploy portal-access  -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2
    
    7. Deploy portal-access with Entra ID configuration:
    • Set the tenant_id, portal_domain and portal_access_uri variables in the commands below and run them.
    • tenant_id is the ID of the tenant in which the App registrations were created.
    • portal_domain is the domain name used to set up TLS for the portal service; it is the same domain used in the cdrplatform-portal-client App registration.
    • portal_access_uri is the URI that identifies the portal-access application; it is used to denote the location of the portal and is the audience that portal-access accepts in tokens.
    tenant_id=""
    portal_domain=""
    portal_access_uri=""
    image_tag=""
    helm upgrade --install cdrplatform-portal-access cdrplatform-portal-access \
      --set image.repository=glasswallacr.azurecr.io/cdrplatform-portal-access \
      --set image.tag="${image_tag:?}" \
      --set image.pullPolicy=IfNotPresent \
      --set ingress.tls.enabled=true \
      --set ingress.tls.domain=${portal_domain:?} \
      --set ingress.tls.secretName=tls-secret \
      --set cloud_provider=local \
      --set resources.requests.cpu=1 \
      --set resources.requests.memory=2Gi \
      --set resources.limits.cpu=1 \
      --set resources.limits.memory=2Gi \
      --set securityContext.seccompProfile.type=RuntimeDefault \
      --set configuration.AuthenticationScheme=Bearer \
      --set configuration.Authentication__Schemes__Bearer__ValidAudiences__0="${portal_access_uri}" \
      --set configuration.Authentication__Schemes__Bearer__ValidIssuer=https://sts.windows.net/${tenant_id:?}/ \
      --set configuration.Authentication__Schemes__Bearer__Authority=https://login.microsoftonline.com/${tenant_id}/v2.0/ \
      --atomic
    
    8. Now open the portal domain in a browser and click Login with SSO at the bottom left of the screen.
    9. Follow the login process via Entra ID. The first time, grant the application the permissions it requires on behalf of the organisation.

    Learn more via Microsoft Application Management Documentation

    API Authentication

    API authentication can be configured in one of two ways:

    • Basic authentication
    • Bearer authentication

    Basic Authentication Installation

    1. SSH to the VM to run the commands below.

    2. The cdrplatform-api-access Helm chart is present in the /home/glasswall directory.

    3. Set credentials in the cluster by filling in a username and password in the command below. Multiple passwords can be configured by separating them with commas.

    secret_exists=$(kubectl get secret cdrplatform-secrets --ignore-not-found)
    if [[ -z "$secret_exists" ]]; then
      kubectl create secret generic cdrplatform-secrets \
      --from-literal=organisation0-id=<username> \
      --from-literal=organisation0-tokens=<password>
    else
      kubectl patch secret cdrplatform-secrets -p="{\"stringData\":{\"organisation0-id\": \"<username>\",\"organisation0-tokens\": \"<password>\"}}"
    fi
    
    4. To set an API key for the Menlo API, create or update cdrplatform-secrets with a menlo-api-key entry.
      1. Make sure to set the menlo_api_authentication value to ApiKey in the deployment step below.
      2. The Base64-encoded value of the API key can then be used as the Bearer token in the Authorization header when making requests to the Menlo API.
    secret_exists=$(kubectl get secret cdrplatform-secrets --ignore-not-found)
    if [[ -z "$secret_exists" ]]; then
      kubectl create secret generic cdrplatform-secrets \
      --from-literal=menlo-api-key=<menlo-api-key>
    else
      kubectl patch secret cdrplatform-secrets -p="{\"stringData\":{\"menlo-api-key\": \"<menlo-api-key>\"}}"
    fi
    
    5. Get the image tag of api-access running in the cluster. Set the output value as the image_tag variable:
    k get deploy api-access  -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2
    
    6. Deploy api-access with Basic authentication:
    image_tag=""
    menlo_api_authentication="None|ApiKey"
    enable_tls="true|false"
    api_domain="" # ignore if enable_tls is false
    helm upgrade --install cdrplatform-api-access cdrplatform-api-access \
      --set image.tag="${image_tag:?}" \
      --set image.pullPolicy=IfNotPresent \
      --set image.repository="glasswallacr.azurecr.io/cdrplatform-api-access" \
      --set ingress.tls.enabled="${enable_tls:?}" \
      --set ingress.tls.domain="${api_domain}" \
      --set configuration.CLIENTS__Policy__BaseAddress="http://policy-api:8080" \
      --set configuration.CLIENTS__License__BaseAddress="http://license-management.license-management.svc.cluster.local:8080" \
      --set configuration.CLIENTS__AsyncApi__BaseAddress="http://async-api:8080" \
      --set configuration.AuthenticationScheme="Basic" \
      --set configuration.MenloAuthenticationScheme="${menlo_api_authentication}" \
      --set cloud_provider=local \
      --set resources.requests.cpu=1 \
      --set resources.requests.memory=3Gi \
      --set resources.limits.cpu=1 \
      --set resources.limits.memory=3Gi \
      --set securityContext.seccompProfile.type=RuntimeDefault \
      --atomic
    
    
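    The Basic credentials configured above are the organisation0-id username and the comma-separated organisation0-tokens passwords, and api-access is told to use them with configuration.AuthenticationScheme=Basic. The Python example below is added here and is not code from Glasswall Halo or its charts; the service's own comparison logic is not shown on this page. It models the documented secret layout with constructed values and shows what a verifier for that layout has to do: parse the Authorization header, split the decoded credentials on the first colon only, and compare the password against every configured token in constant time.

```python
import base64
import binascii
import hmac

# Constructed sample values standing in for the organisation0-id and
# organisation0-tokens entries of the cdrplatform-secrets Secret
# (one username, comma-separated passwords). Not real credentials.
ORG_ID = "acme"
ORG_TOKENS = "s3cr3t-one,s3cr3t-two"


def build_basic_header(username: str, password: str) -> str:
    """Build the Authorization header value a client sends for Basic auth."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(header: str):
    """Return (username, password), or None for a malformed header."""
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: split on the first colon only; passwords may contain ':'.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def verify_basic(header: str, org_id: str = ORG_ID, org_tokens: str = ORG_TOKENS) -> bool:
    """Accept the request if the username matches and the password is any configured token."""
    creds = parse_basic_header(header)
    if creds is None:
        return False
    username, password = creds
    tokens = [t for t in org_tokens.split(",") if t]
    # Constant-time comparisons, and the whole token list is always walked, so
    # response time does not reveal which token (if any) was a near match.
    user_ok = hmac.compare_digest(username.encode(), org_id.encode())
    token_ok = False
    for token in tokens:
        token_ok |= hmac.compare_digest(password.encode(), token.encode())
    return user_ok and token_ok


if __name__ == "__main__":
    print(verify_basic(build_basic_header("acme", "s3cr3t-two")))  # True
    print(verify_basic(build_basic_header("acme", "wrong")))       # False
```

    A request carrying build_basic_header(username, password) as its Authorization header is what curl -u username:password sends; rotating a password means appending the new token to organisation0-tokens, letting clients move over, then removing the old one.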

    Bearer Authentication Installation

    1. Identify the tenant_id of the Azure tenant to be used.

    2. SSH to the VM to run the commands below.

    3. The cdrplatform-api-access Helm chart should be present in the /home/glasswall directory.

    4. Get the image tag of api-access running in the cluster. Set the output value as the image_tag variable:

    k get deploy api-access  -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2
    
    5. Deploy api-access with Microsoft Entra ID (formerly Azure AD) configuration:
    tenant_id=""
    api_valid_audience="api://cdrplatform-api-access"
    image_tag=""
    menlo_api_authentication="None|ApiKey"
    enable_tls="true|false"
    api_domain="" # ignore if enable_tls is false
    helm upgrade --install cdrplatform-api-access cdrplatform-api-access \
      --set image.tag="${image_tag:?}" \
      --set image.pullPolicy=IfNotPresent \
      --set image.repository="glasswallacr.azurecr.io/cdrplatform-api-access" \
      --set ingress.tls.enabled="${enable_tls:?}" \
      --set ingress.tls.domain="${api_domain}" \
      --set configuration.CLIENTS__Policy__BaseAddress="http://policy-api:8080" \
      --set configuration.CLIENTS__License__BaseAddress="http://license-management.license-management.svc.cluster.local:8080" \
      --set configuration.CLIENTS__AsyncApi__BaseAddress="http://async-api:8080" \
      --set configuration.AuthenticationScheme="Bearer" \
      --set configuration.MenloAuthenticationScheme="${menlo_api_authentication}" \
      --set configuration.Authentication__Schemes__Bearer__ValidAudiences__0="${api_valid_audience}" \
      --set configuration.Authentication__Schemes__Bearer__ValidIssuer=https://sts.windows.net/${tenant_id:?}/ \
      --set configuration.Authentication__Schemes__Bearer__Authority=https://login.microsoftonline.com/${tenant_id}/v2.0/ \
      --set cloud_provider=local \
      --set resources.requests.cpu=1 \
      --set resources.requests.memory=3Gi \
      --set resources.limits.cpu=1 \
      --set resources.limits.memory=3Gi \
      --set securityContext.seccompProfile.type=RuntimeDefault \
      --atomic
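    Both Bearer deployments on this page (portal-access in the SSO section and api-access here) pin ValidIssuer to https://sts.windows.net/<tenant_id>/ and ValidAudiences to the application's own URI, so a token that is validly signed but issued by another tenant, or issued for another application, is rejected. The Python example below is added here and is not Glasswall's code; it walks through those checks on constructed tokens: signature, expected alg, exact issuer match (trailing slash included), audience given as a string or a list, and the exp/nbf window. It signs with an HMAC key so that it runs offline, whereas Entra ID signs with RS256 keys published by the authority; the claim checks are the same either way. The tenant ID and key are placeholders.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed values standing in for the chart settings on this page:
#   Authentication__Schemes__Bearer__ValidIssuer      = https://sts.windows.net/<tenant_id>/
#   Authentication__Schemes__Bearer__ValidAudiences__0 = api://cdrplatform-api-access
TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real tenant
VALID_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"
VALID_AUDIENCES = ["api://cdrplatform-api-access"]

# Stand-in for the issuer's signing key; Entra ID uses RS256 public keys
# fetched from the authority's discovery document instead.
SIGNING_KEY = b"constructed-test-key-not-a-real-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Create a compact HS256 JWT for the sample; stands in for an Entra-issued token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_bearer(token: str, valid_issuer: str = VALID_ISSUER,
                    valid_audiences=VALID_AUDIENCES, key: bytes = SIGNING_KEY,
                    now=None):
    """Return (ok, reason); the checks behind ValidIssuer / ValidAudiences."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        sig = _b64url_decode(parts[2])
    except (ValueError, binascii.Error):
        return False, "undecodable"
    # Never accept an unsigned token or one whose alg differs from the expected one.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    # Issuer must match exactly, trailing slash included: a token from another
    # tenant has a different iss and is rejected even though it is validly signed.
    if claims.get("iss") != valid_issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if not any(a in valid_audiences for a in aud_list):
        return False, "audience mismatch"
    # Time window: exp is mandatory, nbf optional; allow a little clock skew.
    skew = 60
    if "exp" not in claims or now > claims["exp"] + skew:
        return False, "expired"
    if now + skew < claims.get("nbf", 0):
        return False, "not yet valid"
    return True, "ok"


if __name__ == "__main__":
    now = int(time.time())
    good = mint_token({"iss": VALID_ISSUER, "aud": VALID_AUDIENCES[0], "exp": now + 600})
    print(validate_bearer(good, now=now))  # (True, 'ok')
```

    The issuer comparison is why the tenant_id in ValidIssuer must be the tenant that created the App registrations: a typo there, or a missing trailing slash, makes every token fail with an issuer mismatch rather than a signature error.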
    
