Contents x
Authentication
    • PDF
    Contents

    Authentication

      • PDF
      Article summary

      Glasswall Halo's Portal supports SSO authentication using Azure AD. Follow below steps to setup integration with Azure AD

      Azure AD Authentication

      Prerequisites

      • Identify the domain name which needs to be configured for the Portal service to use the SSO authentication.
      • Identify the tenant_id for the Azure tenant to be used.
      • Ensure Azure CLI is installed in a machine and login using az login.

      Installation

      1. Run the attached shell script to create 3 App registrations and Enterprise applications. Note the outputs from the script which will be used in the next steps.

        • cdrplatform-api-access
        • cdrplatform-portal-access
        • cdrplatform-portal-client
      bash create-azure-app-registrations.sh cleanroom.glasswall.com

      1. SSH to the VM to run the commands below.

      2. The cdrplatform-portal and cdrplatform-portal-access Helm charts are present in the /home/glasswall directory.

      3. Get the image tag of portal-access running in the cluster. The output value of the command should be set to image_tag variable:

      k get deploy portal-access  -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2
      1. Deploy portal access with Azure AD configuration:
      tenant_id=""
portal_domain=""
portal_access_uri=""
image_tag=""
helm upgrade --install cdrplatform-portal-access cdrplatform-portal-access \
  --set image.repository=glasswallacr.azurecr.io/cdrplatform-portal-access \
  --set image.tag="${image_tag:?}" \
  --set image.pullPolicy=IfNotPresent \
  --set ingress.tls.enabled=true \
  --set ingress.tls.domain=${portal_domain:?} \
  --set ingress.tls.secretName=tls-secret \
  --set cloud_provider=local \
  --set resources.requests.cpu=1 \
  --set resources.requests.memory=2Gi \
  --set resources.limits.cpu=1 \
  --set resources.limits.memory=2Gi \
  --set securityContext.seccompProfile.type=RuntimeDefault \
  --set configuration.AuthenticationScheme=Bearer \
  --set configuration.Authentication__Schemes__Bearer__ValidAudiences__0="${portal_access_uri}" \
  --set configuration.Authentication__Schemes__Bearer__ValidIssuer=https://sts.windows.net/${tenant_id:?}/ \
  --set configuration.Authentication__Schemes__Bearer__Authority=https://login.microsoftonline.com/${tenant_id}/v2.0/ \
  --atomic
      1. Now open the portal domain in a browser and click Login with SSO on the bottom left of the screen.
      2. Follow the login process via Azure AD and grant the App required permissions on behalf of the organisation for the first time.

      API Authentication

      API authentication can be configured in 2 ways:

      • Basic authentication
      • Bearer authentication

      Basic Authentication Installation

      1. SSH to the VM to run the below commands.

      2. The cdrplatform-api-access Helm chart is present in the /home/glasswall directory.

      3. Set credentials in the cluster by setting a username and password in the command below. Multiple passwords can be configured by separating them by a comma.

      secret_exists=$(kubectl get secret cdrplatform-secrets --ignore-not-found)
if [[ -z "$secret_exists" ]]; then
  kubectl create secret generic cdrplatform-secrets \
  --from-literal=organisation0-id=<username> \
  --from-literal=organisation0-tokens=<password>
else
  kubectl patch secret cdrplatform-secrets -p="{\"stringData\":{\"organisation0-id\": \"<username>\",\"organisation0-tokens\": \"<password>\"}}"
fi
      1. To set an API key for Menlo API create or update the cdrplatform-secrets with menlo-api-key.
        1. Make sure to set menlo_api_authentication value to ApiKey in the next step.
        2. Then the Base64 encoded value of ApiKey can be used as Bearer token in the Authorization header while making the requests to Menlo API.
      secret_exists=$(kubectl get secret cdrplatform-secrets --ignore-not-found)
if [[ -z "$secret_exists" ]]; then
  kubectl create secret generic cdrplatform-secrets \
  --from-literal=menlo-api-key=<menlo-api-key>
else
  kubectl patch secret cdrplatform-secrets -p="{\"stringData\":{\"menlo-api-key\": \"<menlo-api-key>\"}}"
fi
      1. Get the image tag of api-access running in the cluster. The output value of the command should be set to image_tag variable:
      k get deploy api-access  -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2
      1. Deploy api-access with Basic authentication:
      image_tag=""
menlo_api_authentication="None|ApiKey"
enable_tls="true|false"
api_domain="" # ignore if enable_tls is false
helm upgrade --install cdrplatform-api-access cdrplatform-api-access \
  --set image.tag="${image_tag:?}" \
  --set image.pullPolicy=IfNotPresent \
  --set image.repository="glasswallacr.azurecr.io/cdrplatform-api-access" \
  --set ingress.tls.enabled="${enable_tls:?}" \
  --set ingress.tls.domain="${api_domain}" \
  --set configuration.CLIENTS__Policy__BaseAddress="http://policy-api:8080" \
  --set configuration.CLIENTS__License__BaseAddress="http://license-management.license-management.svc.cluster.local:8080" \
  --set configuration.CLIENTS__AsyncApi__BaseAddress="http://async-api:8080" \
  --set configuration.AuthenticationScheme="Basic" \
  --set configuration.MenloAuthenticationScheme="${menlo_api_authentication}" \
  --set cloud_provider=local \
  --set resources.requests.cpu=1 \
  --set resources.requests.memory=3Gi \
  --set resources.limits.cpu=1 \
  --set resources.limits.memory=3Gi \
  --set securityContext.seccompProfile.type=RuntimeDefault \
  --atomic

      Bearer Authentication installation

      1. Identify the tenant_id for the Azure tenant to be used.

      2. SSH to the VM to run the below commands.

      3. The cdrplatform-api-access Helm chart should be present in the /home/glasswall directory.

      4. Get the image tag of api-access running in the cluster. The output value of the command should be set to image_tag variable:

      k get deploy api-access  -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2
      1. Deploy api-access with Azure AD configuration:
      tenant_id=""
api_valid_audience="api://cdrplatform-api-access"
image_tag=""
menlo_api_authentication="None|ApiKey"
enable_tls="true|false"
api_domain="" # ignore if enable_tls is false
helm upgrade --install cdrplatform-api-access cdrplatform-api-access \
  --set image.tag="${image_tag}" \
  --set image.pullPolicy=IfNotPresent \
  --set image.repository="glasswallacr.azurecr.io/cdrplatform-api-access" \
  --set ingress.tls.enabled="${enable_tls}" \
  --set ingress.tls.domain="${api_domain}" \
  --set configuration.CLIENTS__Policy__BaseAddress="http://policy-api:8080" \
  --set configuration.CLIENTS__License__BaseAddress="http://license-management.license-management.svc.cluster.local:8080" \
  --set configuration.CLIENTS__AsyncApi__BaseAddress="http://async-api:8080" \
  --set configuration.AuthenticationScheme="Bearer" \
  --set configuration.MenloAuthenticationScheme="${menlo_api_authentication}" \
  --set configuration.Authentication__Schemes__Bearer__ValidAudiences__0="${api_valid_audience}" \
  --set configuration.Authentication__Schemes__Bearer__ValidIssuer=https://sts.windows.net/${tenant_id}/ \
  --set configuration.Authentication__Schemes__Bearer__Authority=https://login.microsoftonline.com/${tenant_id}/v2.0/ \
  --set cloud_provider=local \
  --set resources.requests.cpu=1 \
  --set resources.requests.memory=3Gi \
  --set resources.limits.cpu=1 \
  --set resources.limits.memory=3Gi \
  --set securityContext.seccompProfile.type=RuntimeDefault \
  --atomic
      Was this article helpful?
      What's Next