Authentication

    Article summary

    Glasswall Halo's Portal supports SSO authentication using Azure AD. Follow the steps below to set up the integration with Azure AD.

    Azure AD Authentication

    Prerequisites

    • Identify the domain name which needs to be configured for the Portal service to use the SSO authentication.
    • Identify the tenant_id for the Azure tenant to be used.
    • Ensure Azure CLI is installed in a machine and login using az login.

    Installation

    1. Run the attached shell script to create 3 App registrations and Enterprise applications. Note the outputs from the script, which are used in the next steps.

      • cdrplatform-api-access
      • cdrplatform-portal-access
      • cdrplatform-portal-client
    bash create-azure-app-registrations.sh cleanroom.glasswall.com
    
    2. SSH to the VM to run the commands below.

    3. The cdrplatform-portal and cdrplatform-portal-access Helm charts are present in the /home/glasswall directory.

    4. Get the image tag of portal-access running in the cluster. The output value of the command should be set to the image_tag variable:

    kubectl get deploy portal-access -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2
    
    5. Deploy portal access with Azure AD configuration. All four variables are required; the ${var:?} expansion aborts the command if one is left empty:
    tenant_id=""          # Azure tenant id from the prerequisites
    portal_domain=""      # Portal domain name from the prerequisites
    portal_access_uri=""  # noted from the script output in step 1
    image_tag=""          # value from step 4
    helm upgrade --install cdrplatform-portal-access cdrplatform-portal-access \
      --set image.repository=glasswallacr.azurecr.io/cdrplatform-portal-access \
      --set image.tag="${image_tag:?}" \
      --set image.pullPolicy=IfNotPresent \
      --set ingress.tls.enabled=true \
      --set ingress.tls.domain="${portal_domain:?}" \
      --set ingress.tls.secretName=tls-secret \
      --set cloud_provider=local \
      --set resources.requests.cpu=1 \
      --set resources.requests.memory=2Gi \
      --set resources.limits.cpu=1 \
      --set resources.limits.memory=2Gi \
      --set securityContext.seccompProfile.type=RuntimeDefault \
      --set configuration.AuthenticationScheme=Bearer \
      --set configuration.Authentication__Schemes__Bearer__ValidAudiences__0="${portal_access_uri:?}" \
      --set configuration.Authentication__Schemes__Bearer__ValidIssuer="https://sts.windows.net/${tenant_id:?}/" \
      --set configuration.Authentication__Schemes__Bearer__Authority="https://login.microsoftonline.com/${tenant_id:?}/v2.0/" \
      --atomic
    
    6. Now open the portal domain in a browser and click Login with SSO at the bottom left of the screen.
    7. Follow the login process via Azure AD and, on first login, grant the App the required permissions on behalf of the organisation.

    API Authentication

    API authentication can be configured in 2 ways:

    • Basic authentication
    • Bearer authentication

    Basic Authentication Installation

    1. SSH to the VM to run the commands below.

    2. The cdrplatform-api-access Helm chart is present in the /home/glasswall directory.

    3. Set credentials in the cluster by setting a username and password in the command below. Multiple passwords can be configured by separating them with a comma.

    secret_exists=$(kubectl get secret cdrplatform-secrets --ignore-not-found)
    if [[ -z "$secret_exists" ]]; then
      kubectl create secret generic cdrplatform-secrets \
      --from-literal=organisation0-id=<username> \
      --from-literal=organisation0-tokens=<password>
    else
      kubectl patch secret cdrplatform-secrets -p="{\"stringData\":{\"organisation0-id\": \"<username>\",\"organisation0-tokens\": \"<password>\"}}"
    fi
    
    4. To set an API key for the Menlo API, create or update the cdrplatform-secrets secret with menlo-api-key.
      1. Make sure to set the menlo_api_authentication value to ApiKey in step 6.
      2. The Base64 encoded value of the ApiKey can then be used as the Bearer token in the Authorization header when making requests to the Menlo API.
    secret_exists=$(kubectl get secret cdrplatform-secrets --ignore-not-found)
    if [[ -z "$secret_exists" ]]; then
      kubectl create secret generic cdrplatform-secrets \
      --from-literal=menlo-api-key=<menlo-api-key>
    else
      kubectl patch secret cdrplatform-secrets -p="{\"stringData\":{\"menlo-api-key\": \"<menlo-api-key>\"}}"
    fi
    
    5. Get the image tag of api-access running in the cluster. The output value of the command should be set to the image_tag variable:
    kubectl get deploy api-access -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2
    
    6. Deploy api-access with Basic authentication:
    image_tag=""                   # value from step 5
    menlo_api_authentication=""    # None or ApiKey (ApiKey if menlo-api-key was set in step 4)
    enable_tls=""                  # true or false
    api_domain=""                  # ignore if enable_tls is false
    helm upgrade --install cdrplatform-api-access cdrplatform-api-access \
      --set image.tag="${image_tag:?}" \
      --set image.pullPolicy=IfNotPresent \
      --set image.repository="glasswallacr.azurecr.io/cdrplatform-api-access" \
      --set ingress.tls.enabled="${enable_tls:?}" \
      --set ingress.tls.domain="${api_domain}" \
      --set configuration.CLIENTS__Policy__BaseAddress="http://policy-api:8080" \
      --set configuration.CLIENTS__License__BaseAddress="http://license-management.license-management.svc.cluster.local:8080" \
      --set configuration.CLIENTS__AsyncApi__BaseAddress="http://async-api:8080" \
      --set configuration.AuthenticationScheme="Basic" \
      --set configuration.MenloAuthenticationScheme="${menlo_api_authentication:?}" \
      --set cloud_provider=local \
      --set resources.requests.cpu=1 \
      --set resources.requests.memory=3Gi \
      --set resources.limits.cpu=1 \
      --set resources.limits.memory=3Gi \
      --set securityContext.seccompProfile.type=RuntimeDefault \
      --atomic
    

    Bearer Authentication installation

    1. Identify the tenant_id for the Azure tenant to be used.

    2. SSH to the VM to run the commands below.

    3. The cdrplatform-api-access Helm chart should be present in the /home/glasswall directory.

    4. Get the image tag of api-access running in the cluster. The output value of the command should be set to the image_tag variable:

    kubectl get deploy api-access -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2
    
    5. Deploy api-access with Azure AD configuration. Tokens are accepted only if they are issued by this tenant (ValidIssuer) and carry the configured audience (ValidAudiences); the ${var:?} expansion aborts the command if a required variable is left empty:
    tenant_id=""                   # value from step 1
    api_valid_audience="api://cdrplatform-api-access"
    image_tag=""                   # value from step 4
    menlo_api_authentication=""    # None or ApiKey
    enable_tls=""                  # true or false
    api_domain=""                  # ignore if enable_tls is false
    helm upgrade --install cdrplatform-api-access cdrplatform-api-access \
      --set image.tag="${image_tag:?}" \
      --set image.pullPolicy=IfNotPresent \
      --set image.repository="glasswallacr.azurecr.io/cdrplatform-api-access" \
      --set ingress.tls.enabled="${enable_tls:?}" \
      --set ingress.tls.domain="${api_domain}" \
      --set configuration.CLIENTS__Policy__BaseAddress="http://policy-api:8080" \
      --set configuration.CLIENTS__License__BaseAddress="http://license-management.license-management.svc.cluster.local:8080" \
      --set configuration.CLIENTS__AsyncApi__BaseAddress="http://async-api:8080" \
      --set configuration.AuthenticationScheme="Bearer" \
      --set configuration.MenloAuthenticationScheme="${menlo_api_authentication:?}" \
      --set configuration.Authentication__Schemes__Bearer__ValidAudiences__0="${api_valid_audience:?}" \
      --set configuration.Authentication__Schemes__Bearer__ValidIssuer="https://sts.windows.net/${tenant_id:?}/" \
      --set configuration.Authentication__Schemes__Bearer__Authority="https://login.microsoftonline.com/${tenant_id:?}/v2.0/" \
      --set cloud_provider=local \
      --set resources.requests.cpu=1 \
      --set resources.requests.memory=3Gi \
      --set resources.limits.cpu=1 \
      --set resources.limits.memory=3Gi \
      --set securityContext.seccompProfile.type=RuntimeDefault \
      --atomic
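    The checks that the Basic and Bearer deployments above configure (organisation0-id and the comma-separated organisation0-tokens for Basic; ValidIssuer and ValidAudiences for Bearer, the same keys the portal-access chart uses), reproduced in Python as an added example that is not Glasswall's code. To run offline it signs test tokens with a constructed HS256 key; real Azure AD tokens are RS256-signed with keys published under the Authority URL, which the service fetches itself, and the tenant id, organisation id and passwords below are placeholders.

```python
import base64
import hashlib
import hmac
import json

TENANT_ID = "00000000-0000-0000-0000-000000000000"            # placeholder tenant id
VALID_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"        # ...Bearer__ValidIssuer
VALID_AUDIENCES = ["api://cdrplatform-api-access"]             # ...Bearer__ValidAudiences__0
ORG_ID = "organisation0"                                       # organisation0-id (constructed)
ORG_TOKENS = "first-password,second-password".split(",")       # organisation0-tokens, comma-separated

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def check_basic(credentials: str) -> bool:
    """Basic scheme: base64(username:password); any one of the configured passwords is accepted."""
    try:
        user, _, password = base64.b64decode(credentials).decode().partition(":")
    except ValueError:  # bad base64 (binascii.Error) and bad UTF-8 are both ValueErrors
        return False
    user_ok = hmac.compare_digest(user.encode(), ORG_ID.encode())
    return user_ok and any(hmac.compare_digest(password.encode(), t.encode()) for t in ORG_TOKENS)

def make_token(claims: dict, key: bytes) -> str:
    """Constructed HS256 JWT for testing only; Azure AD issues RS256 tokens."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def check_bearer(token: str, key: bytes, now: float) -> dict:
    """Bearer scheme: verify the signature, then issuer, audience and expiry; None if any check fails."""
    try:
        head, body, sig = token.split(".")
        claims = json.loads(_b64url_decode(body))
        signature = _b64url_decode(sig)
    except ValueError:
        return None
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # signature before any claim is trusted
        return None
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]   # 'aud' may be a string or a list
    if claims.get("iss") != VALID_ISSUER or not any(a in VALID_AUDIENCES for a in audiences):
        return None
    if claims.get("exp", 0) <= now:                        # 'exp' is seconds since the epoch
        return None
    return claims
```

    In a real check pass time.time() as now; the wrong-issuer and wrong-audience cases are what ValidIssuer and ValidAudiences reject in the deployed service.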
    
