Skip to main content
Version: 2.16.0

Step 4 - Authentication

Note: this page is for integrating the Halo Portal SSO login with Azure Entra ID.

Prerequisites

  • To use SSO, select a domain for the Portal.
  • Identify the tenant_id for the desired AWS tenant.
  • Ensure the Azure CLI is installed in a machine and login using az login.
  • Run the attached shell script to create 3 app registrations and enterprise applications. Make a note of the outputs from the script which will be used in the next steps:
    • cdrplatform-api-access
    • cdrplatform-portal-access
    • cdrplatform-portal-client
bash create-azure-app-registrations.sh cleanroom.glasswall.com

Portal authentication installation

To set up SSO with AWS in Glasswall Halo's portal:

  1. SSH to the VM to run the below commands.
  • Note: The cdrplatform-portal and cdrplatform-portal-access helm charts are present in the /home/glasswall directory.
  1. Find the image tag of the portal in the cluster and set it as theimage_tagVariable.
k get deploy portal  -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2
  1. Deploy the portal with AWS IAM settings, making sure to assign the correct values to the variables below.
tenant_id=""
portal_domain=""
portal_client_id=""
portal_access_uri=""
image_tag=""
helm upgrade --install cdrplatform-portal cdrplatform-portal \
  --set image.repository=glasswallacr.azurecr.io/cdrplatform-portal \
  --set image.tag="${image_tag:?}" \
  --set image.pullPolicy=IfNotPresent \
  --set ingress.tls.enabled=true \
  --set ingress.tls.domain=${portal_domain:?} \
  --set ingress.tls.secretName=tls-secret \
  --set cloud_provider=local \
  --set resources.requests.cpu=500m \
  --set resources.requests.memory=500Mi \
  --set resources.limits.cpu=500m \
  --set resources.limits.memory=500Mi \
  --set securityContext.seccompProfile.type=RuntimeDefault \
  --set configuration.BackendScope="${portal_access_uri}/PortalUserScope" \
  --set configuration.BackendUrl="https://${portal_domain}" \
  --set configuration.EnabledPages="SystemSettings\,PolicySettings" \
  --set configuration.OIDC.ProviderOptions.Authority="https://login.microsoftonline.com/${tenant_id:?}/v2.0" \
  --set configuration.OIDC.ProviderOptions.RedirectUri="https://${portal_domain}/authentication/login-callback" \
  --set configuration.OIDC.ProviderOptions.ClientId="${portal_client_id}" \
  --set configuration.OIDC.ProviderOptions.PostLogoutRedirectUri="https://${portal_domain}/authentication/logout-callback" \
  --atomic
  1. Find the image tag of portal-access in the cluster and set it as theimage_tagVariable.
k get deploy portal-access  -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2
  1. Deploy portal access with Azure AD configuration:
tenant_id=""
portal_domain=""
portal_access_uri=""
image_tag=""
helm upgrade --install cdrplatform-portal-access cdrplatform-portal-access \
  --set image.repository=glasswallacr.azurecr.io/cdrplatform-portal-access \
  --set image.tag="${image_tag:?}" \
  --set image.pullPolicy=IfNotPresent \
  --set ingress.tls.enabled=true \
  --set ingress.tls.domain=${portal_domain:?} \
  --set ingress.tls.secretName=tls-secret \
  --set cloud_provider=local \
  --set resources.requests.cpu=1 \
  --set resources.requests.memory=2Gi \
  --set resources.limits.cpu=1 \
  --set resources.limits.memory=2Gi \
  --set securityContext.seccompProfile.type=RuntimeDefault \
  --set configuration.AuthenticationScheme=Bearer \
  --set configuration.Authentication__Schemes__Bearer__ValidAudiences__0="${portal_access_uri}" \
  --set configuration.Authentication__Schemes__Bearer__ValidIssuer=https://sts.windows.net/${tenant_id:?}/ \
  --set configuration.Authentication__Schemes__Bearer__Authority=https://login.microsoftonline.com/${tenant_id}/v2.0/ \
  --atomic

  1. Open the portal domain in a browser and click Login with SSO in the bottom left.

  2. Log in through Azure AD and grant the app permissions for the organization.

API authentication

API authentication can be configured in 2 ways:

Basic authentication installation

  1. SSH to the VM to run the commands below.

Note: the cdrplatform-api-access Helm chart is present in the /home/glasswall directory.

  1. Set the Username and Password in the command below. Use commas to separate multiple passwords.
bash add_secrets.sh organisation0-id <username>
bash add_secrets.sh organisation0-tokens <password>
  1. Deploy API-access with basic authentication.
image_tag=$(k get deploy api-access  -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2)
enable_tls="true" OR "false"
api_domain="" # ignore if enable_tls is false
helm upgrade --install cdrplatform-api-access cdrplatform-api-access \
  --set image.tag="${image_tag:?}" \
  --set image.pullPolicy=IfNotPresent \
  --set image.repository="glasswallacr.azurecr.io/cdrplatform-api-access" \
  --set ingress.tls.enabled="${enable_tls:?}" \
  --set ingress.tls.domain="${api_domain}" \
  --set configuration.CLIENTS__Policy__BaseAddress="http://policy-api:8080" \
  --set configuration.CLIENTS__License__BaseAddress="http://license-management.license-management.svc.cluster.local:8080" \
  --set configuration.CLIENTS__AsyncApi__BaseAddress="http://async-api:8080" \
  --set configuration.AuthenticationScheme="Basic" \
  --set cloud_provider=local \
  --set resources.requests.cpu=1 \
  --set resources.requests.memory=3Gi \
  --set resources.limits.cpu=1 \
  --set resources.limits.memory=3Gi \
  --set securityContext.seccompProfile.type=RuntimeDefault \
  --atomic

Bearer authentication installation

  1. Identify the tenant_id for the desired Azure tenant.

  2. SSH to the VM to run the commands below.

Note: the cdrplatform-API-access Helm chart should be present in the /home/glasswall directory.

  1. Deploy API-access with Azure AD configuration.
tenant_id=""
api_valid_audience="api://cdrplatform-api-access"
image_tag=$(k get deploy api-access  -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2)
enable_tls="true" OR "false"
api_domain="" # ignore if enable_tls is false
helm upgrade --install cdrplatform-api-access cdrplatform-api-access \
  --set image.tag="${image_tag}" \
  --set image.pullPolicy=IfNotPresent \
  --set image.repository="glasswallacr.azurecr.io/cdrplatform-api-access" \
  --set ingress.tls.enabled="${enable_tls}" \
  --set ingress.tls.domain="${api_domain}" \
  --set configuration.CLIENTS__Policy__BaseAddress="http://policy-api:8080" \
  --set configuration.CLIENTS__License__BaseAddress="http://license-management.license-management.svc.cluster.local:8080" \
  --set configuration.CLIENTS__AsyncApi__BaseAddress="http://async-api:8080" \
  --set configuration.AuthenticationScheme="Bearer" \
  --set configuration.Authentication__Schemes__Bearer__ValidAudiences__0="${api_valid_audience}" \
  --set configuration.Authentication__Schemes__Bearer__ValidIssuer=https://sts.windows.net/${tenant_id}/ \
  --set configuration.Authentication__Schemes__Bearer__Authority=https://login.microsoftonline.com/${tenant_id}/v2.0/ \
  --set cloud_provider=local \
  --set resources.requests.cpu=1 \
  --set resources.requests.memory=3Gi \
  --set resources.limits.cpu=1 \
  --set resources.limits.memory=3Gi \
  --set securityContext.seccompProfile.type=RuntimeDefault \
  --atomic

Congratulations, you have successfully deployed Glasswall Halo!

Last updated on