**Note:** this page is for integrating the Halo Portal SSO login with Azure Entra ID.

## Prerequisites

- To use SSO, select a domain for the Portal.
- Identify the `tenant_id` for the desired Azure tenant.
- Ensure the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) is installed on a machine and log in using `az login`.
- Run the [attached shell script](/.attachments/create-azure-app-registrations.sh) to create 3 app registrations and enterprise applications. Make a note of the script's outputs, which are used in the next steps:
    - cdrplatform-api-access
    - cdrplatform-portal-access
    - cdrplatform-portal-client

```sh
bash create-azure-app-registrations.sh cleanroom.glasswall.com
```

By default the script creates all 3 registrations. To set up only one type of authentication, pass `--skip-api` to create just the Portal registrations, or `--skip-portal` to create just the API registration:

```sh
# Portal SSO only (skips api-access)
bash create-azure-app-registrations.sh --skip-api cleanroom.glasswall.com

# API authentication only (skips portal-access and portal-client)
bash create-azure-app-registrations.sh --skip-portal
```

## Portal authentication installation

To set up SSO with Azure AD in Glasswall Halo's portal:

1. SSH to the VM to run the commands below.

- **Note:** The cdrplatform-portal and cdrplatform-portal-access helm charts are present in the `/home/glasswall` directory.

2. Find the image tag of the portal in the cluster; you will assign it to the `image_tag` variable in the next step.

```sh
k get deploy portal  -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2
```
3. Deploy the portal with the Azure AD settings, making sure to assign the correct values to the variables below.

```sh
tenant_id=""
portal_domain=""
portal_client_id=""
portal_access_uri=""
image_tag=""
helm upgrade --install cdrplatform-portal cdrplatform-portal \
  --set image.repository=glasswallacr.azurecr.io/cdrplatform-portal \
  --set image.tag="${image_tag:?}" \
  --set image.pullPolicy=IfNotPresent \
  --set ingress.tls.enabled=true \
  --set ingress.tls.domain=${portal_domain:?} \
  --set ingress.tls.secretName=tls-secret \
  --set cloud_provider=local \
  --set resources.requests.cpu=500m \
  --set resources.requests.memory=500Mi \
  --set resources.limits.cpu=500m \
  --set resources.limits.memory=500Mi \
  --set securityContext.seccompProfile.type=RuntimeDefault \
  --set configuration.BackendScope="${portal_access_uri:?}/PortalUserScope" \
  --set configuration.BackendUrl="https://${portal_domain}" \
  --set configuration.EnabledPages="SystemSettings\,PolicySettings" \
  --set configuration.OIDC.ProviderOptions.Authority="https://login.microsoftonline.com/${tenant_id:?}/v2.0" \
  --set configuration.OIDC.ProviderOptions.RedirectUri="https://${portal_domain}/authentication/login-callback" \
  --set configuration.OIDC.ProviderOptions.ClientId="${portal_client_id:?}" \
  --set configuration.OIDC.ProviderOptions.PostLogoutRedirectUri="https://${portal_domain}/authentication/logout-callback" \
  --atomic
```

4. Find the image tag of portal-access in the cluster; you will assign it to the `image_tag` variable in the next step.

```sh
k get deploy portal-access  -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2
```

5. Deploy portal access with Azure AD configuration:

```sh
tenant_id=""
portal_domain=""
portal_access_uri=""
image_tag=""
helm upgrade --install cdrplatform-portal-access cdrplatform-portal-access \
  --set image.repository=glasswallacr.azurecr.io/cdrplatform-portal-access \
  --set image.tag="${image_tag:?}" \
  --set image.pullPolicy=IfNotPresent \
  --set ingress.tls.enabled=true \
  --set ingress.tls.domain=${portal_domain:?} \
  --set ingress.tls.secretName=tls-secret \
  --set cloud_provider=local \
  --set resources.requests.cpu=1 \
  --set resources.requests.memory=2Gi \
  --set resources.limits.cpu=1 \
  --set resources.limits.memory=2Gi \
  --set securityContext.seccompProfile.type=RuntimeDefault \
  --set configuration.AuthenticationScheme=Bearer \
  --set configuration.Authentication__Schemes__Bearer__ValidAudiences__0="${portal_access_uri}" \
  --set configuration.Authentication__Schemes__Bearer__ValidIssuer=https://sts.windows.net/${tenant_id:?}/ \
  --set configuration.Authentication__Schemes__Bearer__Authority=https://login.microsoftonline.com/${tenant_id}/v2.0/ \
  --atomic
```

6. Open the portal domain in a browser and click **Login with SSO** in the bottom left.

7. Log in through Azure AD and grant the app permissions for the organization.
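The two helm commands above fail late (after `--atomic` rolls back) if a variable is mistyped, and an Authority or RedirectUri built from a wrong value points the portal at the wrong tenant or at a host that is not registered as a reply URL. The pre-flight check below is an added example, not part of the Glasswall charts or the attached script; it validates the shape of `tenant_id`, `portal_domain`, `portal_client_id` and `portal_access_uri` before anything is deployed. The GUIDs and domain used in the demo call are constructed values.

```shell
#!/usr/bin/env bash
# Added pre-flight check (not part of the Glasswall charts or script): validates
# the variables the portal and portal-access helm commands consume so a typo is
# caught before helm deploys a portal pointing at the wrong tenant or host.

# Entra ID tenant and application (client) IDs are GUIDs.
is_guid() {
  printf '%s' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# ingress.tls.domain and the RedirectUri need a bare hostname: no scheme, no path.
is_hostname() {
  printf '%s' "$1" | grep -Eqi '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$'
}

# check_portal_vars TENANT_ID PORTAL_DOMAIN PORTAL_CLIENT_ID PORTAL_ACCESS_URI
# Returns 0 when every value is well-formed, 1 otherwise (reasons on stderr).
check_portal_vars() {
  local tenant_id="$1" portal_domain="$2" portal_client_id="$3" portal_access_uri="$4" ok=0
  is_guid "$tenant_id" \
    || { echo "tenant_id is not a GUID: '$tenant_id'" >&2; ok=1; }
  is_hostname "$portal_domain" \
    || { echo "portal_domain must be a bare hostname (no https://, no path): '$portal_domain'" >&2; ok=1; }
  is_guid "$portal_client_id" \
    || { echo "portal_client_id is not a GUID: '$portal_client_id'" >&2; ok=1; }
  case "$portal_access_uri" in
    "") echo "portal_access_uri is empty" >&2; ok=1 ;;
    # BackendScope appends /PortalUserScope, so a trailing slash yields a double slash.
    */) echo "portal_access_uri must not end with '/': '$portal_access_uri'" >&2; ok=1 ;;
  esac
  return "$ok"
}

# Constructed demo values (not a real tenant or app); real values come from the script output.
if check_portal_vars "00000000-0000-0000-0000-000000000000" "cleanroom.glasswall.com" \
     "11111111-1111-1111-1111-111111111111" "api://cdrplatform-portal-access"; then
  echo "portal variables look well-formed; safe to run helm upgrade"
fi
```

Run the check with the same four values you are about to export for steps 3 and 5; a non-zero exit means at least one value would have produced a broken Authority, RedirectUri or BackendScope.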

## API authentication

API authentication can be configured in one of two ways:
- [Basic authentication](#basic-authentication-installation)
- [Bearer authentication](#bearer-authentication-installation)

### Basic authentication installation

1. SSH to the VM to run the commands below.

**Note:** the cdrplatform-api-access Helm chart is present in the `/home/glasswall` directory.

2. Replace `<username>` and `<password>` in the commands below with the **Username** and **Password** to use. Use commas to separate multiple passwords.

```sh
bash add_secrets.sh organisation0-id <username>
bash add_secrets.sh organisation0-tokens <password>
```
3. Deploy API-access with basic authentication.

```sh
image_tag=$(k get deploy api-access  -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2)
enable_tls="true"  # or "false"
api_domain="" # ignore if enable_tls is false
helm upgrade --install cdrplatform-api-access cdrplatform-api-access \
  --set image.tag="${image_tag:?}" \
  --set image.pullPolicy=IfNotPresent \
  --set image.repository="glasswallacr.azurecr.io/cdrplatform-api-access" \
  --set ingress.tls.enabled="${enable_tls:?}" \
  --set ingress.tls.domain="${api_domain}" \
  --set configuration.CLIENTS__Policy__BaseAddress="http://policy-api:8080" \
  --set configuration.CLIENTS__License__BaseAddress="http://license-management.license-management.svc.cluster.local:8080" \
  --set configuration.CLIENTS__AsyncApi__BaseAddress="http://async-api:8080" \
  --set configuration.AuthenticationScheme="Basic" \
  --set cloud_provider=local \
  --set resources.requests.cpu=1 \
  --set resources.requests.memory=3Gi \
  --set resources.limits.cpu=1 \
  --set resources.limits.memory=3Gi \
  --set securityContext.seccompProfile.type=RuntimeDefault \
  --atomic
```

### Bearer authentication installation

1. Identify the `tenant_id` for the desired Azure tenant.

2. SSH to the VM to run the commands below.

**Note:** the cdrplatform-api-access Helm chart should be present in the `/home/glasswall` directory.

3. Deploy API-access with Azure AD configuration.

```sh
tenant_id=""
api_valid_audience="api://cdrplatform-api-access"
image_tag=$(k get deploy api-access  -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2)
enable_tls="true"  # or "false"
api_domain="" # ignore if enable_tls is false
helm upgrade --install cdrplatform-api-access cdrplatform-api-access \
  --set image.tag="${image_tag:?}" \
  --set image.pullPolicy=IfNotPresent \
  --set image.repository="glasswallacr.azurecr.io/cdrplatform-api-access" \
  --set ingress.tls.enabled="${enable_tls:?}" \
  --set ingress.tls.domain="${api_domain}" \
  --set configuration.CLIENTS__Policy__BaseAddress="http://policy-api:8080" \
  --set configuration.CLIENTS__License__BaseAddress="http://license-management.license-management.svc.cluster.local:8080" \
  --set configuration.CLIENTS__AsyncApi__BaseAddress="http://async-api:8080" \
  --set configuration.AuthenticationScheme="Bearer" \
  --set configuration.Authentication__Schemes__Bearer__ValidAudiences__0="${api_valid_audience}" \
  --set configuration.Authentication__Schemes__Bearer__ValidIssuer=https://sts.windows.net/${tenant_id}/ \
  --set configuration.Authentication__Schemes__Bearer__Authority=https://login.microsoftonline.com/${tenant_id}/v2.0/ \
  --set cloud_provider=local \
  --set resources.requests.cpu=1 \
  --set resources.requests.memory=3Gi \
  --set resources.limits.cpu=1 \
  --set resources.limits.memory=3Gi \
  --set securityContext.seccompProfile.type=RuntimeDefault \
  --atomic
```
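The `ValidIssuer` and `ValidAudiences__0` settings above are exact-match filters on the `iss` and `aud` claims of the bearer token: a token minted by another tenant, or issued for a different application ID URI, is rejected even though its signature is valid. The diagnostic below is an added example, not part of the Glasswall charts; it decodes a token's payload and compares those two claims with the configured values so a 401 can be traced to the wrong tenant or audience. It does not verify the signature (the API does that against the tenant's signing keys), and the tokens it builds are constructed, unsigned placeholders, not real Entra ID tokens.

```shell
#!/usr/bin/env bash
# Added diagnostic (not part of the Glasswall charts): decodes a bearer token's
# payload and compares iss/aud with the ValidIssuer and ValidAudiences values
# passed to helm. Signature verification is deliberately out of scope here.

# Base64url -> bytes: swap the URL alphabet back and restore stripped padding.
b64url_decode() {
  local s pad
  s=$(printf '%s' "$1" | tr '_-' '/+')
  pad=$(( (4 - ${#s} % 4) % 4 ))
  while [ "$pad" -gt 0 ]; do s="${s}="; pad=$((pad - 1)); done
  printf '%s' "$s" | base64 -d
}

# jwt_claim TOKEN NAME -> prints the string value of claim NAME from the payload.
# Only string-valued claims are handled; a JSON-array aud prints nothing.
jwt_claim() {
  local payload
  payload=$(printf '%s' "$1" | cut -d. -f2)
  b64url_decode "$payload" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# check_bearer_claims TOKEN VALID_ISSUER VALID_AUDIENCE -> 0 if both match, 1 otherwise.
check_bearer_claims() {
  local iss aud
  iss=$(jwt_claim "$1" iss)
  aud=$(jwt_claim "$1" aud)
  if [ "$iss" != "$2" ]; then
    echo "reject: iss '$iss' does not match ValidIssuer '$2'" >&2
    return 1
  fi
  if [ "$aud" != "$3" ]; then
    echo "reject: aud '$aud' does not match ValidAudiences '$3'" >&2
    return 1
  fi
  echo "accept: iss and aud match the configured values"
}

# Builds a constructed, unsigned token for the demo: header and signature are
# placeholders; a real Entra ID access token is RS256-signed.
demo_token() {
  local hdr pl
  hdr=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | base64 | tr -d '\n=' | tr '/+' '_-')
  pl=$(printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-')
  printf '%s.%s.%s' "$hdr" "$pl" "placeholder-signature"
}

tenant_id="00000000-0000-0000-0000-000000000000"   # constructed, not a real tenant
api_valid_audience="api://cdrplatform-api-access"
valid_issuer="https://sts.windows.net/${tenant_id}/"

# Token for this tenant and this API: accepted.
good=$(demo_token "{\"iss\":\"${valid_issuer}\",\"aud\":\"${api_valid_audience}\",\"sub\":\"demo\"}")
# Same audience but minted by a different (constructed) tenant: rejected.
other_tenant=$(demo_token "{\"iss\":\"https://sts.windows.net/11111111-1111-1111-1111-111111111111/\",\"aud\":\"${api_valid_audience}\"}")

check_bearer_claims "$good" "$valid_issuer" "$api_valid_audience"
check_bearer_claims "$other_tenant" "$valid_issuer" "$api_valid_audience" || true
```

Paste a real token (from a failing request) in place of the demo ones to see which claim the API's filter is rejecting. Note that Entra ID v1.0 access tokens carry `iss` in the `https://sts.windows.net/{tenant}/` form used by `ValidIssuer` above, whereas v2.0 tokens carry `https://login.microsoftonline.com/{tenant}/v2.0`; a token issued in the v2.0 format therefore fails this exact-match comparison, so the app registration's accepted token version and the configured issuer must agree.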

* * *

Congratulations, you have successfully deployed Glasswall Halo!