Note: this page is for integrating Halo portal SSO login with Azure Entra ID.
Prerequisites
- To use SSO, select a domain for the Portal.
- Identify the tenant_id for the desired Azure tenant.
- Ensure the AZ CLI is installed, then log in with az login.
- Run the attached shell script to create 3 App registrations and Enterprise applications, then save the script outputs for the next steps:
  - cdrplatform-api-access
  - cdrplatform-portal-access
  - cdrplatform-portal-client
bash create-azure-app-registrations.sh cleanroom.glasswall.com
Portal Authentication Installation
To set up SSO with Azure in Glasswall Halo's portal:
- SSH to the VM to run the commands below.
Note: the cdrplatform-portal and cdrplatform-portal-access Helm charts are present in the /home/glasswall directory.
- Find the image tag of the portal in the cluster and set it as the image_tag variable.
k get deploy portal -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2
- Deploy the Portal with Azure AD settings, making sure to assign the correct values to the variables below.
tenant_id=""
portal_domain=""
portal_client_id=""
portal_access_uri=""
image_tag=""
helm upgrade --install cdrplatform-portal cdrplatform-portal \
--set image.repository=glasswallacr.azurecr.io/cdrplatform-portal \
--set image.tag="${image_tag:?}" \
--set image.pullPolicy=IfNotPresent \
--set ingress.tls.enabled=true \
--set ingress.tls.domain=${portal_domain:?} \
--set ingress.tls.secretName=tls-secret \
--set cloud_provider=local \
--set resources.requests.cpu=500m \
--set resources.requests.memory=500Mi \
--set resources.limits.cpu=500m \
--set resources.limits.memory=500Mi \
--set securityContext.seccompProfile.type=RuntimeDefault \
--set configuration.BackendScope="${portal_access_uri}/PortalUserScope" \
--set configuration.BackendUrl="https://${portal_domain}" \
--set configuration.EnabledPages="SystemSettings\,PolicySettings" \
--set configuration.OIDC.ProviderOptions.Authority="https://login.microsoftonline.com/${tenant_id:?}/v2.0" \
--set configuration.OIDC.ProviderOptions.RedirectUri="https://${portal_domain}/authentication/login-callback" \
--set configuration.OIDC.ProviderOptions.ClientId="${portal_client_id}" \
--set configuration.OIDC.ProviderOptions.PostLogoutRedirectUri="https://${portal_domain}/authentication/logout-callback" \
--atomic
- Find the image tag of portal-access in the cluster and set it as the image_tag variable.
k get deploy portal-access -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2
- Deploy Portal Access with Azure AD configuration.
tenant_id=""
portal_domain=""
portal_access_uri=""
image_tag=""
helm upgrade --install cdrplatform-portal-access cdrplatform-portal-access \
--set image.repository=glasswallacr.azurecr.io/cdrplatform-portal-access \
--set image.tag="${image_tag:?}" \
--set image.pullPolicy=IfNotPresent \
--set ingress.tls.enabled=true \
--set ingress.tls.domain=${portal_domain:?} \
--set ingress.tls.secretName=tls-secret \
--set cloud_provider=local \
--set resources.requests.cpu=1 \
--set resources.requests.memory=2Gi \
--set resources.limits.cpu=1 \
--set resources.limits.memory=2Gi \
--set securityContext.seccompProfile.type=RuntimeDefault \
--set configuration.AuthenticationScheme=Bearer \
--set configuration.Authentication__Schemes__Bearer__ValidAudiences__0="${portal_access_uri}" \
--set configuration.Authentication__Schemes__Bearer__ValidIssuer=https://sts.windows.net/${tenant_id:?}/ \
--set configuration.Authentication__Schemes__Bearer__Authority=https://login.microsoftonline.com/${tenant_id}/v2.0/ \
--atomic
- Open the portal domain in a browser and click Login with SSO at the bottom left.
- Log in through Azure AD and grant the App permissions for the organization.
API Authentication
API authentication can be configured in 2 ways: Basic or Bearer.
Basic Authentication installation
- SSH to the VM to run the commands below.
Note: the cdrplatform-api-access Helm chart is present in the /home/glasswall directory.
- Set the username and password in the command below. Use commas to separate multiple passwords.
secret_exists=$(kubectl get secret cdrplatform-secrets --ignore-not-found)
if [[ -z "$secret_exists" ]]; then
kubectl create secret generic cdrplatform-secrets \
--from-literal=organisation0-id=<username> \
--from-literal=organisation0-tokens=<password>
else
kubectl patch secret cdrplatform-secrets -p="{\"stringData\":{\"organisation0-id\": \"<username>\",\"organisation0-tokens\": \"<password>\"}}"
fi
- Find the image tag of api-access in the cluster and set it as the image_tag variable.
k get deploy api-access -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2
- Deploy api-access with Basic authentication.
image_tag=""
enable_tls="true|false"
api_domain="" # ignore if enable_tls is false
helm upgrade --install cdrplatform-api-access cdrplatform-api-access \
--set image.tag="${image_tag:?}" \
--set image.pullPolicy=IfNotPresent \
--set image.repository="glasswallacr.azurecr.io/cdrplatform-api-access" \
--set ingress.tls.enabled="${enable_tls:?}" \
--set ingress.tls.domain="${api_domain}" \
--set configuration.CLIENTS__Policy__BaseAddress="http://policy-api:8080" \
--set configuration.CLIENTS__License__BaseAddress="http://license-management.license-management.svc.cluster.local:8080" \
--set configuration.CLIENTS__AsyncApi__BaseAddress="http://async-api:8080" \
--set configuration.AuthenticationScheme="Basic" \
--set cloud_provider=local \
--set resources.requests.cpu=1 \
--set resources.requests.memory=3Gi \
--set resources.limits.cpu=1 \
--set resources.limits.memory=3Gi \
--set securityContext.seccompProfile.type=RuntimeDefault \
--atomic
Bearer Authentication installation
- Identify the tenant_id for the desired Azure tenant.
- SSH to the VM to run the commands below.
Note: the cdrplatform-api-access Helm chart should be present in the /home/glasswall directory.
- Get the api-access image tag from the cluster and set it as the image_tag variable.
k get deploy api-access -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2
- Deploy api-access with Azure AD configuration.
tenant_id=""
api_valid_audience="api://cdrplatform-api-access"
image_tag=""
enable_tls="true|false"
api_domain="" # ignore if enable_tls is false
helm upgrade --install cdrplatform-api-access cdrplatform-api-access \
--set image.tag="${image_tag:?}" \
--set image.pullPolicy=IfNotPresent \
--set image.repository="glasswallacr.azurecr.io/cdrplatform-api-access" \
--set ingress.tls.enabled="${enable_tls:?}" \
--set ingress.tls.domain="${api_domain}" \
--set configuration.CLIENTS__Policy__BaseAddress="http://policy-api:8080" \
--set configuration.CLIENTS__License__BaseAddress="http://license-management.license-management.svc.cluster.local:8080" \
--set configuration.CLIENTS__AsyncApi__BaseAddress="http://async-api:8080" \
--set configuration.AuthenticationScheme="Bearer" \
--set configuration.Authentication__Schemes__Bearer__ValidAudiences__0="${api_valid_audience}" \
--set configuration.Authentication__Schemes__Bearer__ValidIssuer=https://sts.windows.net/${tenant_id:?}/ \
--set configuration.Authentication__Schemes__Bearer__Authority=https://login.microsoftonline.com/${tenant_id}/v2.0/ \
--set cloud_provider=local \
--set resources.requests.cpu=1 \
--set resources.requests.memory=3Gi \
--set resources.limits.cpu=1 \
--set resources.limits.memory=3Gi \
--set securityContext.seccompProfile.type=RuntimeDefault \
--atomic
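Both Bearer deployments above (portal-access and api-access) pin ValidIssuer to the v1.0 issuer form https://sts.windows.net/{tenant}/ while Authority points at the v2.0 endpoint, and a token whose iss or aud claim does not match these values is rejected with a 401. The following added diagnostic (not part of the Glasswall documentation or charts) decodes a token's payload without verifying its signature and reports which configured value it disagrees with; the tenant_id GUID and the sample tokens are constructed.

```python
import base64
import json

# Constructed sample values (not from the page); the tenant_id is a placeholder GUID.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
VALID_AUDIENCE = "api://cdrplatform-api-access"
VALID_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"  # v1.0 issuer form used by the Helm values


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def tenant_issuers(tenant_id: str) -> dict[str, str]:
    """Issuer strings Entra ID emits for one tenant; v1.0 and v2.0 tokens differ."""
    return {
        "v1.0": f"https://sts.windows.net/{tenant_id}/",
        "v2.0": f"https://login.microsoftonline.com/{tenant_id}/v2.0",
    }


def check_claims(token: str, tenant_id: str, valid_issuer: str, valid_audience: str) -> list[str]:
    """Decode the payload (no signature check) and list mismatches against the configured values."""
    _header, payload, _signature = token.split(".")
    claims = json.loads(b64url_decode(payload))
    problems = []
    iss = claims.get("iss")
    if iss != valid_issuer:
        versions = [v for v, u in tenant_issuers(tenant_id).items() if u == iss]
        hint = f" (this is the tenant's {versions[0]} issuer; ValidIssuer uses the other format)" if versions else ""
        problems.append(f"iss {iss!r} does not match ValidIssuer {valid_issuer!r}{hint}")
    auds = claims.get("aud", [])
    auds = auds if isinstance(auds, list) else [auds]  # aud may be a string or a list
    if valid_audience not in auds:
        problems.append(f"aud {auds!r} does not contain ValidAudiences__0 {valid_audience!r}")
    return problems


def unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for offline testing (the signature segment is a dummy)."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}.dummysig"


def demo() -> tuple[list[str], list[str]]:
    """Check one token shaped like a v1.0 token and one shaped like a v2.0 token."""
    v1 = unsigned_token({"iss": tenant_issuers(TENANT_ID)["v1.0"], "aud": VALID_AUDIENCE})
    v2 = unsigned_token({"iss": tenant_issuers(TENANT_ID)["v2.0"], "aud": [VALID_AUDIENCE]})
    return (check_claims(v1, TENANT_ID, VALID_ISSUER, VALID_AUDIENCE),
            check_claims(v2, TENANT_ID, VALID_ISSUER, VALID_AUDIENCE))
```

Paste a real access token from the failing client into check_claims with the tenant_id and audience you passed to Helm; an empty list means the issuer and audience match and the 401 has another cause (signature, expiry, or scope).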
Congratulations, you have successfully deployed Glasswall Halo! We would love to get your thoughts on the setup process and how we can improve it, using the feedback option below.