Step 4 - Authentication
    Prerequisites

    • To use SSO, select a domain for the Portal.
    • Identify the tenant_id for the desired Azure tenant.
    • Ensure the Azure CLI (az) is installed, then log in with az login.
    • Run the attached shell script to create the three App registrations and Enterprise applications listed below, then save the script outputs; the next steps need them.
      • cdrplatform-api-access
      • cdrplatform-portal-access
      • cdrplatform-portal-client
    bash create-azure-app-registrations.sh cleanroom.glasswall.com
    

    Portal Authentication Installation

    To set up SSO with Azure AD in Glasswall Halo's portal:

    1. SSH to the VM to run the commands below.

    Note: the cdrplatform-portal and cdrplatform-portal-access Helm charts are present in the /home/glasswall directory.

    2. Find the image tag of the portal in the cluster and set it as the image_tag variable.
    k get deploy portal  -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2
    
    3. Deploy the Portal with Azure AD settings, making sure to assign the correct values to the variables below.
    tenant_id=""
    portal_domain=""
    portal_client_id=""
    portal_access_uri=""
    image_tag=""
    helm upgrade --install cdrplatform-portal cdrplatform-portal \
      --set image.repository=glasswallacr.azurecr.io/cdrplatform-portal \
      --set image.tag="${image_tag:?}" \
      --set image.pullPolicy=IfNotPresent \
      --set ingress.tls.enabled=true \
      --set ingress.tls.domain=${portal_domain:?} \
      --set ingress.tls.secretName=tls-secret \
      --set cloud_provider=local \
      --set resources.requests.cpu=500m \
      --set resources.requests.memory=500Mi \
      --set resources.limits.cpu=500m \
      --set resources.limits.memory=500Mi \
      --set securityContext.seccompProfile.type=RuntimeDefault \
      --set configuration.BackendScope="${portal_access_uri}/PortalUserScope" \
      --set configuration.BackendUrl="https://${portal_domain}" \
      --set configuration.EnabledPages="SystemSettings\,PolicySettings" \
      --set configuration.OIDC.ProviderOptions.Authority="https://login.microsoftonline.com/${tenant_id:?}/v2.0" \
      --set configuration.OIDC.ProviderOptions.RedirectUri="https://${portal_domain}/authentication/login-callback" \
      --set configuration.OIDC.ProviderOptions.ClientId="${portal_client_id}" \
      --set configuration.OIDC.ProviderOptions.PostLogoutRedirectUri="https://${portal_domain}/authentication/logout-callback" \
      --atomic
    
    4. Find the image tag of portal-access in the cluster and set it as the image_tag variable.
    k get deploy portal-access  -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2
    
    5. Deploy Portal Access with Azure AD configuration.
    tenant_id=""
    portal_domain=""
    portal_access_uri=""
    image_tag=""
    helm upgrade --install cdrplatform-portal-access cdrplatform-portal-access \
      --set image.repository=glasswallacr.azurecr.io/cdrplatform-portal-access \
      --set image.tag="${image_tag:?}" \
      --set image.pullPolicy=IfNotPresent \
      --set ingress.tls.enabled=true \
      --set ingress.tls.domain=${portal_domain:?} \
      --set ingress.tls.secretName=tls-secret \
      --set cloud_provider=local \
      --set resources.requests.cpu=1 \
      --set resources.requests.memory=2Gi \
      --set resources.limits.cpu=1 \
      --set resources.limits.memory=2Gi \
      --set securityContext.seccompProfile.type=RuntimeDefault \
      --set configuration.AuthenticationScheme=Bearer \
      --set configuration.Authentication__Schemes__Bearer__ValidAudiences__0="${portal_access_uri}" \
      --set configuration.Authentication__Schemes__Bearer__ValidIssuer=https://sts.windows.net/${tenant_id:?}/ \
      --set configuration.Authentication__Schemes__Bearer__Authority=https://login.microsoftonline.com/${tenant_id}/v2.0/ \
      --atomic
    
    6. Open the portal domain in a browser and click Login with SSO at the bottom left.

    7. Log in through Azure AD and grant the app permissions for the organization.

    API Authentication

    API authentication can be configured in one of two ways: Basic authentication, or Bearer authentication against Azure AD.

    Basic Authentication installation

    1. SSH to the VM to run the commands below.

    Note: the cdrplatform-api-access Helm chart is present in the /home/glasswall directory.

    2. Replace <username> and <password> in the command below. Use commas to separate multiple passwords.
    secret_exists=$(kubectl get secret cdrplatform-secrets --ignore-not-found)
    if [[ -z "$secret_exists" ]]; then
      kubectl create secret generic cdrplatform-secrets \
      --from-literal=organisation0-id=<username> \
      --from-literal=organisation0-tokens=<password>
    else
      kubectl patch secret cdrplatform-secrets -p="{\"stringData\":{\"organisation0-id\": \"<username>\",\"organisation0-tokens\": \"<password>\"}}"
    fi
    
    3. To set an API key for Menlo, create or update cdrplatform-secrets with a menlo-api-key entry, and set menlo_api_authentication to ApiKey in the deployment step below. Clients calling the Menlo API must then send the base64-encoded ApiKey as a Bearer token in the Authorization header.
    secret_exists=$(kubectl get secret cdrplatform-secrets --ignore-not-found)
    if [[ -z "$secret_exists" ]]; then
      kubectl create secret generic cdrplatform-secrets \
      --from-literal=menlo-api-key=<menlo-api-key>
    else
      kubectl patch secret cdrplatform-secrets -p="{\"stringData\":{\"menlo-api-key\": \"<menlo-api-key>\"}}"
    fi
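
    The two create-or-patch snippets above splice the username, password and API key straight into a JSON string, so a value containing a double quote or a backslash produces an invalid patch, and an accidentally empty value is accepted silently. The following is an added example, not part of the Glasswall documentation or charts: it keeps the same create-if-missing-else-patch flow against the cdrplatform-secrets Secret named on the page, but escapes each value for JSON, refuses empty values, and uses an explicit JSON merge patch. It assumes kubectl is on PATH with the current context pointing at the Halo cluster.

```shell
#!/usr/bin/env bash
# Create-or-update keys in the cdrplatform-secrets Secret without hand-escaping JSON.
# Added example (not from the Glasswall docs); assumes kubectl targets the Halo cluster.
set -euo pipefail

SECRET_NAME="cdrplatform-secrets"   # Secret name used by the api-access chart on this page

# Escape a string for use inside a JSON string literal (backslash, quote, control chars).
json_escape() {
  local s=$1
  s=${s//\\/\\\\}      # backslash must be escaped first
  s=${s//\"/\\\"}      # double quote
  s=${s//$'\n'/\\n}    # newline
  s=${s//$'\r'/\\r}    # carriage return
  s=${s//$'\t'/\\t}    # tab
  printf '%s' "$s"
}

# Build a JSON merge-patch body {"stringData":{k:v,...}} from key=value arguments.
build_string_data_patch() {
  local out="" kv key val
  [ $# -gt 0 ] || { echo "no key=value pairs given" >&2; return 1; }
  for kv in "$@"; do
    [[ $kv == *=* ]] || { echo "expected key=value, got '$kv'" >&2; return 1; }
    key=${kv%%=*}
    val=${kv#*=}
    [ -n "$key" ] || { echo "empty key in '$kv'" >&2; return 1; }
    [ -n "$val" ] || { echo "refusing empty value for '$key'" >&2; return 1; }
    out+="${out:+,}\"$(json_escape "$key")\":\"$(json_escape "$val")\""
  done
  printf '{"stringData":{%s}}' "$out"
}

# Create the Secret if it is absent, otherwise merge the given keys into it.
upsert_secret_keys() {
  local patch kv args=()
  patch=$(build_string_data_patch "$@") || return 1
  if [ -z "$(kubectl get secret "$SECRET_NAME" --ignore-not-found)" ]; then
    for kv in "$@"; do args+=("--from-literal=$kv"); done
    kubectl create secret generic "$SECRET_NAME" "${args[@]}"
  else
    kubectl patch secret "$SECRET_NAME" --type=merge -p "$patch"
  fi
}

# Usage: bash upsert-secret.sh --apply organisation0-id=<username> organisation0-tokens=<password>
if [ "${1:-}" = "--apply" ]; then
  shift
  upsert_secret_keys "$@"
fi
```

    Passing every key in one call (for example organisation0-id, organisation0-tokens and menlo-api-key together) keeps a single patch per change; the merge patch only touches the keys it names, so existing keys in the Secret are left intact.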
    
    4. Find the image tag of api-access in the cluster and set it as the image_tag variable.
    k get deploy api-access  -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2
    
    5. Deploy api-access with Basic authentication.
    image_tag=""
    menlo_api_authentication="None|ApiKey"   # choose one; ApiKey requires the menlo-api-key secret entry
    enable_tls="true|false"                  # choose one
    api_domain=""                            # ignore if enable_tls is false
    helm upgrade --install cdrplatform-api-access cdrplatform-api-access \
      --set image.tag="${image_tag:?}" \
      --set image.pullPolicy=IfNotPresent \
      --set image.repository="glasswallacr.azurecr.io/cdrplatform-api-access" \
      --set ingress.tls.enabled="${enable_tls:?}" \
      --set ingress.tls.domain="${api_domain}" \
      --set configuration.CLIENTS__Policy__BaseAddress="http://policy-api:8080" \
      --set configuration.CLIENTS__License__BaseAddress="http://license-management.license-management.svc.cluster.local:8080" \
      --set configuration.CLIENTS__AsyncApi__BaseAddress="http://async-api:8080" \
      --set configuration.AuthenticationScheme="Basic" \
      --set configuration.MenloAuthenticationScheme="${menlo_api_authentication}" \
      --set cloud_provider=local \
      --set resources.requests.cpu=1 \
      --set resources.requests.memory=3Gi \
      --set resources.limits.cpu=1 \
      --set resources.limits.memory=3Gi \
      --set securityContext.seccompProfile.type=RuntimeDefault \
      --atomic
    

    Bearer Authentication installation

    1. Identify the tenant_id for the desired Azure tenant.

    2. SSH to the VM to run the commands below.

    Note: the cdrplatform-api-access Helm chart should be present in the /home/glasswall directory.

    3. Get the api-access image tag from the cluster and set it as the image_tag variable.
    k get deploy api-access  -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2
    
    4. Deploy api-access with Azure AD configuration.
    tenant_id=""
    api_valid_audience="api://cdrplatform-api-access"
    image_tag=""
    menlo_api_authentication="None|ApiKey"   # choose one; ApiKey requires the menlo-api-key secret entry
    enable_tls="true|false"                  # choose one
    api_domain=""                            # ignore if enable_tls is false
    helm upgrade --install cdrplatform-api-access cdrplatform-api-access \
      --set image.tag="${image_tag:?}" \
      --set image.pullPolicy=IfNotPresent \
      --set image.repository="glasswallacr.azurecr.io/cdrplatform-api-access" \
      --set ingress.tls.enabled="${enable_tls:?}" \
      --set ingress.tls.domain="${api_domain}" \
      --set configuration.CLIENTS__Policy__BaseAddress="http://policy-api:8080" \
      --set configuration.CLIENTS__License__BaseAddress="http://license-management.license-management.svc.cluster.local:8080" \
      --set configuration.CLIENTS__AsyncApi__BaseAddress="http://async-api:8080" \
      --set configuration.AuthenticationScheme="Bearer" \
      --set configuration.MenloAuthenticationScheme="${menlo_api_authentication}" \
      --set configuration.Authentication__Schemes__Bearer__ValidAudiences__0="${api_valid_audience}" \
      --set configuration.Authentication__Schemes__Bearer__ValidIssuer=https://sts.windows.net/${tenant_id:?}/ \
      --set configuration.Authentication__Schemes__Bearer__Authority=https://login.microsoftonline.com/${tenant_id}/v2.0/ \
      --set cloud_provider=local \
      --set resources.requests.cpu=1 \
      --set resources.requests.memory=3Gi \
      --set resources.limits.cpu=1 \
      --set resources.limits.memory=3Gi \
      --set securityContext.seccompProfile.type=RuntimeDefault \
      --atomic
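
    Both Bearer deployments on this page (Portal Access above, and api-access here) accept a token only when its iss claim equals the configured ValidIssuer https://sts.windows.net/<tenant_id>/ and its aud claim equals the configured ValidAudiences entry (the portal_access_uri for Portal Access, api_valid_audience for api-access). The following is an added troubleshooting example, not part of the Glasswall documentation: it validates that tenant_id is a GUID, decodes the payload of a JWT without any signature check, and compares iss and aud against the values the Helm commands build. The sample token at the bottom is constructed inline with an all-zero placeholder tenant and no real signature; the script needs only bash, coreutils base64 and sed.

```shell
#!/usr/bin/env bash
# Compare a bearer token's iss/aud claims with the api-access / portal-access configuration.
# Added example (not from the Glasswall docs); decodes the payload only, no signature check.
set -euo pipefail

# tenant_id must be a GUID; anything else yields a malformed issuer URL.
valid_tenant_id() {
  [[ $1 =~ ^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$ ]]
}

# Issuer and authority strings exactly as the Helm commands on this page build them.
expected_issuer()    { printf 'https://sts.windows.net/%s/' "$1"; }
expected_authority() { printf 'https://login.microsoftonline.com/%s/v2.0/' "$1"; }

# base64url -> bytes: swap the URL-safe alphabet back and restore padding.
b64url_decode() {
  local s=${1//-/+}
  s=${s//_/\/}
  case $(( ${#s} % 4 )) in 2) s+="==";; 3) s+="=";; esac
  printf '%s' "$s" | base64 -d
}

# Decoded payload (second dot-separated part) of a compact JWT.
jwt_payload() {
  local parts
  IFS=. read -r -a parts <<<"$1"
  [ ${#parts[@]} -eq 3 ] || return 1
  b64url_decode "${parts[1]}"
}

# Extract a plain string claim from the JSON payload (no jq dependency).
jwt_claim() { printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"; }

# 0 when iss and aud match the configured tenant and audience, 1 on mismatch, 2 on bad input.
token_matches_config() {
  local token=$1 tenant_id=$2 audience=$3 payload iss aud
  valid_tenant_id "$tenant_id" || { echo "tenant_id is not a GUID" >&2; return 2; }
  payload=$(jwt_payload "$token") || { echo "not a compact JWT" >&2; return 2; }
  iss=$(jwt_claim "$payload" iss)
  aud=$(jwt_claim "$payload" aud)
  [ "$iss" = "$(expected_issuer "$tenant_id")" ] || { echo "iss mismatch: $iss" >&2; return 1; }
  [ "$aud" = "$audience" ] || { echo "aud mismatch: $aud" >&2; return 1; }
}

# Constructed sample: placeholder tenant, unsigned token, for offline use only.
SAMPLE_TENANT="00000000-0000-0000-0000-000000000000"
b64url() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }
SAMPLE_TOKEN="$(b64url '{"alg":"none","typ":"JWT"}').$(b64url "{\"aud\":\"api://cdrplatform-api-access\",\"iss\":\"https://sts.windows.net/${SAMPLE_TENANT}/\"}").sig"

# Usage: bash token-check.sh <jwt> <tenant_id> <expected_audience>
if [ $# -eq 3 ]; then
  token_matches_config "$1" "$2" "$3" && echo "iss and aud match the configured values"
fi
```

    A mismatch reported here explains most 401 responses after a Bearer deployment. Note that the chart values pair the v2.0 Authority with the v1.0-style issuer https://sts.windows.net/<tenant_id>/; a token whose iss reads https://login.microsoftonline.com/<tenant_id>/v2.0 was issued under the v2.0 issuer format and will not equal the configured ValidIssuer, so the token's issuer version and the App registration's settings have to agree with what is deployed.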
    


    Congratulations, you have successfully deployed Glasswall Halo! We would love to get your thoughts on the setup process and how we can improve it, using the feedback option below.