Step 4 - Authentication


Note: this page is for integrating Halo portal SSO login with Azure Entra ID.

Prerequisites

  • To use SSO, select a domain for the Portal.
  • Identify the tenant_id for the desired Azure tenant.
  • Ensure the AZ CLI is installed, then login with az login.
  • Run the attached shell script to create the three App registrations and Enterprise applications listed below, then save the script outputs for the next steps.
    • cdrplatform-api-access
    • cdrplatform-portal-access
    • cdrplatform-portal-client
bash create-azure-app-registrations.sh cleanroom.glasswall.com

Portal Authentication Installation

To set up SSO with Azure Entra ID in Glasswall Halo's portal:

  1. SSH to the VM to run the commands below.

Note: the cdrplatform-portal and cdrplatform-portal-access Helm charts are present in the /home/glasswall directory.

  2. Find the image tag of the portal in the cluster and set it as the image_tag variable.
k get deploy portal -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2
  3. Deploy the Portal with the Azure Entra ID settings, making sure to assign the correct values to the variables below.
tenant_id=""
portal_domain=""
portal_client_id=""
portal_access_uri=""
image_tag=""
helm upgrade --install cdrplatform-portal cdrplatform-portal \
  --set image.repository=glasswallacr.azurecr.io/cdrplatform-portal \
  --set image.tag="${image_tag:?}" \
  --set image.pullPolicy=IfNotPresent \
  --set ingress.tls.enabled=true \
  --set ingress.tls.domain=${portal_domain:?} \
  --set ingress.tls.secretName=tls-secret \
  --set cloud_provider=local \
  --set resources.requests.cpu=500m \
  --set resources.requests.memory=500Mi \
  --set resources.limits.cpu=500m \
  --set resources.limits.memory=500Mi \
  --set securityContext.seccompProfile.type=RuntimeDefault \
  --set configuration.BackendScope="${portal_access_uri}/PortalUserScope" \
  --set configuration.BackendUrl="https://${portal_domain}" \
  --set configuration.EnabledPages="SystemSettings\,PolicySettings" \
  --set configuration.OIDC.ProviderOptions.Authority="https://login.microsoftonline.com/${tenant_id:?}/v2.0" \
  --set configuration.OIDC.ProviderOptions.RedirectUri="https://${portal_domain}/authentication/login-callback" \
  --set configuration.OIDC.ProviderOptions.ClientId="${portal_client_id}" \
  --set configuration.OIDC.ProviderOptions.PostLogoutRedirectUri="https://${portal_domain}/authentication/logout-callback" \
  --atomic
  4. Find the image tag of portal-access in the cluster and set it as the image_tag variable.
k get deploy portal-access -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2
  5. Deploy Portal Access with the Azure Entra ID configuration.
tenant_id=""
portal_domain=""
portal_access_uri=""
image_tag=""
helm upgrade --install cdrplatform-portal-access cdrplatform-portal-access \
  --set image.repository=glasswallacr.azurecr.io/cdrplatform-portal-access \
  --set image.tag="${image_tag:?}" \
  --set image.pullPolicy=IfNotPresent \
  --set ingress.tls.enabled=true \
  --set ingress.tls.domain=${portal_domain:?} \
  --set ingress.tls.secretName=tls-secret \
  --set cloud_provider=local \
  --set resources.requests.cpu=1 \
  --set resources.requests.memory=2Gi \
  --set resources.limits.cpu=1 \
  --set resources.limits.memory=2Gi \
  --set securityContext.seccompProfile.type=RuntimeDefault \
  --set configuration.AuthenticationScheme=Bearer \
  --set configuration.Authentication__Schemes__Bearer__ValidAudiences__0="${portal_access_uri}" \
  --set configuration.Authentication__Schemes__Bearer__ValidIssuer=https://sts.windows.net/${tenant_id:?}/ \
  --set configuration.Authentication__Schemes__Bearer__Authority=https://login.microsoftonline.com/${tenant_id}/v2.0/ \
  --atomic
  6. Open the portal domain in a browser and click Login with SSO at the bottom left.

  7. Log in through Azure AD and grant the App permissions for the organization.

API Authentication

API authentication can be configured in one of two ways: Basic authentication, or Bearer authentication against Azure Entra ID.

Basic Authentication installation

  1. SSH to the VM to run the commands below.

Note: the cdrplatform-api-access helm chart is present in the /home/glasswall directory.

  2. Set the username and password in the command below. Use commas to separate multiple passwords.
secret_exists=$(kubectl get secret cdrplatform-secrets --ignore-not-found)
if [[ -z "$secret_exists" ]]; then
  kubectl create secret generic cdrplatform-secrets \
  --from-literal=organisation0-id=<username> \
  --from-literal=organisation0-tokens=<password>
else
  kubectl patch secret cdrplatform-secrets -p="{\"stringData\":{\"organisation0-id\": \"<username>\",\"organisation0-tokens\": \"<password>\"}}"
fi
  3. Find the image tag of api-access in the cluster and set it as the image_tag variable.
k get deploy api-access -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2
  4. Deploy api-access with Basic authentication.
image_tag=""
enable_tls="true|false"
api_domain="" # ignore if enable_tls is false
helm upgrade --install cdrplatform-api-access cdrplatform-api-access \
  --set image.tag="${image_tag:?}" \
  --set image.pullPolicy=IfNotPresent \
  --set image.repository="glasswallacr.azurecr.io/cdrplatform-api-access" \
  --set ingress.tls.enabled="${enable_tls:?}" \
  --set ingress.tls.domain="${api_domain}" \
  --set configuration.CLIENTS__Policy__BaseAddress="http://policy-api:8080" \
  --set configuration.CLIENTS__License__BaseAddress="http://license-management.license-management.svc.cluster.local:8080" \
  --set configuration.CLIENTS__AsyncApi__BaseAddress="http://async-api:8080" \
  --set configuration.AuthenticationScheme="Basic" \
  --set cloud_provider=local \
  --set resources.requests.cpu=1 \
  --set resources.requests.memory=3Gi \
  --set resources.limits.cpu=1 \
  --set resources.limits.memory=3Gi \
  --set securityContext.seccompProfile.type=RuntimeDefault \
  --atomic

Bearer Authentication installation

  1. Identify the tenant_id for the desired Azure tenant.

  2. SSH to the VM to run the commands below.

Note: the cdrplatform-api-access helm chart should be present in the /home/glasswall directory.

  3. Get the api-access image tag from the cluster and set it as the image_tag variable.
k get deploy api-access -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2
  4. Deploy api-access with the Azure AD configuration.
tenant_id=""
api_valid_audience="api://cdrplatform-api-access"
image_tag=""
enable_tls="true|false"
api_domain="" # ignore if enable_tls is false
helm upgrade --install cdrplatform-api-access cdrplatform-api-access \
  --set image.tag="${image_tag:?}" \
  --set image.pullPolicy=IfNotPresent \
  --set image.repository="glasswallacr.azurecr.io/cdrplatform-api-access" \
  --set ingress.tls.enabled="${enable_tls:?}" \
  --set ingress.tls.domain="${api_domain}" \
  --set configuration.CLIENTS__Policy__BaseAddress="http://policy-api:8080" \
  --set configuration.CLIENTS__License__BaseAddress="http://license-management.license-management.svc.cluster.local:8080" \
  --set configuration.CLIENTS__AsyncApi__BaseAddress="http://async-api:8080" \
  --set configuration.AuthenticationScheme="Bearer" \
  --set configuration.Authentication__Schemes__Bearer__ValidAudiences__0="${api_valid_audience}" \
  --set configuration.Authentication__Schemes__Bearer__ValidIssuer=https://sts.windows.net/${tenant_id}/ \
  --set configuration.Authentication__Schemes__Bearer__Authority=https://login.microsoftonline.com/${tenant_id}/v2.0/ \
  --set cloud_provider=local \
  --set resources.requests.cpu=1 \
  --set resources.requests.memory=3Gi \
  --set resources.limits.cpu=1 \
  --set resources.limits.memory=3Gi \
  --set securityContext.seccompProfile.type=RuntimeDefault \
  --atomic
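As an added diagnostic (not part of the Glasswall documentation or product), the Python below mirrors the issuer and audience checks that the Bearer scheme applies for both portal-access (ValidAudiences set to portal_access_uri) and api-access (api_valid_audience): it decodes a token's claims and compares them with the values derived from tenant_id, which helps explain 401 responses caused by a mismatched ValidIssuer or ValidAudiences. The tenant id and token are constructed sample values, and the signature is deliberately not verified; the services themselves verify it against the Authority's signing keys.

```python
import base64
import json
import time

# Constructed placeholder values; substitute the tenant_id and audience used in the Helm command.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
API_VALID_AUDIENCE = "api://cdrplatform-api-access"


def expected_issuer(tenant_id: str) -> str:
    """Issuer string the chart sets as Authentication__Schemes__Bearer__ValidIssuer."""
    return f"https://sts.windows.net/{tenant_id}/"


def decode_segment(segment: str) -> dict:
    """Decode one base64url JWT segment (header or payload); no signature check."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_token_claims(token: str, tenant_id: str, valid_audiences: list, now=None) -> list:
    """Return the mismatches between the token's claims and the configured ValidIssuer /
    ValidAudiences, plus an expiry check. An empty list means the claims line up."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["token does not have three dot-separated segments"]
    payload = decode_segment(parts[1])
    problems = []
    if payload.get("iss") != expected_issuer(tenant_id):
        problems.append(f"iss {payload.get('iss')!r} != ValidIssuer {expected_issuer(tenant_id)!r}")
    aud = payload.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(a in valid_audiences for a in auds):
        problems.append(f"aud {aud!r} not in ValidAudiences {valid_audiences!r}")
    if payload.get("exp", 0) <= now:
        problems.append("token is expired (exp is in the past)")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token (alg none) purely to exercise the check."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    sample = make_unsigned_token({"iss": expected_issuer(TENANT_ID), "aud": API_VALID_AUDIENCE, "exp": 4102444800})
    print(check_token_claims(sample, TENANT_ID, [API_VALID_AUDIENCE]) or "claims match the chart configuration")
```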


Congratulations, you have successfully deployed Glasswall Halo! We would love to get your thoughts on the setup process and how we can improve it, using the feedback option below.