
Single Sign On with a Hybrid Cloud




Presentation Transcript


  1. Single Sign On with a Hybrid Cloud. By Miguel Zuniga

  2. Who am I
     Name: Miguel Zuniga
     Occupation: Software and Infrastructure
     Level: From engineer to director (hands on)
     More info at: https://www.linkedin.com/in/miguelzuniga

  3. Agenda
     • Why use Single Sign On?
     • IDP and SP
     • SAML, OAuth2 and OIDC
     • SSO Architectures
     • SSO and OpenStack
     • SSO and AWS
     • Extra Bonus - SSO for Applications
     • Extra Bonus - SSO and k8s
     • Demo

  4. Why use Single Sign On?
     • Simplify user management.
     • Single point for authentication and authorization for all systems.
     • Single framework for authentication.
     • Supports multiple protocols.
     • Users and Operations will thank you.
     • Security compliance and audits become easier.

  5. IDP and SP: SSO Components
     Identity Provider
     • Does the user management
     • Takes care of authentication
     Service Provider
     • Provides a service/resource to users
     • Verifies that the user has a valid token/authn/authz

  6. SAML, OAuth2 and OIDC

  7. SSO Arch

  8. SSO and OpenStack
     Quick how to do it:
     • Set up Apache mellon (mod_auth_mellon)
     • Configure keystone.conf
     • Configure horizon local_settings
     • Run keycloak-httpd-client-install
     • Create the federated domain
     • Create the federated project
     • Create a federated group
     • Add role member/users to the group
     • Create the identity provider
     • Create a set of mapping rules
     • Create the protocol that links the IdP with the mapping rules
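The "create a set of mapping rules" step is the one most often got wrong, because a rule that does not match silently yields an unauthorized federated login. The following is an added example, not code from the talk or from Keystone: a simplified re-implementation of how Keystone's federation mapping engine evaluates rules (remote requirements with `any_one_of` / `not_any_of` / `regex`, direct `{0}` substitution into local user and group entries). The attribute names (REMOTE_USER, GROUPS), the domain and group names, and the semicolon-separated multi-valued attribute convention are assumptions for the demo; check them against the keystone.conf and mellon settings of a real deployment.

```python
import re
from typing import Any, Dict, List, Optional

# Assumption: multi-valued assertion attributes arrive joined with ';' (mellon/keystone convention)
VALUE_SEPARATOR = ";"


def split_assertion(assertion: Dict[str, str]) -> Dict[str, List[str]]:
    """Turn the raw environment-style assertion into attribute -> list of values."""
    return {name: value.split(VALUE_SEPARATOR) for name, value in assertion.items()}


def _requirement_matches(req: Dict[str, Any], values: List[str]) -> bool:
    """Evaluate one 'remote' entry (any_one_of / not_any_of, optionally regex) against the values."""
    use_regex = bool(req.get("regex"))

    def any_match(patterns: List[str]) -> bool:
        return any((re.search(p, v) if use_regex else p == v) for p in patterns for v in values)

    if "any_one_of" in req:
        return any_match(req["any_one_of"])
    if "not_any_of" in req:
        return not any_match(req["not_any_of"])
    return True  # plain {"type": ...} entry: existence is enough, value becomes a direct map


def evaluate_rule(rule: Dict[str, Any], assertion: Dict[str, List[str]]) -> Optional[List[Any]]:
    """Return the direct-map values ({0}, {1}, ...) if every remote requirement holds, else None."""
    direct_maps: List[Any] = []
    for req in rule["remote"]:
        values = assertion.get(req["type"])
        if values is None or not _requirement_matches(req, values):
            return None
        if "any_one_of" not in req and "not_any_of" not in req:
            direct_maps.append(values[0] if len(values) == 1 else values)
    return direct_maps


def _substitute(obj: Any, direct_maps: List[Any]) -> Any:
    """Recursively apply {n} substitution to the strings of a local entry."""
    if isinstance(obj, str):
        return obj.format(*direct_maps)
    if isinstance(obj, dict):
        return {k: _substitute(v, direct_maps) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_substitute(v, direct_maps) for v in obj]
    return obj


def process_mapping(rules: List[Dict[str, Any]], raw_assertion: Dict[str, str]) -> Optional[Dict[str, Any]]:
    """Collect user and groups from every matching rule; None means Keystone would reject the login."""
    assertion = split_assertion(raw_assertion)
    identity: Dict[str, Any] = {"user": None, "groups": []}
    matched = False
    for rule in rules:
        direct_maps = evaluate_rule(rule, assertion)
        if direct_maps is None:
            continue
        matched = True
        for local in rule["local"]:
            local = _substitute(local, direct_maps)
            if "user" in local:
                identity["user"] = local["user"]
            if "group" in local:
                identity["groups"].append(local["group"])
    return identity if matched else None


# Constructed mapping rules: everyone in 'openstack-users' lands in the federated group,
# members of 'openstack-admins' additionally get the admin group.
FEDERATED_DOMAIN = {"name": "federated_domain"}
MAPPING_RULES = [
    {
        "local": [
            {"user": {"name": "{0}"}},
            {"group": {"name": "federated_users", "domain": FEDERATED_DOMAIN}},
        ],
        "remote": [
            {"type": "REMOTE_USER"},
            {"type": "GROUPS", "any_one_of": ["openstack-users"]},
        ],
    },
    {
        "local": [{"group": {"name": "federated_admins", "domain": FEDERATED_DOMAIN}}],
        "remote": [{"type": "GROUPS", "any_one_of": ["openstack-admins"]}],
    },
]

# Constructed assertions as mellon would expose them to Keystone
ASSERTION_ADMIN = {"REMOTE_USER": "alice", "GROUPS": "openstack-users;openstack-admins"}
ASSERTION_GUEST = {"REMOTE_USER": "bob", "GROUPS": "guests"}

if __name__ == "__main__":
    print(process_mapping(MAPPING_RULES, ASSERTION_ADMIN))
    print(process_mapping(MAPPING_RULES, ASSERTION_GUEST))
```

Running a candidate rule set through this kind of evaluator with the assertions your IdP actually emits (dump them from the mellon environment first) is a cheap way to catch a rule that never matches before pointing Horizon at it.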

  9. SSO and AWS
     Quick how to do it:
     • Create a SAML client with the AWS saml-metadata
     • Configure the SAML Keycloak client with:
       • Client ID
       • Valid base URL
       • Valid redirect URL
     • Turn off the full scope of the client
     • Add the AWS SAML attributes
     • Create a group and role in Keycloak for AWS access
     • Configure an AWS IAM SAML provider
     • Create a role with the permissions that users will assume
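The two halves of this slide have to agree: the Role attribute Keycloak emits names an IAM role and the IAM SAML provider, and that role's trust policy must trust exactly that provider. The example below is added here and is not the talk's demo code; it uses the AWS-documented SAML attribute names, action and audience value, while the account id, role name and provider name are constructed placeholders. It builds the attribute value, validates a pair the way a reviewer would (well-formed ARNs, same account), generates the trust policy for the "create a role" step, and runs an offline pre-flight check of an assertion against that policy.

```python
import json
import re
from typing import Dict, List, Optional

# AWS-documented SAML attribute names and the audience AWS expects in the assertion
ROLE_ATTRIBUTE = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTRIBUTE = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=.@/-]+)$")
PROVIDER_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/([\w._-]+)$")


def build_role_attribute(account_id: str, role_name: str, provider_name: str) -> str:
    """Value the Keycloak attribute mapper must emit: 'role-arn,saml-provider-arn'."""
    return (f"arn:aws:iam::{account_id}:role/{role_name},"
            f"arn:aws:iam::{account_id}:saml-provider/{provider_name}")


def parse_role_attribute(value: str) -> Dict[str, str]:
    """Split and validate one Role attribute value; raises ValueError on a malformed pair."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError("Role attribute must be 'role-arn,provider-arn'")
    role_arn, provider_arn = parts
    role_m = ROLE_ARN_RE.match(role_arn)
    prov_m = PROVIDER_ARN_RE.match(provider_arn)
    if not role_m or not prov_m:
        raise ValueError(f"not an IAM role/saml-provider ARN pair: {value!r}")
    if role_m.group(1) != prov_m.group(1):
        raise ValueError("role and SAML provider live in different AWS accounts")
    return {"role_arn": role_arn, "provider_arn": provider_arn,
            "account_id": role_m.group(1), "role_name": role_m.group(2)}


def role_attribute_error(value: str) -> Optional[str]:
    """Convenience wrapper: the validation error message, or None when the value is fine."""
    try:
        parse_role_attribute(value)
        return None
    except ValueError as exc:
        return str(exc)


def saml_trust_policy(provider_arn: str) -> dict:
    """Trust policy for the IAM role users will assume via AssumeRoleWithSAML."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def assertion_can_assume(attributes: Dict[str, List[str]], trust_policy: dict) -> bool:
    """Offline pre-flight: every Role pair names a provider the role trusts, and a session name is present."""
    trusted = {
        stmt["Principal"].get("Federated")
        for stmt in trust_policy["Statement"]
        if stmt.get("Effect") == "Allow" and stmt.get("Action") == "sts:AssumeRoleWithSAML"
    }
    pairs = attributes.get(ROLE_ATTRIBUTE, [])
    if not pairs or not attributes.get(SESSION_NAME_ATTRIBUTE):
        return False
    return all(parse_role_attribute(pair)["provider_arn"] in trusted for pair in pairs)


# Constructed lab values
ACCOUNT_ID = "123456789012"
KEYCLOAK_ATTRIBUTES = {
    ROLE_ATTRIBUTE: [build_role_attribute(ACCOUNT_ID, "KeycloakOps", "Keycloak")],
    SESSION_NAME_ATTRIBUTE: ["alice@example.test"],
}
OPS_ROLE_TRUST = saml_trust_policy(f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/Keycloak")

if __name__ == "__main__":
    print(json.dumps(OPS_ROLE_TRUST, indent=2))
    print("assertion accepted:", assertion_can_assume(KEYCLOAK_ATTRIBUTES, OPS_ROLE_TRUST))
```

The pre-flight is deliberately strict about RoleSessionName: AWS rejects an assertion without it, which shows up as an opaque sign-in error rather than anything in the Keycloak log.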

  10. Bonus: SSO for Applications
     Quick how to do it:
     • Create an OIDC client
     • Configure the client with:
       • Base URL
       • Redirect URLs
       • Web origins
     • Remove the full scope
     • Create the roles and groups which will define the access to the application
     • Create the gatekeeper config with:
       • Client ID
       • Client secret
       • Discovery URL (Keycloak)
       • Target URL (application)
     • Map rules to protect URLs

  11. Bonus: SSO and k8s
     Quick how to do it:
     • Create an OIDC client
     • Create a group for cluster admins
     • Create a group for cluster users
     • Create the cluster role in k8s for admins
     • Create the cluster role in k8s for users
     • Pass the oidc-* config flags to kube-apiserver:
       • oidc-issuer
       • oidc-clientid
       • oidc-username-claim
       • oidc-groups-claim
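What the oidc-* flags buy you is a set of checks kube-apiserver performs on every bearer token before RBAC sees a username and groups: signature, issuer, audience (the client id), expiry, then the claim pick-up. The example below is added here and is not the talk's demo code or Kubernetes code; it re-implements those checks in plain Python and then resolves the resulting groups against constructed ClusterRoleBindings, which is the same verification the gatekeeper in the previous slide performs against its discovery URL. The issuer URL, client id, group names and the HMAC secret are constructed: a real apiserver validates RS256/ES256 signatures against the issuer's published JWKS, and HS256 is used only so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional

# Constructed lab values (issuer as Keycloak publishes it for a realm, the cluster's OIDC client id,
# an HMAC secret standing in for the IdP signing key, and a fixed clock for reproducible results)
ISSUER_URL = "https://keycloak.example.test/auth/realms/lab"
CLIENT_ID = "kubernetes"
SIGNING_SECRET = b"constructed-demo-secret"
NOW = 1_700_000_000


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes = SIGNING_SECRET) -> str:
    """Stand-in for the IdP: an HS256-signed ID token (constructed, offline only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


class OIDCAuthenticator:
    """The checks behind --oidc-issuer-url, --oidc-client-id, --oidc-username-claim,
    --oidc-groups-claim and --oidc-groups-prefix, in the order the apiserver applies them."""

    def __init__(self, issuer_url: str, client_id: str, username_claim: str = "sub",
                 groups_claim: Optional[str] = None, groups_prefix: str = "",
                 secret: bytes = SIGNING_SECRET):
        self.issuer_url, self.client_id = issuer_url, client_id
        self.username_claim, self.groups_claim = username_claim, groups_claim
        self.groups_prefix, self.secret = groups_prefix, secret

    def authenticate(self, token: str, now: Optional[float] = None) -> Dict[str, object]:
        try:
            header_b64, body_b64, sig_b64 = token.split(".")
        except ValueError:
            raise ValueError("malformed token")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            raise ValueError("unexpected alg")
        expected = hmac.new(self.secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        claims = json.loads(_b64url_decode(body_b64))
        if claims.get("iss") != self.issuer_url:
            raise ValueError("issuer mismatch")
        aud = claims.get("aud")
        if self.client_id not in ([aud] if isinstance(aud, str) else (aud or [])):
            raise ValueError("audience mismatch")
        if claims.get("exp", 0) <= (time.time() if now is None else now):
            raise ValueError("token expired")
        username = claims.get(self.username_claim)
        if not username:
            raise ValueError(f"missing {self.username_claim} claim")
        groups = claims.get(self.groups_claim, []) if self.groups_claim else []
        groups = [groups] if isinstance(groups, str) else list(groups)
        return {"username": username, "groups": [self.groups_prefix + g for g in groups]}


def rejection_reason(auth: OIDCAuthenticator, token: str, now: Optional[float] = None) -> Optional[str]:
    """Why a token was refused, or None when it was accepted."""
    try:
        auth.authenticate(token, now)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed ClusterRoleBindings: group subjects carry the prefix configured on the apiserver
CLUSTER_ROLE_BINDINGS: List[dict] = [
    {"clusterRole": "cluster-admin", "subjects": [("Group", "oidc:k8s-admins")]},
    {"clusterRole": "lab-cluster-user", "subjects": [("Group", "oidc:k8s-users")]},
]


def resolve_cluster_roles(user_info: Dict[str, object], bindings: List[dict] = CLUSTER_ROLE_BINDINGS) -> set:
    """Which ClusterRoles the authenticated user and groups are bound to."""
    subjects = {("User", user_info["username"])} | {("Group", g) for g in user_info["groups"]}
    return {b["clusterRole"] for b in bindings if subjects & set(b["subjects"])}


AUTH = OIDCAuthenticator(ISSUER_URL, CLIENT_ID, "preferred_username", "groups", "oidc:")
ADMIN_TOKEN = mint_id_token({"iss": ISSUER_URL, "aud": CLIENT_ID, "sub": "u-1",
                             "preferred_username": "alice", "groups": ["k8s-admins"], "exp": NOW + 3600})
ROGUE_TOKEN = mint_id_token({"iss": "https://other-idp.example.test", "aud": CLIENT_ID,
                             "preferred_username": "bob", "groups": ["k8s-admins"], "exp": NOW + 3600})
EXPIRED_TOKEN = mint_id_token({"iss": ISSUER_URL, "aud": CLIENT_ID,
                               "preferred_username": "alice", "groups": ["k8s-users"], "exp": NOW - 1})

if __name__ == "__main__":
    info = AUTH.authenticate(ADMIN_TOKEN, now=NOW)
    print(info, resolve_cluster_roles(info))
    print(rejection_reason(AUTH, ROGUE_TOKEN, NOW), rejection_reason(AUTH, EXPIRED_TOKEN, NOW))
```

The groups prefix is worth keeping even in a lab: without it, an IdP group called `system:masters` would map straight onto the built-in superuser group, which is exactly why the apiserver offers the flag.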

  12. Demo
     By the end of this section, your audience should be able to visualize:
     • What: Single Sign On
     • Where: on an OpenStack lab running Pike; on AWS using IAM as the client; on the app without authn
     Demo config files at: https://github.com/conference-demo/sso-hybrid-cloud

  13. Special thanks to the sponsors, and thank you! For more information about how to get this thing right… feel free to contact me directly!
