Single Sign On with a Hybrid Cloud By Miguel Zuniga
Who am I
Name: Miguel Zuniga
Occupation: Software and Infrastructure
Level: From engineer to director (hands on)
More info at: https://www.linkedin.com/in/miguelzuniga
Agenda
1. Why use Single Sign On?
2. IDP and SP
3. SAML, OAuth2 and OIDC
4. SSO Architectures
5. SSO and Openstack
6. SSO and AWS
7. Extra Bonus - SSO for Applications
8. Extra Bonus - SSO and k8s
9. Demo
Why use Single Sign On?
• Simplify user management.
• Single point for authentication and authorization for all systems.
• Single framework for authentication.
• Supports multiple protocols.
• Users and Operations will thank you.
• Security compliance and audits become easier.
IDP and SP: SSO Components
Identity Provider
• Does the user management
• Takes care of authentication
Service Provider
• Provides a service/resource to users
• Verifies that the user has a valid token/authn/authz
SSO and Openstack
Quick how to do it:
• Set up Apache Mellon (mod_auth_mellon)
• Configure keystone.conf
• Configure horizon local_settings
• Run keycloak-httpd-client-install
• Create the federated domain
• Create the federated project
• Create a federated group
• Add role member/users to the group
• Create the identity provider
• Create a set of mapping rules
• Create the protocol that links the IDP with the mapping rules
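The "create a set of mapping rules" step is where the SAML attributes that Apache Mellon hands to keystone become a keystone user and group, and a wrong rule silently locks everyone out or, worse, lets the wrong group in. The block below is an added example, not part of the slides or of the demo repository: a constructed mapping in the JSON format that `openstack mapping create --rules` accepts, plus a simplified Python reimplementation of how keystone evaluates the `remote` (filter/capture) and `local` (template) sides, so a mapping can be dry-run against sample attributes before it is uploaded. The `MELLON_*` attribute names are the environment variables mod_auth_mellon exports; the group, domain and user names are assumptions for the example, and the evaluator covers only `any_one_of`, `not_any_of`, `regex` and positional `{n}` capture.

```python
import json
import re

# Constructed keystone federation mapping in the JSON format that
# "openstack mapping create --rules <file>" accepts. MELLON_* are the
# variables mod_auth_mellon exports; group and domain names are placeholders.
MAPPING_RULES = json.loads("""
{
  "rules": [
    {
      "local": [
        {"user": {"name": "{0}"}},
        {"group": {"name": "federated_users", "domain": {"name": "federated"}}}
      ],
      "remote": [
        {"type": "MELLON_NAME_ID"},
        {"type": "MELLON_groups", "any_one_of": ["openstack-users", "openstack-admins"]}
      ]
    }
  ]
}
""")


def _values(assertion, attr):
    """Attribute values as a list; mod_auth_mellon delivers a multi-valued
    attribute as one ';'-separated string."""
    raw = assertion.get(attr)
    if raw is None:
        return None
    return raw.split(";") if isinstance(raw, str) else list(raw)


def rule_matches(rule, assertion):
    """Evaluate the 'remote' side of one rule. Returns the values captured for
    the {0}, {1}, ... placeholders, or None when the rule does not match.
    Entries carrying any_one_of / not_any_of only filter and capture nothing
    (simplified reimplementation of keystone's behaviour)."""
    captured = []
    for req in rule["remote"]:
        values = _values(assertion, req["type"])
        if values is None:
            return None          # required attribute absent: rule cannot match
        if "any_one_of" in req or "not_any_of" in req:
            patterns = req.get("any_one_of", req.get("not_any_of"))
            if req.get("regex"):
                hit = any(re.search(p, v) for p in patterns for v in values)
            else:
                hit = bool(set(values) & set(patterns))
            if hit != ("any_one_of" in req):
                return None
        else:
            captured.extend(values)
    return captured


def _substitute(template, captured):
    """Fill {n} placeholders recursively in the 'local' side of a rule."""
    if isinstance(template, str):
        return template.format(*captured)
    if isinstance(template, dict):
        return {k: _substitute(v, captured) for k, v in template.items()}
    if isinstance(template, list):
        return [_substitute(v, captured) for v in template]
    return template


def map_assertion(mapping, assertion):
    """Apply every matching rule; returns the local user name and group names.
    No user in the result means keystone would refuse the login."""
    identity = {"user": None, "groups": []}
    for rule in mapping["rules"]:
        captured = rule_matches(rule, assertion)
        if captured is None:
            continue
        for local in rule["local"]:
            local = _substitute(local, captured)
            if "user" in local:
                identity["user"] = local["user"]["name"]
            if "group" in local:
                identity["groups"].append(local["group"]["name"])
    return identity


if __name__ == "__main__":
    # Constructed attributes as mod_auth_mellon would hand them to keystone.
    print(map_assertion(MAPPING_RULES, {"MELLON_NAME_ID": "alice",
                                        "MELLON_groups": "openstack-users;developers"}))
    print(map_assertion(MAPPING_RULES, {"MELLON_NAME_ID": "mallory",
                                        "MELLON_groups": "developers"}))
```

The second call shows the case worth testing before go-live: a user who authenticates at the IDP but is in none of the listed groups gets no local user, so keystone rejects the session instead of dropping them into the federated group.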
SSO and AWS
Quick how to do it:
• Create a SAML client with the AWS saml-metadata
• Configure the SAML Keycloak client with:
  • Client ID
  • Valid base URL
  • Valid redirect URL
• Turn off the full scope of the client
• Add the AWS SAML attributes
• Create a group and role in Keycloak for AWS access
• Configure an AWS IAM SAML provider
• Create a role with the perms that users will take
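The "AWS SAML attributes" the slide refers to are the two attributes AWS expects in the assertion: `https://aws.amazon.com/SAML/Attributes/Role`, whose values are `role ARN,provider ARN` pairs, and `https://aws.amazon.com/SAML/Attributes/RoleSessionName`. The block below is an added example, not part of the slides or the demo repository: it parses a constructed assertion fragment of the shape Keycloak emits once those mappers are added, validates each pair, and applies the check a defender wants on the IAM side of the trust, namely that every role belongs to the expected account, names the SAML provider registered in IAM, and is on an allow-list. The account id `123456789012`, the provider name `keycloak` and the role names are placeholders.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
# IAM role / saml-provider ARN; the comma is excluded from the name class
# because AWS uses it as the delimiter inside the Role attribute value.
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/[\w+=.@/-]+$")

# Constructed assertion fragment; account id, provider and role names are placeholders.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/keycloak-admins,arn:aws:iam::123456789012:saml-provider/keycloak</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:role/keycloak-readonly,arn:aws:iam::123456789012:saml-provider/keycloak</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(xml_text, name):
    """All AttributeValue texts of the SAML attribute called `name`."""
    root = ET.fromstring(xml_text)
    out = []
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == name:
            out.extend((v.text or "").strip()
                       for v in attr.findall("saml:AttributeValue", SAML_NS))
    return out


def parse_role_pairs(xml_text):
    """Each Role value must be 'role ARN,provider ARN'; anything else is rejected."""
    pairs = []
    for value in attribute_values(xml_text, ROLE_ATTR):
        parts = [p.strip() for p in value.split(",")]
        if len(parts) != 2:
            raise ValueError(f"malformed Role value: {value!r}")
        role_arn, provider_arn = parts
        for arn, kind in ((role_arn, "role"), (provider_arn, "saml-provider")):
            m = ARN_RE.match(arn)
            if not m or m.group(2) != kind:
                raise ValueError(f"expected an IAM {kind} ARN, got {arn!r}")
        pairs.append((role_arn, provider_arn))
    return pairs


def session_name(xml_text):
    """RoleSessionName: exactly one value, 2-64 chars from the set AWS allows."""
    names = attribute_values(xml_text, SESSION_ATTR)
    if len(names) != 1 or not re.fullmatch(r"[\w+=,.@-]{2,64}", names[0]):
        raise ValueError("RoleSessionName must be a single value of 2-64 allowed characters")
    return names[0]


def check_against_account(pairs, account_id, provider_arn, allowed_roles):
    """True only if every pair targets our account, our registered SAML
    provider, and a role on the allow-list."""
    for role_arn, prov in pairs:
        if prov != provider_arn:
            return False
        if ARN_RE.match(role_arn).group(1) != account_id:
            return False
        if role_arn.rsplit("/", 1)[1] not in allowed_roles:
            return False
    return True


if __name__ == "__main__":
    pairs = parse_role_pairs(ASSERTION)
    print(session_name(ASSERTION), pairs)
    print(check_against_account(pairs, "123456789012",
                                "arn:aws:iam::123456789012:saml-provider/keycloak",
                                {"keycloak-admins", "keycloak-readonly"}))
```

Because the role ARN travels inside the assertion, the IAM role's trust policy (the "role with perms that users will take") is what actually limits who can assume it: it must name the SAML provider as principal and require `SAML:aud` to be the AWS sign-in endpoint, and the allow-list above is the same idea applied at the Keycloak mapper level.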
Bonus: SSO for Applications
Quick how to do it:
• Create an OIDC client
• Configure the client with:
  • Base URL
  • Redirect URLs
  • Web origins
• Remove the full scope
• Create the roles and groups which will define the access to the application
• Create the gatekeeper config with:
  • Client ID
  • Client secret
  • Discovery URL (Keycloak)
  • Target URL (application)
• Map rules to protect URLs
Bonus: SSO and k8s
Quick how to do it:
• Create an OIDC client
• Create a group for cluster admins
• Create a group for cluster users
• Create the cluster role in k8s for admins
• Create the cluster role in k8s for users
• Pass the oidc-* config flags to kube-apiserver:
  • --oidc-issuer-url
  • --oidc-client-id
  • --oidc-username-claim
  • --oidc-groups-claim
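The four `--oidc-*` flags and the two cluster role bindings only work together if the user and group names the apiserver derives from the ID token match the subjects in the bindings exactly. The block below is an added example, not part of the slides or the demo repository: a simplified Python reimplementation of the claim checks and name mapping kube-apiserver applies after it has verified the token signature against the issuer's JWKS (signature verification is deliberately not reproduced here, and the demo token is unsigned). The issuer URL, client id, group name and binding are constructed placeholders. It also covers the documented default that bites most first setups: when `--oidc-username-claim` is anything other than `email` and no `--oidc-username-prefix` is given, the user name becomes `<issuer url>#<claim value>`, so a `User` subject written as plain `alice` never matches.

```python
import base64
import json
import time

# Constructed apiserver settings keyed by the real flag names (without "--").
APISERVER_CFG = {
    "oidc-issuer-url": "https://keycloak.example.internal/auth/realms/cloud",
    "oidc-client-id": "kubernetes",
    "oidc-username-claim": "preferred_username",
    "oidc-groups-claim": "groups",
    "oidc-username-prefix": "",   # unset: the apiserver default applies (see k8s_identity)
    "oidc-groups-prefix": "",
}

# Constructed ClusterRoleBinding for the admins group; the Keycloak group
# name must equal the subject name, prefix included if one is configured.
ADMIN_BINDING = {
    "kind": "ClusterRoleBinding",
    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
    "subjects": [{"kind": "Group", "name": "k8s-cluster-admins"}],
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict) -> str:
    """Unsigned demo JWT (alg none) so the decoding path runs offline. A real
    Keycloak ID token is RS256-signed; the apiserver verifies that signature
    against the issuer's JWKS before it reads any claim."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_claims(token: str) -> dict:
    """Payload segment of a JWT as a dict (no signature check, see above)."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def k8s_identity(claims: dict, cfg: dict, now=None) -> dict:
    """Claim checks and user/group mapping the apiserver performs (simplified)."""
    now = time.time() if now is None else now
    if claims.get("iss") != cfg["oidc-issuer-url"]:
        raise ValueError("issuer does not match --oidc-issuer-url")
    aud = claims.get("aud", [])
    if cfg["oidc-client-id"] not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("token was not issued for --oidc-client-id")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    uclaim = cfg["oidc-username-claim"]
    if uclaim not in claims:
        raise ValueError(f"missing username claim {uclaim!r}")
    # Default prefix rule: no explicit prefix and a claim other than "email"
    # gives "<issuer url>#"; the literal "-" disables prefixing.
    uprefix = cfg.get("oidc-username-prefix") or ""
    if uprefix == "-":
        uprefix = ""
    elif not uprefix and uclaim != "email":
        uprefix = cfg["oidc-issuer-url"] + "#"
    groups = claims.get(cfg["oidc-groups-claim"], [])
    groups = [groups] if isinstance(groups, str) else list(groups)
    gprefix = cfg.get("oidc-groups-prefix") or ""
    return {"user": uprefix + claims[uclaim], "groups": [gprefix + g for g in groups]}


def binding_applies(identity: dict, binding: dict) -> bool:
    """True if the mapped identity is one of the binding's subjects."""
    for subject in binding["subjects"]:
        if subject["kind"] == "User" and subject["name"] == identity["user"]:
            return True
        if subject["kind"] == "Group" and subject["name"] in identity["groups"]:
            return True
    return False


if __name__ == "__main__":
    token = make_demo_token({"iss": APISERVER_CFG["oidc-issuer-url"], "aud": "kubernetes",
                             "exp": int(time.time()) + 300, "preferred_username": "alice",
                             "groups": ["k8s-cluster-admins"]})
    ident = k8s_identity(decode_claims(token), APISERVER_CFG)
    print(ident, binding_applies(ident, ADMIN_BINDING))
```

Binding on groups rather than users, as the slide does, sidesteps the prefix surprise for the admin and user roles and keeps membership changes in Keycloak; the groups claim still has to be added to the OIDC client as a mapper or it is simply absent from the token and the user lands with no groups at all.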
Demo
By the end of this section, your audience should be able to visualize:
• What: Single Sign On
• Where: on an Openstack lab running Pike; on AWS using IAM as client; on the app without authn
Demo config files at: https://github.com/conference-demo/sso-hybrid-cloud
Special thanks to the sponsors, and thank you!
For more information about how to get this thing right, feel free to contact me directly!