
Authentication

Prerequisites

  • A domain name must be configured so that the Portal service can use SSO authentication. Identify the domain to be used for the Portal.
  • Identify the tenant_id of the Azure tenant.
  • Ensure the Azure CLI is installed on a local machine and sign in with az login.
  • Run the provided shell script to create three app registrations and corresponding enterprise applications. Record the script output, as it is required for subsequent steps.
    • cdrplatform-api-access
    • cdrplatform-portal-access
    • cdrplatform-portal-client

    bash create-azure-app-registrations.sh cleanroom.glasswall.com

  • The enterprise application ar-Halo-portal-client must be granted admin consent.

Portal authentication setup

The Glasswall Halo Portal supports SSO authentication with Azure Entra ID. Follow the steps below to configure the integration.

  1. SSH into the virtual machine to run the commands below.

  2. The cdrplatform-portal and cdrplatform-portal-access Helm charts are located in the /home/glasswall directory.

    # Current image tag of the running portal deployment
    kubectl get deploy portal -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2

  3. Deploy the portal with the Azure AD configuration:
    tenant_id=""
    portal_domain=""
    portal_client_id=""
    portal_access_uri=""
    image_tag=$(kubectl get deploy portal -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2)
    # Keep exactly one of the enabled_pages assignments below, matching the entitlements enabled in this installation
    enabled_pages="SystemSettings,PolicySettings"
    # if XML validation entitlement is enabled
    enabled_pages="SystemSettings,PolicySettings,ValidationSettings"
    # if ICAP server is enabled
    enabled_pages="SystemSettings,PolicySettings,IcapSettings,IcapRequests,IcapReporting"
    # if Storage monitoring is enabled
    enabled_pages="SystemSettings,PolicySettings,IcapSettings,IcapRequests,IcapReporting,SharePointMonitoring,OneDriveMonitoring"
    helm upgrade --install cdrplatform-portal cdrplatform-portal \
    --set image.tag="${image_tag:?}" \
    --set image.pullPolicy=IfNotPresent \
    --set ingress.tls.enabled=true \
    --set ingress.tls.domain="${portal_domain:?}" \
    --set ingress.tls.secretName=tls-secret \
    --set cloud_provider=local \
    --set resources.requests.cpu=500m \
    --set resources.requests.memory=500Mi \
    --set resources.limits.cpu=500m \
    --set resources.limits.memory=500Mi \
    --set securityContext.seccompProfile.type=RuntimeDefault \
    --set configuration.BackendScope="${portal_access_uri:?}/PortalUserScope" \
    --set configuration.BackendUrl="https://${portal_domain}" \
    --set configuration.EnabledPages="${enabled_pages}" \
    --set configuration.OIDC.ProviderOptions.Authority="https://login.microsoftonline.com/${tenant_id:?}/v2.0" \
    --set configuration.OIDC.ProviderOptions.RedirectUri="https://${portal_domain}/authentication/login-callback" \
    --set configuration.OIDC.ProviderOptions.ClientId="${portal_client_id:?}" \
    --set configuration.OIDC.ProviderOptions.PostLogoutRedirectUri="https://${portal_domain}/authentication/logout-callback" \
    --atomic
  4. Deploy portal access with the Azure Entra ID configuration:

    tenant_id=""
    portal_domain=""
    portal_access_uri=""
    image_tag=$(kubectl get deploy portal-access -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2)
    helm upgrade --install cdrplatform-portal-access cdrplatform-portal-access \
    --set image.tag="${image_tag:?}" \
    --set image.pullPolicy=IfNotPresent \
    --set ingress.tls.enabled=true \
    --set ingress.tls.domain="${portal_domain:?}" \
    --set ingress.tls.secretName=tls-secret \
    --set cloud_provider=local \
    --set resources.requests.cpu=1 \
    --set resources.requests.memory=2Gi \
    --set resources.limits.cpu=1 \
    --set resources.limits.memory=2Gi \
    --set securityContext.seccompProfile.type=RuntimeDefault \
    --set configuration.AuthenticationScheme=Bearer \
    --set configuration.Authentication__Schemes__Bearer__ValidAudiences__0="${portal_access_uri:?}" \
    --set configuration.Authentication__Schemes__Bearer__ValidIssuer="https://sts.windows.net/${tenant_id:?}/" \
    --set configuration.Authentication__Schemes__Bearer__Authority="https://login.microsoftonline.com/${tenant_id:?}/v2.0/" \
    --atomic
  5. Open the Portal domain in a browser and select Login with SSO in the bottom-left corner.

  6. Complete the login through Azure Entra ID and, on first use, grant the app the required permissions on behalf of the organisation.

API authentication

API authentication can be configured in two ways:

  • Basic authentication
  • Bearer authentication

Basic authentication setup

  1. SSH into the virtual machine to run the commands below.
  2. The cdrplatform-api-access Helm chart is located in the /home/glasswall directory.
  3. Configure the credentials in the cluster by setting the username and password with the commands below. Multiple passwords can be specified by separating them with commas.

    bash add_secrets.sh organisation0-id <username>
    bash add_secrets.sh organisation0-tokens <password>

  4. Deploy api-access with Basic authentication:
    image_tag="$(kubectl get deploy api-access -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2)"
    enable_tls="true"   # or "false"
    api_domain=""       # ignore if enable_tls is false
    helm upgrade --install cdrplatform-api-access cdrplatform-api-access \
    --set image.tag="${image_tag:?}" \
    --set image.pullPolicy=IfNotPresent \
    --set ingress.tls.enabled="${enable_tls:?}" \
    --set ingress.tls.domain="${api_domain}" \
    --set configuration.CLIENTS__Policy__BaseAddress="http://policy-api:8080" \
    --set configuration.CLIENTS__License__BaseAddress="http://license-management.license-management.svc.cluster.local:8080" \
    --set configuration.CLIENTS__AsyncApi__BaseAddress="http://async-api:8080" \
    --set configuration.AuthenticationScheme="Basic" \
    --set cloud_provider=local \
    --set resources.requests.cpu=1 \
    --set resources.requests.memory=3Gi \
    --set resources.limits.cpu=1 \
    --set resources.limits.memory=3Gi \
    --set securityContext.seccompProfile.type=RuntimeDefault \
    --atomic

Bearer authentication setup

  1. Identify the tenant_id of the Azure tenant.
  2. SSH into the virtual machine to run the commands below.
  3. Ensure the cdrplatform-api-access Helm chart is available in the /home/glasswall directory.
  4. Deploy the API Access service with the Azure Entra ID configuration:
    tenant_id=""
    api_valid_audience="api://cdrplatform-api-access"
    image_tag=$(kubectl get deploy api-access -o json | jq -r '.spec.template.spec.containers[0].image' | cut -d":" -f2)
    enable_tls="true"   # or "false"
    api_domain=""       # ignore if enable_tls is false
    helm upgrade --install cdrplatform-api-access cdrplatform-api-access \
    --set image.tag="${image_tag:?}" \
    --set image.pullPolicy=IfNotPresent \
    --set ingress.tls.enabled="${enable_tls:?}" \
    --set ingress.tls.domain="${api_domain}" \
    --set configuration.CLIENTS__Policy__BaseAddress="http://policy-api:8080" \
    --set configuration.CLIENTS__License__BaseAddress="http://license-management.license-management.svc.cluster.local:8080" \
    --set configuration.CLIENTS__AsyncApi__BaseAddress="http://async-api:8080" \
    --set configuration.AuthenticationScheme="Bearer" \
    --set configuration.Authentication__Schemes__Bearer__ValidAudiences__0="${api_valid_audience}" \
    --set configuration.Authentication__Schemes__Bearer__ValidIssuer="https://sts.windows.net/${tenant_id:?}/" \
    --set configuration.Authentication__Schemes__Bearer__Authority="https://login.microsoftonline.com/${tenant_id:?}/v2.0/" \
    --set cloud_provider=local \
    --set resources.requests.cpu=1 \
    --set resources.requests.memory=3Gi \
    --set resources.limits.cpu=1 \
    --set resources.limits.memory=3Gi \
    --set securityContext.seccompProfile.type=RuntimeDefault \
    --atomic
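When api-access starts returning 401 after this deployment, the usual cause is a token whose iss or aud does not match the ValidIssuer and ValidAudiences values set above. The following Python diagnostic is an added example, not part of the Glasswall documentation: it decodes a bearer token's payload without verifying the signature (the API itself does that through Authority) and reports any mismatch against the configured values; the tenant id and the test tokens are constructed placeholders.

```python
import base64
import json

# Values configured for the api-access Bearer scheme above; the tenant id is a placeholder.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
VALID_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"
VALID_AUDIENCES = ["api://cdrplatform-api-access"]


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. Diagnostic only: no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str, valid_issuer: str = VALID_ISSUER,
                valid_audiences=VALID_AUDIENCES) -> list:
    """Compare iss/aud with the configured values; return a list of mismatch descriptions."""
    claims = jwt_claims(token)
    problems = []
    iss = claims.get("iss")
    if iss != valid_issuer:
        problems.append(f"iss {iss!r} != configured ValidIssuer {valid_issuer!r}")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(a in valid_audiences for a in auds):
        problems.append(f"aud {aud!r} not in ValidAudiences {valid_audiences!r}")
    return problems


def make_test_token(claims: dict) -> str:
    """Build a constructed, unsigned token (empty signature) purely as input for check_token."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'none'})}.{enc(claims)}."


if __name__ == "__main__":
    ok = make_test_token({"iss": VALID_ISSUER, "aud": "api://cdrplatform-api-access"})
    # Entra v2.0-format issuer: this configuration expects the sts.windows.net form, so it is flagged.
    v2 = make_test_token({"iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
                          "aud": ["api://cdrplatform-api-access"]})
    for name, tok in (("ok", ok), ("v2-issuer", v2)):
        print(name, check_token(tok) or "matches configuration")
```

Paste a real token captured from a failing client into check_token to see which claim the API is rejecting.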