Version: 6.16.0

Automated Single Sign-On (SSO)

As a SmoothGlue Enterprise administrator (admin), you can set up authentication and authorization with username and password or configure single sign-on (SSO) for any of the applications (apps). There are several SSO solutions you can choose from, based on your organizational requirements and use case. This document is a quick-reference guide on how to configure SSO using Keycloak as an SSO solution.

SmoothGlue SSO Automation

SmoothGlue can automatically configure the following objects within Keycloak:

  • A smoothglue realm
  • An admin group (_structsureAdmins) with the following roles:
    • realm-admin
  • An audit group (_structsureAudit) with the following roles:
    • view-clients
    • view-users
    • view-identity-providers
    • view-events
    • view-realm
    • view-authorization
  • Clients for the following applications:
    • Alertmanager
    • Authservice
    • Grafana
    • Kiali
    • NeuVector
    • Prometheus
    • GitLab
    • Mattermost
    • Jira
    • Confluence
    • Console

SmoothGlue will also configure the above set of applications to use their respective SSO client, except for Confluence and Jira, which require configuring SSO through their UI.

Configuring Auto SSO Feature

Configuring the SmoothGlue Auto SSO feature differs depending on which type of SmoothGlue environment is being configured.

SmoothGlue Build

Since Keycloak is deployed by default in a SmoothGlue Build environment, a System Integrator simply needs to enable the feature to take advantage of all the automation. In the zarf-config.yaml file, enable the feature by adding the following config:

package:
  deploy:
    set:
      AUTO_SSO_ENABLED: "true"

Deploy the SmoothGlue package with the new configuration above and allow the cluster some time to reconfigure the applications for SSO.

info

Please see How To Configure SmoothGlue Package for more information on configuring the SmoothGlue Package.

SmoothGlue Run

Since SmoothGlue Run environments typically need to reach out to a Keycloak deployed in a SmoothGlue Build environment, the hostname and CA cert for Keycloak need to be configured as well:

package:
  deploy:
    set:
      AUTO_SSO_ENABLED: "true"
      AUTO_SSO_HOSTNAME: "keycloak.example.com"
      AUTO_SSO_CA_CERT: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----

tip

Keycloak's hostname can be retrieved from the HOSTS field in the SmoothGlue Build cluster by running the following command:

kubectl get virtualservice -n keycloak

info

Please see How To Configure SmoothGlue Package for more information on configuring the SmoothGlue Package.

Additionally, a SmoothGlue Run environment will need credentials to be able to configure new clients in Keycloak. The following copies the credentials from a SmoothGlue Build environment to a SmoothGlue Run environment. Kubeconfigs for both environments will be required:

# Export credentials out of SmoothGlue Build environment
kubectl get secret -n crossplane-system keycloak-provider-master-secret --kubeconfig <build-kubeconfig> -o yaml > secret.yaml

# Put credentials in SmoothGlue Run environment
kubectl apply -f secret.yaml --kubeconfig <run-kubeconfig>

Finally, deploy the SmoothGlue package with the new configuration above and allow the cluster some time to reconfigure the applications for SSO.
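
A more careful variant of the credential copy above, as an added example that is not part of the SmoothGlue documentation or tooling: the exported Secret is only base64-encoded, so this script writes it readable by the current user only and drops metadata that describes the Build cluster's object. It assumes the export is taken with -o json instead of -o yaml; the sample input and its data key are constructed.

```python
"""Prepare an exported Keycloak provider Secret for another cluster (added example)."""
import json
import os
import sys

# Only these metadata fields are carried over; uid, resourceVersion, ownerReferences,
# managedFields and the like describe the Build cluster's object, not the Secret.
KEEP_METADATA = ("name", "namespace", "labels", "annotations")
# kubectl's bookkeeping annotation can embed a second copy of the secret data.
LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"

# Constructed sample of `kubectl get secret ... -o json`; the data key is hypothetical.
SAMPLE_EXPORT = {
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {
        "name": "keycloak-provider-master-secret",
        "namespace": "crossplane-system",
        "uid": "00000000-0000-0000-0000-000000000000",
        "resourceVersion": "12345",
        "creationTimestamp": "2024-01-01T00:00:00Z",
        "annotations": {LAST_APPLIED: "{...}"},
    },
    "data": {"credentials": "Y29uc3RydWN0ZWQ="},
}

def portable_secret(exported):
    """Return a Secret manifest holding only allow-listed metadata, type and data."""
    if exported.get("kind") != "Secret":
        raise ValueError("expected a Secret, got %r" % exported.get("kind"))
    source = exported.get("metadata") or {}
    meta = {k: source[k] for k in KEEP_METADATA if k in source}
    if not meta.get("name") or not meta.get("namespace"):
        raise ValueError("export lacks metadata.name or metadata.namespace")
    notes = {k: v for k, v in (meta.pop("annotations", None) or {}).items() if k != LAST_APPLIED}
    if notes:
        meta["annotations"] = notes
    return {"apiVersion": "v1", "kind": "Secret", "metadata": meta,
            "type": exported.get("type", "Opaque"), "data": exported.get("data", {})}

def write_private(path, manifest):
    """Write the manifest readable and writable by the current user only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tightens a file that already existed
    with os.fdopen(fd, "w") as fh:
        json.dump(manifest, fh, indent=2)

if __name__ == "__main__":  # kubectl get secret ... -o json | python3 <this file> secret.json
    write_private(sys.argv[1], portable_secret(json.load(sys.stdin)))
```

The resulting secret.json can be passed to kubectl apply -f with the Run kubeconfig in place of secret.yaml. Delete the file once the Secret has been applied.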

Step-by-Step SSO Instructions

The following applications have some additional steps that need to be configured. Please review their respective SSO how-to guide for additional details: