Setting Up OpenID authentication
According to the OpenID Foundation, "OpenID Connect 1.0 is a simple identity layer on the OAuth 2.0 protocol". OpenID Connect enables clients to verify user identity via a given authentication server. Turbonomic supports OpenID authentication through the following providers:
Google
IBM-MCM
Okta
Logging in to Turbonomic with OpenID
When you configure OpenID in Turbonomic, the platform registers the OpenID clients that you specify. To log in through one of these OpenID clients, you manually navigate to a URL that tells Turbonomic which client to use. Turbonomic then redirects to the OpenID login screen for that client.
The URL that you provide is in the form:
https://<hostname>/vmturbo/oauth2/login/code/<openIdClients>
Where:
<hostname>
is the host address for your installation of Turbonomic.
<openIdClients>
is the client name of the OpenID provider you want to use. You specify this as the openIdClients property when you configure OpenID in Turbonomic.
This URL must also be registered in the Authorized redirect URIs section of your provider's OpenID client configuration. Providers match the redirect URI exactly, so register it with the same scheme, host and path that users will navigate to. For example:
https://10.10.12.34/vmturbo/oauth2/login/code/okta
After you navigate to that URL, the browser redirects to the OpenID login screen, where you can enter credentials for a single user or a user group.
To authenticate a user group, the group must be configured on the OpenID provider and also on Turbonomic. The group name must be identical in both configurations (the match is exact, including case).
On the OpenID provider, the client that you are using must be granted a groups scope so that the ID token carries a groups claim with the names of the user's groups. Contact your OpenID administrator to get the group names. Then, on Turbonomic, create user groups that use the same names.
For example, assume the OpenID ID token includes the following groups claim:
{
"sub": "1234567890",
"name": "My_User_Name",
"iat": "12121212",
"groups": "My_Special_User_Group"
}
To use the group My_Special_User_Group for authentication, you must create a user group in Turbonomic with the name My_Special_User_Group. Any member of that group then gets the role that you assigned to that user group.
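The group matching described above, as an added example that is not Turbonomic's own code: it decodes the payload of a constructed ID token built from the groups claim shown on this page, normalizes the claim (a single string, as in the example, or a JSON array), and resolves a role only on an exact, case-sensitive name match. The TURBO_GROUPS mapping and the role names in it are hypothetical; the token is constructed inline and its signature is not verified, which a real login flow must do first.

```python
import base64
import json
from typing import Dict, List, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample ID token built from the groups claim shown above. The
# header and signature are placeholders; nothing here verifies a signature.
SAMPLE_PAYLOAD = {
    "sub": "1234567890",
    "name": "My_User_Name",
    "iat": 12121212,
    "groups": "My_Special_User_Group",
}
SAMPLE_ID_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_PAYLOAD).encode()),
    "signature-placeholder",
])

# Hypothetical Turbonomic-side configuration: user group name -> role.
# Names must match the provider's group names exactly (case-sensitive).
TURBO_GROUPS: Dict[str, str] = {
    "My_Special_User_Group": "observer",
    "Turbo_Admins": "administrator",
}


def decode_payload(id_token: str) -> dict:
    """Decode the payload segment of a compact JWT without verifying it.
    Only do this for inspection: before any claim is trusted, the signature
    must be verified against the provider's JWK set (openIdJwkSetUri)."""
    segments = id_token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def groups_from_claims(claims: dict, claim_name: str = "groups") -> List[str]:
    """Normalize the groups claim: providers send one string for a single
    group (as in the page's example) or a JSON array for several."""
    value = claims.get(claim_name)
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    if isinstance(value, list) and all(isinstance(g, str) for g in value):
        return value
    raise ValueError(f"claim {claim_name!r} has unexpected type {type(value).__name__}")


def resolve_role(claims: dict, configured: Dict[str, str]) -> Optional[str]:
    """Return the role of the first claimed group that is configured on the
    Turbonomic side, or None when no group name matches byte-for-byte.
    Which role wins when several groups match is a policy choice; this
    example takes the first match in claim order."""
    for group in groups_from_claims(claims):
        if group in configured:
            return configured[group]
    return None


if __name__ == "__main__":
    claims = decode_payload(SAMPLE_ID_TOKEN)
    print(groups_from_claims(claims), "->", resolve_role(claims, TURBO_GROUPS))
    # A case mismatch is not a match: the names must be identical.
    print(resolve_role({"groups": "my_special_user_group"}, TURBO_GROUPS))
```

Running the block prints the resolved role for the sample token and None for the lower-cased group name, which is the failure mode to look for when a user authenticates successfully at the provider but lands in Turbonomic without the expected role.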
Configuring OpenID on Turbonomic
To configure Turbonomic to authenticate via OpenID:
(Required) Ensure that chrony is configured and the system time on your Turbonomic instance is correct.
For instructions, see Synchronizing Time.
Obtain the necessary data from your OpenID provider.
Contact your security administrator to obtain the data from the provider. You will use this data to configure SSO in the Turbonomic CR file located at:
/opt/turbonomic/kubernetes/operator/deploy/crds/charts_v1alpha1_xl_cr.yaml
The data you need and the properties you declare in the CR file differ depending on the OpenID provider you want to use. The four endpoint URIs (token, authorization, UserInfo and JWK set) are the ones your provider publishes in its OpenID Connect discovery document, if it offers one; confirm them with your OpenID administrator.
Google:
openIdClients
  Value: google. The name of the OpenID client you are using to perform authentication.
openIdClientId
  The OAuth2 Client Identifier for the OpenID client that you are using.
openIdClientSecret
  The OAuth2 Client Secret for the OpenID client that you are using.
IBM-MCM:
openIdClients
  Value: ibm. The name of the OpenID client you are using to perform authentication.
openIdClientAuthentication
  Value: post. The client authentication method.
openIdUserAuthentication
  Value: form. The user authentication method.
openIdClientId
  The OAuth2 Client Identifier for the OpenID client that you are using.
openIdClientSecret
  The OAuth2 Client Secret for the OpenID client that you are using.
openIdAccessTokenUri
  The URI the login process uses to get an Access Token.
openIdUserAuthorizationUri
  The URI of the Authorization Endpoint for OpenID Connect.
openIdUserInfoUri
  The URI of the OpenID Connect UserInfo endpoint.
openIdJwkSetUri
  The URI of the JSON Web Key set used to verify the signatures of the tokens the provider issues.
openIdExternalGroupTag
  The name of a custom group to use for authentication.
Okta:
openIdClients
  Value: okta. The name of the OpenID client you are using to perform authentication.
openIdClientId
  The OAuth2 Client Identifier for the OpenID client that you are using.
openIdClientSecret
  The OAuth2 Client Secret for the OpenID client that you are using.
openIdAccessTokenUri
  The URI the login process uses to get an Access Token.
openIdUserAuthorizationUri
  The URI of the Authorization Endpoint for OpenID Connect.
openIdUserInfoUri
  The URI of the OpenID Connect UserInfo endpoint.
openIdJwkSetUri
  The URI of the JSON Web Key set used to verify the signatures of the tokens the provider issues.
Update the Turbonomic CR file with your configuration data.
You now have the data that you need to configure SSO via OpenID. You will edit the cr.yaml file that configures your Turbonomic node, and then deploy or restart the node.
Open the CR file for editing. For example, to open the file in vi:
cd /opt/turbonomic/kubernetes/operator/deploy/crds
vi charts_v1alpha1_xl_cr.yaml
As you edit this file, you will refer to the data that you obtained from your authentication provider.
In the CR file, navigate to the entry for the API component.
Search for or scroll to the entry:
apiVersion: charts.helm.k8s.io/v1alpha1
You will make changes to this component spec, under spec: > properties: > api:.
Turn on the OpenID feature.
For the first API property, set openIdEnabled: true. The file is then similar to the following example:
apiVersion: charts.helm.k8s.io/v1alpha1
kind: Xl
metadata:
  name: xl-release
spec:
  properties:
    api:
      openIdEnabled: true
Enter the relevant OpenID data for your authentication provider. The CR file should be similar to these examples, depending on which provider you use.
Google:
apiVersion: charts.helm.k8s.io/v1alpha1
kind: Xl
metadata:
  name: xl-release
spec:
  properties:
    api:
      openIdEnabled: true
      openIdClients: google
      openIdClientId: xxxx-4vinrdgllag5p84jjebc6xxxxxx5u.apps.googleusercontent.com
      openIdClientSecret: xxxxxhGcdFEjQa-xxxxxxxx
IBM-MCM:
apiVersion: charts.helm.k8s.io/v1alpha1
kind: Xl
metadata:
  name: xl-release
spec:
  properties:
    api:
      openIdEnabled: true
      openIdClients: ibm
      openIdClientAuthentication: post
      openIdUserAuthentication: form
      openIdClientId: turbonomic-mcm-demo
      openIdClientSecret: "xxxxxxvZ2ZscDhtOFVxxxxxxU3d6cXR4cTZhb2xxxxxxRT0K"
      openIdAccessTokenUri: https://icp-console.apps.blue-13.dev.multicloudops.io/idprovider/v1/auth/token
      openIdUserAuthorizationUri: https://icp-console.apps.blue-13.dev.multicloudops.io/idprovider/v1/auth/authorize
      openIdUserInfoUri: https://icp-console.apps.blue-13.dev.multicloudops.io/v1/auth/userInfo
      openIdJwkSetUri: https://icp-console.apps.blue-13.dev.multicloudops.io/oidc/endpoint/OP/jwk
Okta:
apiVersion: charts.helm.k8s.io/v1alpha1
kind: Xl
metadata:
  name: xl-release
spec:
  properties:
    api:
      openIdEnabled: true
      openIdClients: okta
      openIdClientId: xxxxxxxxxh1xhQnSKxxxx
      openIdClientSecret: xxxxxxxxxxtIhVCIRUnhq4xxxxxxxDdhLdqx0
      openIdAccessTokenUri: https://vmturbo.okta.com/oauth2/v1/token
      openIdUserAuthorizationUri: https://vmturbo.okta.com/oauth2/v1/authorize
      openIdUserInfoUri: https://vmturbo.okta.com/oauth2/v1/userinfo
      openIdJwkSetUri: https://vmturbo.okta.com/oauth2/v1/keys
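Producing and checking the api block before you paste it into the CR, as an added example that is not Turbonomic's or any provider's own code: it maps the endpoint fields of an OpenID Connect discovery document (token_endpoint, authorization_endpoint, userinfo_endpoint, jwks_uri) onto the CR properties listed in the tables above, rejects non-HTTPS endpoints, checks that the properties each supported client requires are present, and renders the CR skeleton from this page. The discovery document, hostname, client name and credentials are constructed placeholders; the per-provider requirements are taken from the tables above and nothing more.

```python
import json
from urllib.parse import urlparse

# Constructed discovery document of the kind a provider serves at
# https://<issuer>/.well-known/openid-configuration. Host and paths are
# placeholders for this example, not a real deployment.
DISCOVERY_JSON = """{
  "issuer": "https://idp.example.com/oauth2",
  "authorization_endpoint": "https://idp.example.com/oauth2/v1/authorize",
  "token_endpoint": "https://idp.example.com/oauth2/v1/token",
  "userinfo_endpoint": "https://idp.example.com/oauth2/v1/userinfo",
  "jwks_uri": "https://idp.example.com/oauth2/v1/keys"
}"""

# Standard discovery field -> CR property under spec.properties.api.
DISCOVERY_TO_CR = {
    "token_endpoint": "openIdAccessTokenUri",
    "authorization_endpoint": "openIdUserAuthorizationUri",
    "userinfo_endpoint": "openIdUserInfoUri",
    "jwks_uri": "openIdJwkSetUri",
}
ENDPOINT_KEYS = tuple(DISCOVERY_TO_CR.values())
# Properties each client needs besides openIdClientId/Secret (from the tables above).
PROVIDER_REQUIREMENTS = {
    "google": (),
    "okta": ENDPOINT_KEYS,
    "ibm": ("openIdClientAuthentication", "openIdUserAuthentication") + ENDPOINT_KEYS,
}


def api_properties_from_discovery(discovery_json, client_name, client_id,
                                  client_secret, extra=None):
    """Build the api mapping from a discovery document, refusing any
    non-HTTPS endpoint: tokens and the JWK set must never travel in the clear."""
    doc = json.loads(discovery_json)
    props = {"openIdEnabled": True, "openIdClients": client_name,
             "openIdClientId": client_id, "openIdClientSecret": client_secret}
    props.update(extra or {})
    for field, cr_key in DISCOVERY_TO_CR.items():
        uri = doc.get(field)
        if not uri:
            raise ValueError(f"discovery document has no {field}")
        if urlparse(uri).scheme != "https":
            raise ValueError(f"{field} must be https, got {uri}")
        props[cr_key] = uri
    return props


def check_api_properties(props):
    """Return the problems in an api block (empty list = passes). Run it on
    the block before pasting it into the CR: an invalid entry otherwise
    surfaces only as an HTTP 500 after the API pod restarts."""
    problems = []
    if props.get("openIdEnabled") is not True:
        problems.append("openIdEnabled must be true")
    client = props.get("openIdClients")
    if client not in PROVIDER_REQUIREMENTS:
        problems.append(f"openIdClients must be one of {sorted(PROVIDER_REQUIREMENTS)}, got {client!r}")
        return problems
    for key in ("openIdClientId", "openIdClientSecret") + PROVIDER_REQUIREMENTS[client]:
        if not props.get(key):
            problems.append(f"{key} is required when openIdClients is {client}")
    for key in ENDPOINT_KEYS:
        uri = props.get(key)
        if uri and urlparse(str(uri)).scheme != "https":
            problems.append(f"{key} must use https, got {uri}")
    return problems


def _is_number(text):
    try:
        float(text)
        return True
    except ValueError:
        return False


def _yaml_scalar(value):
    """Render a scalar so YAML reads it back unchanged: quote values that
    look like numbers or booleans, start with a YAML symbol, or contain ': '."""
    if isinstance(value, bool):
        return "true" if value else "false"
    text = str(value)
    risky = (text == "" or text != text.strip() or ": " in text or " #" in text
             or text[0] in "-?:,[]{}#&*!|>'\"%@`" or _is_number(text)
             or text.lower() in ("true", "false", "null", "~", "yes", "no"))
    return json.dumps(text) if risky else text


def render_cr_yaml(props, name="xl-release"):
    """Emit the CR skeleton from this page with the api block filled in."""
    lines = ["apiVersion: charts.helm.k8s.io/v1alpha1", "kind: Xl", "metadata:",
             f"  name: {name}", "spec:", "  properties:", "    api:"]
    lines += [f"      {key}: {_yaml_scalar(value)}" for key, value in props.items()]
    return "\n".join(lines) + "\n"


# Worked instance for an Okta-style client with placeholder credentials.
EXAMPLE_PROPS = api_properties_from_discovery(
    DISCOVERY_JSON, "okta", "client-id-placeholder", "client-secret-placeholder")

if __name__ == "__main__":
    assert check_api_properties(EXAMPLE_PROPS) == []
    print(render_cr_yaml(EXAMPLE_PROPS), end="")
```

The quoting rule in _yaml_scalar is there because a client secret that starts with a YAML indicator character, or a client ID made only of digits, would otherwise be read back as something other than the string you pasted; the IBM-MCM example above quotes its secret for the same reason.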
Save your changes to the CR file. The file now holds the OAuth2 client secret in cleartext, so restrict read access to it and keep it out of shared repositories.
Apply the modified cr.yaml file:
kubectl apply -f /opt/turbonomic/kubernetes/operator/deploy/crds/charts_v1alpha1_xl_cr.yaml
Restart the API component to load the new spec.
Open an SSH terminal session to your Turbonomic instance and delete the API pod so that it is recreated with the new spec:
kubectl delete pod api-<API_POD_ID>
To auto-fill the pod ID, type api- and then press TAB.
Verify that the configuration is successful.
Navigate to the Turbonomic User Interface through the OpenID login URL described above (https://<hostname>/vmturbo/oauth2/login/code/<openIdClients>). The browser redirects you to your authentication provider for authentication.
Log in with a username that is a member of the external group, or with the external user, that you previously configured.
Verify that the system time on your Turbonomic instance is correct.
If the time is not synchronized, the login can fail with an HTTP Status 401 - authentication failed exception in the browser, because the time-based claims of the ID token (such as iat and exp) are validated against the Turbonomic clock.
If the configuration is not successful, look for an HTTP Status 500 exception in the product log. If this exception exists, review your CR file for invalid entries.
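Why clock drift turns into a 401, as an added example that is not Turbonomic's own validation code: check_token_times applies the standard time checks an OpenID Connect client performs on an ID token (exp in the past, nbf in the future, iat in the future) against a given local clock with a small leeway, and skew_seconds estimates the offset between the local clock and the provider's from the Date header of an HTTP response. The claims, timestamps and the 60-second leeway are constructed for this example; the leeway a real client allows is implementation-specific.

```python
import email.utils
import time

# Constructed claims for an ID token issued at ISSUED and valid for an hour.
ISSUED = 1_700_000_000            # 2023-11-14 22:13:20 UTC
SAMPLE_CLAIMS = {"sub": "1234567890", "iat": ISSUED, "exp": ISSUED + 3600}


def check_token_times(claims, now_epoch, leeway=60):
    """Apply the time checks an OpenID Connect client performs on an ID
    token, using the local clock plus a small leeway. Returns the reasons
    the token would be rejected; an empty list means it passes. A local
    clock that drifts beyond the leeway fails one of these checks for
    every freshly issued token, which the browser sees as an HTTP 401."""
    problems = []
    exp = claims.get("exp")
    if exp is None:
        problems.append("exp claim missing")
    elif now_epoch > exp + leeway:
        problems.append(f"expired: exp={exp} is {now_epoch - exp:.0f}s in the past")
    nbf = claims.get("nbf")
    if nbf is not None and now_epoch + leeway < nbf:
        problems.append(f"not yet valid: nbf={nbf}")
    iat = claims.get("iat")
    if iat is not None and iat > now_epoch + leeway:
        problems.append(f"issued in the future: iat={iat} is "
                        f"{iat - now_epoch:.0f}s ahead of the local clock")
    return problems


def skew_seconds(provider_date_header, local_epoch=None):
    """Estimate how far the local clock is from the provider's, using the
    Date header of any response from the provider, for example:
        curl -sI https://<provider-host>/ | grep -i '^date:'
    Positive means the local clock runs ahead of the provider's."""
    if local_epoch is None:
        local_epoch = time.time()
    provider = email.utils.parsedate_to_datetime(provider_date_header)
    return local_epoch - provider.timestamp()


if __name__ == "__main__":
    # Local clock 10 minutes behind the provider: a fresh token is "from the future".
    print(check_token_times(SAMPLE_CLAIMS, ISSUED - 600))
    # Local clock ahead by more than the token lifetime: the token looks expired.
    print(check_token_times(SAMPLE_CLAIMS, ISSUED + 4000))
    print(skew_seconds("Tue, 14 Nov 2023 22:13:20 GMT", ISSUED + 120))
```

Pass the provider's Date header and the Turbonomic instance's current epoch time to skew_seconds; an offset of more than a minute or so is worth fixing with chrony before looking anywhere else for the cause of a 401.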