Setting Up OpenID authentication

According to the OpenID Foundation, "OpenID Connect 1.0 is a simple identity layer on the OAuth 2.0 protocol". OpenID Connect enables clients to verify user identity via a given authentication server. Turbonomic supports OpenID authentication through the following providers:

  • Google

  • IBM-MCM

  • Okta

Logging in to Turbonomic with OpenID

When you configure OpenID in Turbonomic, the platform registers the OpenID clients that you specify. To log in through one of these OpenID clients, you manually navigate to a URL that tells Turbonomic which client to use. Turbonomic then redirects you to the OpenID login screen for that client.

The URL that you provide is in the form:

https://<hostname>/vmturbo/oauth2/login/code/<openIdClients>

Where:

  • <hostname> is the host address for your installation of Turbonomic

  • <openIdClients> is the client name of the OpenID provider you want to use

    You specify this as the openIdClients property when you configure OpenID in Turbonomic.

Note:

This URL must also be set in the Authorized redirect URIs section of your provider's OpenID configuration.

For example, assume your Turbonomic host address is 10.10.12.34, and you configured an Okta OpenID client. In that case, when the Turbonomic login screen appears, you would navigate to:

https://10.10.12.34/vmturbo/oauth2/login/code/okta

After you navigate to that URL, the browser redirects to the OpenID login screen, where you can enter credentials for a single user or a user group.

Note:

To authenticate a user group, the group must be configured on the OpenID provider, and also on Turbonomic. The group name must be identical in both configurations.

On the OpenID provider, the client that you are using should include groups scope values that give specific names for user groups. Contact your OpenID administrator to get the group names. Then, on Turbonomic you should create user groups that use the same names.

For example, assume the OpenID ID token includes the following groups claim:

{
  "sub": "1234567890",
  "name": "My_User_Name",
  "iat": "12121212",
  "groups": "My_Special_User_Group"
}

To use the group My_Special_User_Group for authentication, you must create a user group in Turbonomic with the name My_Special_User_Group. Any members of that group will then get the role you have assigned to that user group.
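The matching rule above, as an added example that is not Turbonomic product code: given the decoded claims of an ID token whose signature and expiry have already been verified, it resolves the roles of the same-named Turbonomic user groups. The claim may arrive as a single string (as in the example token) or as a JSON array; the role names and the second group are constructed for the example.

```python
# Added example, not Turbonomic code: map an ID token's "groups" claim to the
# roles assigned to same-named Turbonomic user groups.
# Assumption: `claims` is the decoded JSON payload of a token that has already
# been verified against the provider's JWK set (see openIdJwkSetUri).
from typing import Dict, List, Mapping


def extract_groups(claims: Mapping[str, object], claim_name: str = "groups") -> List[str]:
    """Return the group names carried by the token.

    Providers differ in shape: the doc's example sends one string, other
    providers send a JSON array. Both are accepted; any other type is treated
    as "no groups" rather than guessed at.
    """
    value = claims.get(claim_name)
    if isinstance(value, str):
        return [value]
    if isinstance(value, list):
        return [g for g in value if isinstance(g, str)]
    return []


def resolve_roles(claims: Mapping[str, object], turbonomic_groups: Mapping[str, str],
                  claim_name: str = "groups") -> Dict[str, str]:
    """Map token groups to the role of the Turbonomic group with the identical name.

    Matching is exact and case-sensitive: "my_special_user_group" does not match
    "My_Special_User_Group", which is why the names must be identical on both
    sides. Groups Turbonomic does not know are ignored, so such a user gets no role.
    """
    return {g: turbonomic_groups[g]
            for g in extract_groups(claims, claim_name)
            if g in turbonomic_groups}


# Constructed sample: the ID token claims shown in the doc.
SAMPLE_CLAIMS = {
    "sub": "1234567890",
    "name": "My_User_Name",
    "iat": "12121212",
    "groups": "My_Special_User_Group",
}
# Constructed sample: Turbonomic user groups and the role assigned to each.
TURBONOMIC_GROUPS = {"My_Special_User_Group": "ADMINISTRATOR", "Observers": "OBSERVER"}

if __name__ == "__main__":
    print(resolve_roles(SAMPLE_CLAIMS, TURBONOMIC_GROUPS))
```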

Configuring OpenID on Turbonomic

To configure Turbonomic to authenticate via OpenID:

  1. (Required) Ensure that chrony is configured and the system time on your Turbonomic instance is correct.

    For instructions, see Synchronizing Time.

  2. Obtain the necessary data from your OpenID provider.

    Contact your security administrator to obtain the data from the provider. You will use this data to configure SSO in the Turbonomic CR file located at:

    /opt/turbonomic/kubernetes/operator/deploy/crds/charts_v1alpha1_xl_cr.yaml

    The data you need and the properties you declare in the CR file will differ depending on the OpenID provider you want to use:

    • Google:

      CR field                     Description
      openIdClients                Set to google. The name of the OpenID client you are using to perform authentication.
      openIdClientId               The OAuth2 Client Identifier for the OpenID client that you are using.
      openIdClientSecret           The OAuth2 Client Secret for the OpenID client that you are using.

    • IBM-MCM:

      CR field                     Description
      openIdClients                Set to ibm. The name of the OpenID client you are using to perform authentication.
      openIdClientAuthentication   Set to post. The client authentication method.
      openIdUserAuthentication     Set to form. The user authentication method.
      openIdClientId               The OAuth2 Client Identifier for the OpenID client that you are using.
      openIdClientSecret           The OAuth2 Client Secret for the OpenID client that you are using.
      openIdAccessTokenUri         The URI the login process will use to get an Access Token.
      openIdUserAuthorizationUri   The URI to the Authorization Endpoint for OpenID Connect.
      openIdUserInfoUri            The URI to the OpenID Connect UserInfo endpoint.
      openIdJwkSetUri              The URI to get the JSON Web Key set that can verify the Access Token.
      openIdExternalGroupTag       The name of a custom group to use for authentication.

    • Okta:

      CR field                     Description
      openIdClients                Set to okta. The name of the OpenID client you are using to perform authentication.
      openIdClientId               The OAuth2 Client Identifier for the OpenID client that you are using.
      openIdClientSecret           The OAuth2 Client Secret for the OpenID client that you are using.
      openIdAccessTokenUri         The URI the login process will use to get an Access Token.
      openIdUserAuthorizationUri   The URI to the Authorization Endpoint for OpenID Connect.
      openIdUserInfoUri            The URI to the OpenID Connect UserInfo endpoint.
      openIdJwkSetUri              The URI to get the JSON Web Key set that can verify the Access Token.

  3. Update the Turbonomic CR file with your configuration data.

    You now have the data that you need to configure SSO via OpenID. You will edit the cr.yaml file that configures your Turbonomic node, and then deploy or restart the node.

    • Open the CR file for editing.

      cd /opt/turbonomic/kubernetes/operator/deploy/crds

      Then open the CR file for editing. For example, to open the file in VI:

      vi charts_v1alpha1_xl_cr.yaml

      As you edit this file, you will refer to the data that you obtained from your authentication provider.

    • In the CR file, navigate to the entry for the API component.

      In the CR file, search for or scroll to the entry:

      apiVersion: charts.helm.k8s.io/v1alpha1

      You will make changes to this component spec, under spec:properties:api:

    • Turn on the OpenID feature.

      For the first API property, set the following:

      openIdEnabled: true

      The output is similar to the following example:

      apiVersion: charts.helm.k8s.io/v1alpha1
      kind: Xl
      metadata:
        name: xl-release
      spec:
        properties:
          api:
            openIdEnabled: true
    • Enter the relevant OpenID data for your authentication provider. The CR file should be similar to the following examples, depending on which provider you use.

      • Google:

        apiVersion: charts.helm.k8s.io/v1alpha1
        kind: Xl
        metadata:
          name: xl-release
        spec:
          properties:
            api:
              openIdEnabled: true
              openIdClients: google
              openIdClientId: xxxx-4vinrdgllag5p84jjebc6xxxxxx5u.apps.googleusercontent.com
              openIdClientSecret: xxxxxhGcdFEjQa-xxxxxxxx
      • IBM-MCM:

        apiVersion: charts.helm.k8s.io/v1alpha1
        kind: Xl
        metadata:
          name: xl-release
        spec:
          properties:
            api:
              openIdEnabled: true
              openIdClients: ibm
              openIdClientAuthentication: post
              openIdUserAuthentication: form
              openIdClientId: turbonomic-mcm-demo
              openIdClientSecret: "xxxxxxvZ2ZscDhtOFVxxxxxxU3d6cXR4cTZhb2xxxxxxRT0K"
              openIdAccessTokenUri: https://icp-console.apps.blue-13.dev.multicloudops.io/idprovider/v1/auth/token
              openIdUserAuthorizationUri: https://icp-console.apps.blue-13.dev.multicloudops.io/idprovider/v1/auth/authorize
              openIdUserInfoUri: https://icp-console.apps.blue-13.dev.multicloudops.io/v1/auth/userInfo
              openIdJwkSetUri: https://icp-console.apps.blue-13.dev.multicloudops.io/oidc/endpoint/OP/jwk

      • Okta:

        apiVersion: charts.helm.k8s.io/v1alpha1
        kind: Xl
        metadata:
          name: xl-release
        spec:
          properties:
            api:
              openIdEnabled: true
              openIdClients: okta
              openIdClientId: xxxxxxxxxh1xhQnSKxxxx
              openIdClientSecret: xxxxxxxxxxtIhVCIRUnhq4xxxxxxxDdhLdqx0
              openIdAccessTokenUri: https://vmturbo.okta.com/oauth2/v1/token
              openIdUserAuthorizationUri: https://vmturbo.okta.com/oauth2/v1/authorize
              openIdUserInfoUri: https://vmturbo.okta.com/oauth2/v1/userinfo
              openIdJwkSetUri: https://vmturbo.okta.com/oauth2/v1/keys
  4. Save your changes to the CR file.

  5. Apply the modified cr.yaml file.

    kubectl apply -f /opt/turbonomic/kubernetes/operator/deploy/crds/charts_v1alpha1_xl_cr.yaml

  6. Restart the API component to load the new spec.

    1. Open an SSH terminal session to your Turbonomic instance.

    2. Restart the API component.

      kubectl delete pod api-<API_POD_ID>

      To auto-fill the pod ID, type api- and then press TAB.

  7. Verify that the configuration is successful.

    1. Navigate to the Turbonomic User Interface.

      You will be automatically redirected to your authentication provider for authentication.

    2. Log in with a username that is a member of the external group, or with the external user, that you previously configured.

    3. Verify that the system time on your Turbonomic instance is correct.

      If the time is not synchronized, this might cause an HTTP Status 401 - authentication failed exception in the browser.

    4. If the configuration is not successful, look for an HTTP Status 500 exception in the product log. If this exception exists, review your CR file for invalid entries.
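A pre-flight check for the procedure above, added here as an example and not Turbonomic's own tooling: it compares the spec.properties.api block against the per-provider tables in step 2 before you run the kubectl apply of step 5, so a missing endpoint, a quoted "true", or a plain-http URI is caught before the API component restarts and returns the HTTP Status 500 of step 7. It assumes the block has already been loaded from charts_v1alpha1_xl_cr.yaml into a dict (for instance with PyYAML); the sample block is the doc's Okta example with its placeholder values.

```python
# Added example, not Turbonomic code: required api properties per provider,
# taken from the CR field tables in step 2 of the doc.
from typing import Dict, List, Mapping, Tuple

_COMMON: Tuple[str, ...] = ("openIdEnabled", "openIdClients",
                            "openIdClientId", "openIdClientSecret")
_ENDPOINTS: Tuple[str, ...] = ("openIdAccessTokenUri", "openIdUserAuthorizationUri",
                               "openIdUserInfoUri", "openIdJwkSetUri")
REQUIRED: Dict[str, Tuple[str, ...]] = {
    "google": _COMMON,
    "ibm": _COMMON + ("openIdClientAuthentication",
                      "openIdUserAuthentication") + _ENDPOINTS,
    "okta": _COMMON + _ENDPOINTS,
}
# Values the doc prescribes for IBM-MCM's authentication methods.
IBM_FIXED = {"openIdClientAuthentication": "post", "openIdUserAuthentication": "form"}


def check_api_properties(api: Mapping[str, object]) -> List[str]:
    """Return the problems found in spec.properties.api; empty means it looks complete."""
    problems: List[str] = []
    # YAML `openIdEnabled: true` loads as a boolean; a quoted "true" loads as a string.
    if api.get("openIdEnabled") is not True:
        problems.append("openIdEnabled must be the unquoted boolean true")
    client = api.get("openIdClients")
    if not isinstance(client, str) or client not in REQUIRED:
        problems.append(f"openIdClients must be one of {sorted(REQUIRED)}, got {client!r}")
        return problems  # without a known provider the remaining requirements are unknown
    for key in REQUIRED[client]:
        value = api.get(key)
        if value in (None, ""):
            problems.append(f"{key} is missing")
        elif key.endswith("Uri") and not str(value).startswith("https://"):
            # Authorization codes, tokens and the JWK set travel over these URLs.
            problems.append(f"{key} must use https, got {value!r}")
        elif key in IBM_FIXED and value != IBM_FIXED[key]:
            problems.append(f"{key} must be {IBM_FIXED[key]!r} for IBM-MCM")
    return problems


# Constructed sample: the Okta block from step 3, with the doc's placeholder values.
SAMPLE_OKTA_API = {
    "openIdEnabled": True,
    "openIdClients": "okta",
    "openIdClientId": "xxxxxxxxxh1xhQnSKxxxx",
    "openIdClientSecret": "xxxxxxxxxxtIhVCIRUnhq4xxxxxxxDdhLdqx0",
    "openIdAccessTokenUri": "https://vmturbo.okta.com/oauth2/v1/token",
    "openIdUserAuthorizationUri": "https://vmturbo.okta.com/oauth2/v1/authorize",
    "openIdUserInfoUri": "https://vmturbo.okta.com/oauth2/v1/userinfo",
    "openIdJwkSetUri": "https://vmturbo.okta.com/oauth2/v1/keys",
}
```

An empty list from check_api_properties means every field the tables require is present and well-formed; it does not confirm that the client ID and secret are the ones registered with the provider.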