SSO/Keycloak for Openshift

SSO for Openshift Sept 19, 2017 Glenn West

Overview

SSO Integration

Generate all keys/certs needed

Setup Openshift Client in Keycloak

Modify OCP config scripts

Integrate into single vm and ha ref arch

Why SSO

While OCP supports integration with a variety of providers for single sign-on, all require modifications of config files

A federated solution that can be used for both OCP and OCP applications is preferred

Keycloak gives a complete single sign-on solution across multiple providers with an easy-to-use user interface

Automation

While a ref-arch for the manual setup already exists, it requires a significant number of keys and multiple manual steps

Using an Ansible script, Keycloak can be auto-deployed and integrated with existing reference architecture(s)

Spin Up Single VM Ref Arch

During the install

OCP Console

SSO Login

Cluster Admin Login w/SSO

SSO Running in OCP

SSO/Keycloak App

Logged in to SSO

SSO Clients – Auto Added

SSO Client for OCP

Client Details

User created for OCP

User Details

OCP user

Lessons Learned

Three distinct phases of install, all in one Ansible script

Ansible Does REST

Ansible Variables can be saved across playbooks

Articles Published

Code

https://github.com/glennswest/sso4ocp

PR Pending:

https://github.com/openshift/openshift-ansible-contrib/tree/master/reference-architecture/azure-ansible