
Palette SSO with Azure Active Directory

Azure Active Directory and OIDC-Based Setup

After configuration, your organization can integrate Microsoft Azure Active Directory to authenticate access to Spectro Cloud Palette.

Prerequisites

  • Microsoft Azure Active Directory with appropriate permissions to create and modify users, groups, Enterprise Applications (SAML) or App Registrations (OIDC).


  • Access to Palette - Request access for a Free Trial.


  • Appropriate rights in Azure, with ID tokens enabled for the application.


  • kubelogin - This is a kubectl plugin for Kubernetes OpenID Connect (OIDC) authentication, also known as kubectl oidc-login.

Kubelogin Architecture

[Figure: kubelogin credential plugin architecture]


Steps for OIDC Integration in Microsoft Azure Active Directory

From within Microsoft Azure AD, log in and find the Azure Active Directory service page. The following two sections of that page contain the parameters needed to configure Palette.


  1. App registrations - You will use Azure AD App registrations to configure OIDC SSO with Spectro Cloud Palette.


  2. Enterprise applications - You will use Azure AD Enterprise applications to configure SAML SSO with Spectro Cloud Palette.


[Figure: App registrations and Enterprise applications in the Azure AD portal]

Integrating OIDC SSO for authenticating access to Kubernetes clusters using Microsoft Azure Active Directory

This section describes how to enable Azure AD SSO authentication to access a Kubernetes cluster.

  1. From the sidebar menu, select Tenant Settings and ensure Tenant Admin is selected from the dropdown.


  2. Go to Profiles from within Tenant Admin or a Project and select an existing Cluster Profile. Alternatively, if a Cluster Profile does not exist, create a new Cluster Profile with a CNCF Kubernetes distribution. Once you select a profile, its Infrastructure layers are displayed.


  3. Choose the Kubernetes layer and select the Pack Values to modify.


  4. The Pack Version Settings are exposed with the appropriate privileges (Tenant Admin). Note the following variables within the pack settings.


Configuring the Application OpenID Configuration in the Cluster

  1. Go to the Kubeadminconfig:apiServer:extraArgs section of the pack layer.


    • oidc-groups-claim - "Groups"


    • oidc-username-claim - "Email"


    • oidc-issuer-url - "Issuer's URL"


    • oidc-client-id - "Client ID"




  2. Next, find the clientConfig section and modify the following parameters:


    • oidc-issuer-url - This is the provider URL from which the public signing keys are discovered.


    • oidc-client-id - The client ID is found under the App Registration/Enterprise Application.


    • oidc-client-secret - The secret provided by Azure AD.


    • oidc-extra-scope - The extra scopes to request (the scope tags).
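As an added example (not from the Palette docs or the pack's own defaults), the Azure AD values wired into the apiServer extraArgs and clientConfig keys listed above, followed by the kubeconfig user entry that drives kubelogin on the client side with the same values. The tenant ID, client ID and secret are placeholders, and the nesting of the pack keys is assumed from the key names on this page; check it against your pack version.

```yaml
# Added example, not the Palette pack's own defaults. Placeholders in <...>.
# Pack layer (key nesting assumed from the names used on this page).
kubeadmconfig:
  apiServer:
    extraArgs:
      # Azure AD v2.0 issuer for the tenant; the API server fetches
      # <issuer>/.well-known/openid-configuration to find the signing keys.
      oidc-issuer-url: "https://login.microsoftonline.com/<TENANT-ID>/v2.0"
      # Application (client) ID of the App registration.
      oidc-client-id: "<APP-CLIENT-ID>"
      # Claim names as emitted in the Azure AD ID token are lowercase.
      oidc-username-claim: "email"
      # Azure AD puts group Object IDs in this claim (the groups claim must
      # be enabled on the App registration), which is why the spectro-rbac
      # values later on this page bind roles to Object IDs, not display names.
      # Users in a large number of groups get an overage indicator instead
      # of the claim, so they receive no group-based bindings at all.
      oidc-groups-claim: "groups"
  clientConfig:
    oidc-issuer-url: "https://login.microsoftonline.com/<TENANT-ID>/v2.0"
    oidc-client-id: "<APP-CLIENT-ID>"
    oidc-client-secret: "<APP-CLIENT-SECRET>"
    # email: needed for the username claim; offline_access: lets kubelogin
    # refresh tokens instead of re-prompting at every expiry.
    oidc-extra-scope: "email,offline_access"
---
# Client side: the kubeconfig user entry that runs kubelogin
# (kubectl oidc-login) with the same values.
users:
  - name: azure-ad-user
    user:
      exec:
        apiVersion: client.authentication.k8s.io/v1beta1
        command: kubectl
        args:
          - oidc-login
          - get-token
          - --oidc-issuer-url=https://login.microsoftonline.com/<TENANT-ID>/v2.0
          - --oidc-client-id=<APP-CLIENT-ID>
          - --oidc-client-secret=<APP-CLIENT-SECRET>
          - --oidc-extra-scope=email
          - --oidc-extra-scope=offline_access
```

Because the secret sits in the kubeconfig in clear text, keep that file with the same protections as any other credential and prefer a public-client App registration (no secret) where your Azure AD policy allows it.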




Binding an Azure AD Group to the Cluster Admin Role via RBAC

Configure the Role-Based Access Control (RBAC) pack.


Adding an RBAC Pack

  1. Under Tenant Admin, create an RBAC Cluster profile.


  2. Go to Cluster Profile > +Add Cluster Profile and complete the Basic Information.


  3. Enter the Name, Version, and Description (Optional) and click Next.


  4. Under Type, select +Add-on New Pack.


  5. Select Authentication as the Pack Type.


  6. From the Registry dropdown, click Public Repo.


  7. Choose Spectro RBAC as the Pack Name.


  8. Select the Pack Version.


  9. Click the spectro-rbac 1.0.0 Pack Values to edit the pack layer settings.

    Note: This is where you will edit the role settings.


  10. Click the Confirm & Create button.


Editing the RBAC Cluster Profile

  1. From Palette, go to Profiles and choose the RBAC cluster profile.


  2. Click the layer image and specify the ClusterRoleBindings.


  3. Go to the clusterRoleBindings:role section and type cluster-admin.


  4. Change the settings to your requirements and specific groups.


For Azure AD integration with RBAC, edit your RBAC pack values as shown below. Alternatively, copy and paste the entire block into your RBAC pack and modify your inputs where appropriate:

```yaml
pack:
  spectrocloud.com/install-priority: "0"
charts:
  spectro-rbac:
    # Specify one or more ClusterRoleBinding
    # Note that the _name_ attribute is optional
    clusterRoleBindings:
      - role: cluster-admin
        name: bind-cluster-admin-role-to-cluster-admin
        subjects:
          #- type: User
          #  name: user5
          - type: Group
            # For "name", input the Azure AD Group Object ID and add a comment noting the Azure AD display name that corresponds to it
            # Example: Azure AD Group Object Id "70d19fd6-####-####-####-##c6c915e301" is tied to the Azure AD Security Group with the display name of "cluster-admin-role".
            # name: "AZURE AD GROUP ID NAME"
            name: "INSERT AZURE AD GROUP ID For Cluster Admins"
      - role: admin
        name: bind-admin-role-to-admin
        subjects:
          #- type: User
          #  name: user5
          - type: Group
            # For "name", input the Azure AD Group Object ID and add a comment noting the Azure AD display name that corresponds to it
            # Example: Azure AD Group Object Id "064f2e40-####-####-####-##b9f7927976" is tied to the Azure AD Security Group with the display name of "admin-role".
            # name: "AZURE AD GROUP ID NAME"
            name: "INSERT AZURE AD GROUP ID For Admins"
      - role: view
        name: bind-view-role-to-view
        subjects:
          #- type: User
          #  name: user6
          - type: Group
            # For "name", input the Azure AD Group Object ID and add a comment noting the Azure AD display name that corresponds to it
            # Example: Azure AD Group Object Id "732edc96--####-####-####-##851dee3380" is tied to the Azure AD Security Group with the display name of "view-role".
            # name: "AZURE AD GROUP ID NAME"
            name: "INSERT AZURE AD GROUP ID For Viewers"
          #- type: ServiceAccount
          #  name: group6
          #  namespace: foo
      - role: edit
        name: bind-edit-role-to-edit
        subjects:
          #- type: User
          #  name: user6
          - type: Group
            # For "name", input the Azure AD Group Object ID and add a comment noting the Azure AD display name that corresponds to it
            # Example: Azure AD Group Object Id "21b55c08-6-####-####-####-##a3e2245ad7" is tied to the Azure AD Security Group with the display name of "edit-role".
            # name: "AZURE AD GROUP ID NAME"
            name: "INSERT AZURE AD GROUP ID For Edit"
          #- type: ServiceAccount
          #  name: group6
          #  namespace: foo
    #namespaces:
    #  # Specify one or more RoleBindings
    #  - namespace: team1
    #    createNamespace: true
    #    roleBindings:
    #      - role: admin
    #        name: special-override-name-admin-role
    #        kind: ClusterRole
    #        subjects:
    #          - type: User
    #            name: user3
    #          - type: Group
    #            name: team1namespaceadmin
    #      - role: view
    #        kind: ClusterRole
    #        subjects:
    #          - type: User
    #            name: user4
    #          - type: Group
    #            name: team1namespaceview
    #  - namespace: team2
    #    createNamespace: true
    #    roleBindings:
    #      - role: admin
    #        name: special
    #        kind: ClusterRole
    #        subjects:
    #          - type: User
    #            name: user1
    #          - type: Group
    #            name: group1
```

Example:

Azure AD Group Object ID "70******-355a-453b-aadf-*********301" is linked to the Azure AD Security Group with the display name of cluster-admin-role.

name: "AZURE AD GROUP ID NAME"


Results

You have now established SSO authentication integrating Microsoft Azure AD and Spectro Cloud Palette using OIDC.

References

Microsoft Active Directory
Credential Plugin Diagram
kubelogin