This topic tells you about concepts important to getting started with Application Single Sign-On (commonly called AppSSO).
Use this topic to learn how to:
After completing these steps, you can proceed with securing a workload. For more information, see Secure a workload with Application Single Sign-On.
To get start with Application Single Sign-On, you must:
At the core of Application Single Sign-On is the concept of the Authorization Server, outlined by the AuthServer custom resource. Service Operators create those resources to provision running Authorization Servers, which are OpenID Connect Providers. They issue ID Tokens to the client applications, which contain identity information about the end user, such as email, first name, last name and so on.
The following steps outline how a client application uses an AuthServer
to authenticate an end-user:
AuthServer
, with an OAuth2 request.AuthServer
by using an external identity provider, for example, Google or Azure AD.
AuthServer
s use various protocols to obtain identity information about the user, such as OpenID Connect, SAML, or LDAP, which might require additional redirects.AuthServer
redirects the end-user to the client application with an authorization code.AuthServer
to receive an id_token
.
AuthServer
collected identity information. It only receives the identity information as an id_token
.ID Tokens are JSON Web Tokens containing standard claims about the identity of the user, for example, name or email, and standard claims about the token itself, for example, “expires at” or “audience”. Here is an example of an id_token
issued by an Authorization Server:
{
"iss": "https://appsso.example.com",
"sub": "213435498y",
"aud": "my-client",
"nonce": "fkg0-90_mg",
"exp": 1656929172,
"iat": 1656928872,
"name": "Jane Doe",
"given_name": "Jane",
"family_name": "Doe",
"email": "jane.doe@example.com",
"roles": [
"developer",
"org-user"
]
}
roles
claim is included in an id_token
only if user roles are mapped and the roles
scope is requested. For more information about mapping for OpenID Connect, LDAP and SAML, see:
ID Tokens are signed by the AuthServer
by using Token signature keys. Client applications can verify their validity by using the AuthServer
’s public keys.
This section tells you how to provision an AuthServer
for Application Single Sign-On. Use this topic to learn how to:
ClusterUnsafeTestLogin
.AuthServer
is running and users can log in.You must install and correctly configure Application Single Sign-On on your Tanzu Application Platform cluster.
Application Single Sign-On is installed with the run
, iterate
, and full
profiles. No extra steps are required.
To verify Application Single Sign-On is installed on your cluster, run:
tanzu package installed list -A | grep "sso.apps.tanzu.vmware.com"
For more information about the Application Single Sign-On installation, see Install Application Single Sign-On.
The Application Single Sign-On login servers are a consumable service offering in Tanzu Application Platform. The ClusterWorkloadRegistrationClass
represents these service offerings.
In your Kubernetes cluster, run the following command:
tanzu service class list
If there is not a login offering you want to connect to, you must create your own.
CautionThe
AuthServer
example uses an unsafe testing-only identity provider. Never use it in production environments. For more information about the identity providers, see Identity providers.
In a non-poduction environment, ClusterUnsafeTestLogin
is the recommended way to get started with Application Single Sign-On.
cat <<EOF | kubectl apply -f -
apiVersion: sso.apps.tanzu.vmware.com/v1alpha1
kind: ClusterUnsafeTestLogin
metadata:
name: my-login
EOF
To see the service offering, run:
tanzu service class list
Expect to see the following output:
NAME DESCRIPTION
my-login Login by AppSSO - user:password - UNSAFE FOR PRODUCTION!
CautionThis login offering is not safe for production because it hard codes the user and password.
You can wait for the ClusterUnsafeTestLogin
to be ready by running:
kubectl wait --for=condition=Ready clusterUnsafeTestLogin my-login
Alternatively, you can inspect your ClusterUnsafeTestLogin
like any other resource:
kubectl get clusterunsafetestlogin.sso.apps.tanzu.vmware.com --all-namespaces
Expect to see the following output:
NAME ISSUER URI STATUS
my-login http://unsafe-my-login.appsso.<...> Ready
You can visit the login page by using the ISSUER URI
.
Now that you have an Application Single Sign-On service offering. The next step is to create a ClassClaim
, which creates consumable credentials for your workload, and allows your workload to connect to the login service offering by using the credentials.
Select your preferred login offering from the available options:
tanzu service class list
If there are none available, you can create one yourself:
tanzu service class-claim create my-workload \
--class my-login \
--parameter workloadRef.name=appsso-starter-java \
--parameter redirectPaths='["/login/oauth2/code/appsso-starter-java"]'
The redirectPaths
is the login redirect within your application. This example deploys a minimal Spring application, so you can use the Spring Security path.
Verify the status of your ClassClaim
by running:
tanzu service class-claim list
This section tells you how to deploy a minimal Kubernetes application that is protected by Application Single Sign-On (commonly called AppSSO) by using the credentials that tanzu service class-claim creates.
For more information about how a Client application uses an AuthServer to authenticate an end user, see the Overview of Application Single Sign-On.
Follow these steps to deploy a minimal Spring Boot application:
List the available accelerators by running:
tanzu accelerator list
Expect to see an accelerator named appsso-starter-java
. This is the accelerator to use.
Create a project by running:
tanzu accelerator generate appsso-starter-java --server-url YOUR-TAP-SERVER-URI --options '{"appssoOfferingName": "my-login"}'
This command creates a zip file.
Unzip the file by running:
unzip appsso-starter-java.zip
Make the following changes in config/workload.yaml
:
serviceClaims
is the ServiceClaim
you generated in the previous step. Replace appsso-starter-java
in the serviceClaims
section with my-workload
.The following code sample claimes the ServiceClaim
from your appliction:
---
spec:
serviceClaims:
- name: YOUR-SERVICE-CLAIM
ref:
apiVersion: services.apps.tanzu.vmware.com/v1alpha1
kind: ClassClaim
name: YOUR-SERVICE-CLAIM
Deploy the workload by running:
kubectl apply -f config/workload.yaml
The ServiceClaim
connects your application to the AppSSO AuthServer
.
See the workload section of the Tanzu Application Platform Portal where you can find the URL for your workload at https://tap-gui.YOUR-TAP-CLUSTER-DOMAIN
.