11 software delivery problems solved by intelligence software delivery platform  Download
Select Page
Share

Introduction

Security Assertion Markup Language (SAML) is a standard used for user login to different applications like Spinnaker,  based on their logged-in sessions used in another context. This single sign-on (SSO) login standard has significant advantages over logging in using a username/password:

  • No need to type in credentials
  • No need to remember and renew passwords
  • No weak passwords

The scope of this guide is how to set up SAML authentication on Spinnaker using Okta as the Identity Provider.

Pre-Requisites

  1. Desired version of the Spinnaker installed
  2. Okta account with required users
  3. Admin Access to the Okta to add the Spinnaker application

Setting up Okta Account

  1. Navigate to https://www.okta.com/
  2. Click Signup and register for a new account.
  3. Get your Okta Account URL. 

Ex: https://opsmx-dev-admin.okta.com/

Configuring Spinnaker Authentication using SAML with Okta as IDP

  1. Configure a Spinnaker application in the Okta.
  2. Configure Halyard with Okta application.

  A. Configure a Spinnaker application in the Okta

  1. Login to Okta as the administrator (https://opsmx-dev-admin.okta.com/) using administrator Login.
  2. Configure Spinnaker as a new SSO Application. ( Navigate to Applications —>Create App Integration —> SAML2.0)
Create a new app integration

3. Provide the Required Name (e.g: Spinnaker) and Logo for the Custom Application.

4. Provide the SAML Settings Configuration.

  1. Single sign-on URL: This is the EndPoint to which Okta will send the SAML responses. For Spinnaker it is basically the Gate URL + /saml/SSO.
    1. Exhttps://test-spin.opsmx.com/gate/saml/SSO
    2. Note: The End point URL should be followed by /saml/SSO.
  2. Audience URI (SP Entity ID): Entity ID here should match with the Issuer ID in Spinnaker Halyard
    1. Ex: spind
  3. Name ID Format : Identifies the SAML processing rules and constraints for the assertion’s subject statement. Use the default value of ‘Unspecified’ unless the application explicitly requires a specific format. Set this to EmailAddress.
  4. Application username: Determines the default value for a user’s application username. The application username will be used for the assertion’s subject statement.  Set this to: Email.
  5. Group Attribute Statements:
    1. Name = memberOf, Name format = Unspecified, Filter = Regex: .*
  6. Click “Next”.
Configure SAML

g. The Create SAML Integration Feedback page, select the “I’m an Okta customer adding an internal app”   button, then hit the green “Finish” button.

h. Navigate back to this page by going to Applications -> applicationName ->            Sign On tab. Click the button “View Setup Instructions”.This will display the page with configuration information necessary to configure Spinnaker.
i. Download the Certificate and Save the metadata.xml file to your local. These are required to configure the Spinnaker.

J. Download the Certificate and Save the metadata.xml file to your local. These are required to configure the Spinnaker.

   Finally, you can assign the required Users/Groups to access the Spinnaker Application.

B. Configure the Halyard to use the Spinnaker Okta for Authentication.

1. Create a SAML KeyStore for Spinnaker

				
					keytool -genkey -v -keystore spinnaker.jks -alias saml -keyalg RSA -keysize 2048 -validity 10000
				
			

2. Configure the Spinnaker to use the Okta as SAML Authentication.

				
					hal config security authn saml edit \
--keystore $KEYSTORE_PATH \
--keystore-alias saml \
--keystore-password $KEYSTORE_PASSWORD \
--metadata $METADATA_PATH \
--issuer-id $ISSUER_ID \
--service-address-url $SERVICE_ADDR_URL
				
			

      SERVICE_ADDR_URL is the Spinnaker gate endpoint URL.

  3. Enable SAML authentication.

				
					hal config security authn saml enable
				
			

4.Apply the halyard changes

				
					hal deploy apply
				
			
  1.  

5. Verify Spinnaker authentication

        Once changes are applied, you can verify Spinnaker authentication. It should take you to the Okta login page and should be able to authenticate to Spinnaker successfully.

Vamsi Krishna

Vamsi Krishna is a Software Engineer at OpsMx and has over 5+ years of industrial expertise in the DevOps domain. He has previously worked in companies like IBM, Kloud9. His current assignments involve, build and release activities with the high efficient CI/CD tools on to the different environments (both on-prem and Cloud), design and build and deliver highly scalable applications while extending existing Open Source platforms. He has fair knowledge in building a microservice-based application on to the Kubernetes Clusters hosted on different cloud Environments and in integrating DevOps Applications end to end and implementing the complete Automated systems as per the requirements. He holds CKA certification. He has also developed ticketing systems using Jira Administration for the Projects. His areas of expertise include - Cloud, GCP, Kubernetes/ Docker, Jenkins, Jira,Git, High Availability.

0 Comments

Submit a Comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.