Application Single Sign-On (AppSSO) – Static Test User Configuration for VMware Tanzu Application Platform
How to deploy an authorization server with static test users along with a Tanzu Application Platform iterate profile
Author: Indu R Pillai
Application Single Sign-On for VMware Tanzu, short AppSSO, provides APIs for curating and consuming a “single sign-on as a service” offering on VMware Tanzu Application Platform. With AppSSO, Service Operators can configure and deploy authorization servers. Application Operators can then configure their workloads with these authorization servers to provide single sign-on to their end users.
During development, static users may be useful for testing purposes. This blog provides steps to deploy an authorization server with static test users along with a Tanzu Application Platform iterate profile. This feature helps to integrate authentication and authorization decisions early in the software development and release lifecycle.
Prerequisites
- Cluster with TAP iterate profile installed
- Access to Tanzunet
- Docker running on a local machine/client
- Tanzu CLI (v0.25.0)
- kubectl
- TAP 1.3.0
Install AppSSO Package
AppSSO Package is available from Tanzu Application Platform 1.2.0 with profiles full, iterate, and run. In this example, we are using Tanzu Application Platform version 1.3.0 with the iterate profile to set up AppSSO (2.0.0).
- Create tap-values.yaml with the iterate profile.
- Update the shared.ingress_domain section with your ingress domain. INGRESS-DOMAIN is the subdomain for the host name that you point at the tanzu-shared-ingress service’s external IP address.
- Install Tanzu Application Platform with TAP_VERSION 1.2.0 or above. In this example, we are using TAP version 1.3.0.
- Verify AppSSO is installed.
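The following tap-values.yaml is an added illustration for the steps above, not the file from the original post. It shows the iterate profile with the shared.ingress_domain setting; the domain is inferred from the issuer URI used later in this post, every registry value is a placeholder you must replace, and the remaining keys follow the TAP 1.3 profile reference.

```yaml
# Added example tap-values.yaml for a TAP 1.3 iterate profile (not the original post's file).
# Values in angle brackets are placeholders; replace them for your environment.
profile: iterate
ceip_policy_disclosed: true

shared:
  # INGRESS-DOMAIN: the subdomain pointed at the tanzu-shared-ingress service's external IP.
  # AppSSO templates each AuthServer's issuer URI as <name>.<namespace>.<ingress_domain>.
  ingress_domain: "apps.appssotest.cloudfocused.in"   # inferred from the issuer URI in this post

# Registry used by Tanzu Build Service (placeholders).
buildservice:
  kp_default_repository: "<registry>/<project>/build-service"
  kp_default_repository_username: "<registry-username>"
  kp_default_repository_password: "<registry-password>"

# Registry the basic supply chain pushes workload images to (placeholders).
supply_chain: basic
ootb_supply_chain_basic:
  registry:
    server: "<registry>"
    repository: "<project>/workloads"

contour:
  envoy:
    service:
      type: LoadBalancer
```

Install with tanzu package install tap -p tap.tanzu.vmware.com -v 1.3.0 --values-file tap-values.yaml -n tap-install. To verify the AppSSO step, run tanzu package installed list -n tap-install and confirm that the sso.apps.tanzu.vmware.com package shows Reconcile succeeded; the iterate profile installs it without any extra package.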
For more information, please find the Tanzu Application Platform installation guidelines in the official documentation.
Set up Auth Server
- Create the authservers namespace for deploying authservers.
- Create authserver_unsafe_user.yaml with an AuthServer configuration that uses the internal unsafe user store.
Please note: AppSSO templates the issuer URI and creates a TLS-enabled Ingress for it. Once you create the AuthServer, you can find the actual URL in .status.issuerURI. In this configuration, we have disabled TLS and used the unsafe configuration. If the issuer URL is not https, make sure to add the annotation sso.apps.tanzu.vmware.com/allow-unsafe-issuer-uri: "" in authserver_unsafe_user.yaml.
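An AuthServer manifest matching the steps above, added here as an illustration; it is not the authserver_unsafe_user.yaml from the original post. It follows the AppSSO 2.0 AuthServer API as documented for TAP 1.3, and the field names, the RSAKey used for the signing key, and the allow-client-namespaces annotation are assumptions to check against the documentation for your version. The test user ernie with password "password" is the one used later in this post.

```yaml
# Added example authserver_unsafe_user.yaml (not the original post's file).
# Assumes the AppSSO 2.0 AuthServer API (sso.apps.tanzu.vmware.com/v1alpha1).
apiVersion: sso.apps.tanzu.vmware.com/v1alpha1
kind: AuthServer
metadata:
  name: authserver-sample
  namespace: authservers
  labels:
    # ClientRegistrations select this AuthServer by these labels.
    name: authserver-sample
    sample: "true"
  annotations:
    # Required because internalUnsafe keeps plaintext test users in the manifest.
    sso.apps.tanzu.vmware.com/allow-unsafe-identity-provider: ""
    # Required because TLS is disabled below, so the templated issuer URI is http://.
    sso.apps.tanzu.vmware.com/allow-unsafe-issuer-uri: ""
    # Only ClientRegistrations from these namespaces may bind; keep it narrower than "*".
    sso.apps.tanzu.vmware.com/allow-client-namespaces: "workloads"
spec:
  replicas: 2
  tls:
    disabled: true   # development only; use issuerRef/certificateRef elsewhere
  tokenSignature:
    signAndVerifyKeyRef:
      name: authserver-signing-key
  identityProviders:
    - name: internal
      internalUnsafe:
        users:
          - username: ernie
            password: password   # test credentials used later in this post
            roles:
              - silly
---
# RSA key pair for token signing, generated by secretgen-controller (shipped with TAP).
apiVersion: secretgen.k8s.io/v1alpha1
kind: RSAKey
metadata:
  name: authserver-signing-key
  namespace: authservers
spec:
  secretTemplate:
    type: Opaque
    stringData:
      key.pem: $(privateKey)
      pub.pem: $(publicKey)
```

After kubectl apply -f authserver_unsafe_user.yaml -n authservers, the command kubectl get authserver authserver-sample -n authservers -o jsonpath='{.status.issuerURI}' prints the templated issuer URI once the Ingress is ready. Because the users and their passwords live in plaintext in this manifest, keep the file out of any repository that is not purely for local development.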
- Apply authserver_unsafe_user.yaml to the authservers namespace.
- Verify the authserver is successfully deployed.
$ kubectl get authserver authserver-sample -n authservers
NAME                REPLICAS   ISSUER URI                                                             CLIENTS   STATUS
authserver-sample   2          http://authserver-sample.authservers.apps.appssotest.cloudfocused.in   0         Ready
- Verify the test user can log in:
- Go to the issuer URI (e.g. http://authserver-sample.authservers.apps.appssotest.cloudfocused.in/).
- Enter the username as “ernie” (the test user defined in authserver_unsafe_user.yaml). Click Submit.
- Enter the password as “password”. Click Sign-In.
- Verify login is successful with the message “This is the home page placeholder. You have successfully logged in, but have nowhere to go.”
Set up workload
- Create a namespace workloads for deploying workloads.
$ kubectl create ns workloads
- Set up the namespace by applying registry-credentials and the developer namespace configuration. Please find the details in the official documentation.
- Add read/write registry credentials to the developer namespace. Refer to step 1 in the documentation.
- Add secrets, a service account to execute the supply chain, and RBAC rules to authorize the service account in the developer namespace (the workloads namespace). Refer to step 2 in the documentation.
- Create the client.yaml file.
- Apply the client registration.
- Verify the client registration status is Ready. Please ignore the warnings, if any.
- Create a service claim with the client registration details. Please note that the claim name should match the end of the redirect-uri in the client registration; refer to client.yaml.
- Verify the service claim status is Ready: True.
- Create a workload using the sample appsso-starter-java.
- Verify the workload is in Ready status.
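The client registration, service claim, and workload for the steps above, added as one illustration; these are not the original post's client.yaml or workload definition. Assumptions: the ClientRegistration, ResourceClaim, and Workload APIs as documented for TAP 1.3, the git URL placeholder, and an AuthServer created with the labels name=authserver-sample and sample=true that allows clients from the workloads namespace. The redirect URI is built from the application URL in this post, and the claim name appsso-starter-java is the last path segment of that URI, as the post requires.

```yaml
# Added example client.yaml plus the claim and workload that consume it
# (not the original post's files). APIs assumed from the TAP 1.3 documentation.
apiVersion: sso.apps.tanzu.vmware.com/v1alpha1
kind: ClientRegistration
metadata:
  name: appsso-starter-java
  namespace: workloads
spec:
  # Selects the AuthServer by label; the AuthServer must allow the workloads namespace.
  authServerSelector:
    matchLabels:
      name: authserver-sample
      sample: "true"
  # The last path segment (appsso-starter-java) must equal the service claim name below.
  redirectURIs:
    - "http://appsso-starter-java.workloads.apps.appssotest.cloudfocused.in/login/oauth2/code/appsso-starter-java"
  requireUserConsent: false
  # Only the browser login flow is needed; no client_credentials grant for this sample.
  authorizationGrantTypes:
    - authorization_code
  scopes:
    - name: openid
    - name: email
    - name: profile
    - name: roles
---
# Service claim pointing at the ClientRegistration; the name matches the redirect URI suffix.
apiVersion: services.apps.tanzu.vmware.com/v1alpha1
kind: ResourceClaim
metadata:
  name: appsso-starter-java
  namespace: workloads
spec:
  ref:
    apiVersion: sso.apps.tanzu.vmware.com/v1alpha1
    kind: ClientRegistration
    name: appsso-starter-java
---
# Workload built from the appsso-starter-java sample; the git URL is a placeholder.
apiVersion: carto.run/v1alpha1
kind: Workload
metadata:
  name: appsso-starter-java
  namespace: workloads
  labels:
    apps.tanzu.vmware.com/workload-type: web
    app.kubernetes.io/part-of: appsso-starter-java
spec:
  source:
    git:
      url: "https://<your-git-host>/<org>/appsso-starter-java.git"
      ref:
        branch: main
  # Binds the claim so the client id/secret and issuer URI reach the app as service bindings.
  serviceClaims:
    - name: appsso-starter-java
      ref:
        apiVersion: services.apps.tanzu.vmware.com/v1alpha1
        kind: ResourceClaim
        name: appsso-starter-java
```

Apply the three resources in the workloads namespace, then check kubectl get clientregistration,resourceclaim -n workloads and tanzu apps workload get appsso-starter-java -n workloads. Once the registration is Ready, the CLIENTS column of kubectl get authserver authserver-sample -n authservers goes from 0 to 1, which confirms the AuthServer accepted a client from the workloads namespace.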
- Navigate to the Application URL, e.g. http://appsso-starter-java.workloads.apps.appssotest.cloudfocused.in/home
- Click the “Login using App SSO” button.
- Enter the test user credentials. Username: “ernie”, Password: “password”
- Verify the logged-in page is displayed.
Reference
- Official documentation: Application Single Sign-On for VMware Tanzu® (2.0.0) https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.3/tap/GUID-app-sso-about.html