Application Single Sign-On (AppSSO) – Static Test User Configuration for VMware Tanzu Application Platform
How to deploy an authorization server with static test users along with a Tanzu Application Platform iterate profile
Author: Indu R Pillai
Application Single Sign-On for VMware Tanzu, AppSSO for short, provides APIs for curating and consuming a “single sign-on as a service” offering on VMware Tanzu Application Platform. With AppSSO, Service Operators can configure and deploy authorization servers. Application Operators can then configure their workloads with these authorization servers to provide single sign-on to their end users.
During development, static users may be useful for testing purposes. This blog provides steps to deploy an authorization server with static test users along with a Tanzu Application Platform iterate profile. This feature helps to integrate authentication and authorization decisions early in the software development and release lifecycle.
- Cluster with TAP iterate profile installed
- Access to Tanzunet
- Docker running on a local machine/client
- Tanzu CLI (v0.25.0)
- TAP 1.3.0
Install AppSSO Package
AppSSO Package is available from Tanzu Application Platform 1.2.0 with profiles full, iterate, and run. In this example, we are using Tanzu Application Platform version 1.3.0 with the iterate profile to set up AppSSO (2.0.0).
- Create ‘tap-values.yaml’ with the iterate profile.
shared.ingress_domain section with ingress domain.
INGRESS-DOMAIN is the subdomain for the host name that you point at the tanzu-shared-ingress service’s external IP address.
- Install Tanzu Application Platform with TAP_VERSION 1.2.0 or above. In this example, we are using TAP version 1.3.0.
- Verify AppSSO is installed.
For more information, please find the Tanzu Application Platform installation guidelines in the official documentation.
Set up Auth server
authservers namespace for deploying authservers.
authserver_unsafe_user.yaml with AuthServer configurations for using Internal unsafe user.
Please note: AppSSO will template the issuer URI and create a TLS-enabled Ingress for it. Once you create the AuthServer, you can find the actual URL in .status.issuerURI. In this configuration, we have disabled TLS and used the unsafe configuration. If the issuer URL is not https, make sure to add the annotation:
- Verify authserver is successfully deployed.
$ kubectl get authserver authserver-sample -n authservers
- Verify the test user can login:
- Go to the issuer URI (e.g. http://authserver-sample.authservers.apps.appssotest.cloudfocused.in/).
- Enter the username as “ernie” (test user mentioned in authserver_unsafe_user.yaml). Click submit.
- Enter password as “password”. Click on Sign-In.
- Verify login is successful with message “This is the home page placeholder. You have successfully logged in, but have nowhere to go.”
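A check for the unsafe settings used above (internal static users, TLS disabled), as an added example that is not part of the original post: it reads output shaped like kubectl get authserver -A -o json and lists every AuthServer that carries them, so a test configuration can be spotted before it leaves a development cluster. The field and annotation names (spec.identityProviders[].internalUnsafe, spec.tls.disabled, the sso.apps.tanzu.vmware.com/allow-unsafe- prefix) are assumed from the AppSSO 2.0.0 AuthServer API and should be checked against the official documentation; the sample objects are constructed.

```python
import json

# Assumed from the AppSSO 2.0.0 AuthServer API; not shown on this page.
UNSAFE_ANNOTATION_PREFIX = "sso.apps.tanzu.vmware.com/allow-unsafe-"

# Constructed sample shaped like `kubectl get authserver -A -o json` output.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"metadata": {"name": "authserver-sample", "namespace": "authservers",
                "annotations": {
                  "sso.apps.tanzu.vmware.com/allow-client-namespaces": "workloads",
                  "sso.apps.tanzu.vmware.com/allow-unsafe-issuer-uri": "",
                  "sso.apps.tanzu.vmware.com/allow-unsafe-identity-provider": ""}},
   "spec": {"tls": {"disabled": true},
            "identityProviders": [{"name": "internal", "internalUnsafe": {
              "users": [{"username": "ernie", "password": "password"}]}}]}},
  {"metadata": {"name": "authserver-corp", "namespace": "authservers"},
   "spec": {"identityProviders": [{"name": "corp", "openID": {}}]}}
]}
""")


def unsafe_findings(authserver):
    """Return one finding per unsafe setting on a single AuthServer object."""
    meta = authserver.get("metadata") or {}
    spec = authserver.get("spec") or {}
    ref = f"{meta.get('namespace', '?')}/{meta.get('name', '?')}"
    findings = []
    for key in sorted(meta.get("annotations") or {}):
        if key.startswith(UNSAFE_ANNOTATION_PREFIX):
            findings.append(f"{ref}: opt-in annotation {key}")
    if (spec.get("tls") or {}).get("disabled") is True:
        findings.append(f"{ref}: TLS disabled, issuer URI served over http")
    for idp in spec.get("identityProviders") or []:
        if "internalUnsafe" in idp:
            users = (idp["internalUnsafe"] or {}).get("users") or []
            names = ", ".join(u.get("username", "?") for u in users)
            findings.append(f"{ref}: internalUnsafe provider '{idp.get('name', '?')}' "
                            f"with static users: {names}")
    return findings


def audit(doc):
    """Accept a List (kubectl -o json) or a single AuthServer object."""
    items = doc["items"] if "items" in doc else [doc]
    return [f for item in items for f in unsafe_findings(item)]


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no unsafe AuthServer settings found")
```

To run it against a cluster, replace SAMPLE with the parsed output of kubectl get authserver -A -o json.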
Set up workload
- Create a namespace workloads for deploying workloads.
$ kubectl create ns workloads
- Set up namespace by applying registry-credentials and developer namespace configurations. Please find the details in the official documentation.
- Add read/write registry credentials to the developer namespace. Refer to step 1 in the documentation.
- Add secrets, a service account to execute the supply chain, and RBAC rules to authorize the service account to the developer namespace (workloads namespace). Refer to step 2 in the documentation.
- Apply the client registration.
- Verify the client registration status is Ready. Please ignore the warnings, if any.
- Create a service claim with client registration details. Please note that the claim name should match the end of the redirect-uri in the client registration. Refer
- Verify service claim status is
- Create workload using sample appsso-starter-java.
- Verify the workload is in Ready status.
- Navigate to the Application URL, e.g. http://appsso-starter-java.workloads.apps.appssotest.cloudfocused.in/home
- Click on Login using App SSO button.
- Enter the test user credentials. Username: “ernie”, Password: “password”
- Verify the logged-in page is displayed.
- Official documentation: Application Single Sign-On for VMware Tanzu® (2.0.0) https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.3/tap/GUID-app-sso-about.html