SSO Server

General description

SSO Server is a component responsible for user authentication and authorization. Other applications (e.g. Admin panel) can integrate with it using OAuth.

Supported identity providers:

  • Kerberos protocol and SPNEGO negotiation mechanism for user authentication, combined with LDAP for authorization
  • Microsoft Entra ID for user authentication

API

Default port: 9000

The application must be reachable from outside the Kubernetes cluster for its OAuth functionality to work, since clients are redirected to it and back via the configured redirect URIs.

Default endpoints for monitoring purposes are available. They are described in the Components monitoring section.

Databases

SQL

The component has its own SQL database for storing OAuth-related data. Main tables:

  • oauth_code - contains OAuth codes that can be used to obtain an access token
  • oauth_token - contains access tokens that can be used to access SSO Server API

Config

Application's config:

chatbots.sso-server {
  # Publicly visible SSO Server URL (host only), used for generating links
  host: ""
  # Whether SSO Server is served over HTTPS
  is-https: true

  db {
    url: "jdbc:postgresql://HOST:PORT/chatbots-sso"
    user: "USER"
    password: "PASSWORD"
    max-connections: 3
  }

  # OAuth code time-to-live
  code-ttl: 30s
  # Access token time-to-live
  token-ttl: 30s
  # OAuth clients
  clients: [
    # Admin panel
    {
      # Client id and secret have to match those in the Admin panel's config (chatbots.admin.sso-server)
      client-id: "123"
      client-secret: "234"
      redirect-uri: "https://admin-panel-public-url.com/ssoCallback"
    }
  ]

  spnego {
    # Kerberos principal
    principal: ""
    # Path to Kerberos keytab file
    keytab: ""
    # (Optional) Path to Kerberos configuration file (required for LDAP keytab authentication)
    krb-file: ""
  }

  ldap {
    # LDAP host
    host: "HOST"
    # LDAP port, usually 389 for a plain and 636 for a TLS-secured connection
    port: 389
    # Connection timeout (ms), 0 means no timeout
    timeout: 0

    # Whether the connection should be secured with TLS
    use-ssl: true
    # (Optional) Path to the certificate (required for a secure connection)
    cert-path: "/path/to/cert.pem"

    # Whether the keytab should be used for LDAP authentication
    use-keytab: true
    # (Optional) Full user DN, e.g. CN=User,CN=Users,DC=domain,DC=local (required if use-keytab is false)
    username: ""
    # (Optional) User password (required if use-keytab is false)
    password: ""

    # Base distinguished name (DN)
    base-dn: "dc=domain,dc=local"
    # Additional user filter, can be empty
    users-filter: "(&(objectCategory=person)(objectClass=user))"
    # Attribute containing the username
    username-attribute: "sAMAccountName"
    # Attribute containing the roles
    role-attribute: "memberOf"
    # Role prefix; roles without this prefix are ignored
    role-prefix: ""
    # Role pattern; it must have either exactly 2 unnamed groups (1st: organization, 2nd: role) or 2 named groups (org: organization, role: role)
    role-pattern: "([^_]+)_([^_]+)"
  }

  entra-id {
    tenant-id: ""
    client-id: ""
    client-secret: ""
  }
}
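The following Python is an added example, not the SSO Server's own code, illustrating how the role-prefix and role-pattern settings above can be applied to a user's memberOf values. The page does not say which part of the group DN the pattern is matched against or whether the prefix is stripped first; the example assumes the group's CN is matched in full after the prefix is removed.

```python
import re

# Constructed sample: memberOf values of one LDAP user (not real directory data).
SAMPLE_MEMBER_OF = [
    "CN=acme_admin,OU=Groups,DC=domain,DC=local",
    "CN=acme_viewer,OU=Groups,DC=domain,DC=local",
    "CN=Domain Users,CN=Users,DC=domain,DC=local",          # no org_role shape: ignored
    "CN=chatbots_beta_editor,OU=Groups,DC=domain,DC=local",  # only matches with role-prefix "chatbots_"
]

def group_cn(dn):
    """Return the CN value of a group DN (its first RDN), or None if it is not a CN."""
    first_rdn = dn.split(",", 1)[0]
    key, _, value = first_rdn.partition("=")
    return value if key.strip().lower() == "cn" and value else None

def compile_role_pattern(pattern):
    """Validate role-pattern as the page describes: 2 unnamed groups or named groups org/role."""
    regex = re.compile(pattern)
    if {"org", "role"} <= set(regex.groupindex):
        return regex, "named"
    if regex.groups == 2 and not regex.groupindex:
        return regex, "unnamed"
    raise ValueError("role-pattern needs exactly 2 unnamed groups or named groups org and role")

def map_roles(member_of, role_prefix="", role_pattern="([^_]+)_([^_]+)"):
    """Map memberOf DNs to sorted (organization, role) pairs; groups that do not
    carry the prefix or do not match the pattern are ignored (assumed semantics)."""
    regex, kind = compile_role_pattern(role_pattern)
    roles = set()
    for dn in member_of:
        cn = group_cn(dn)
        if cn is None or not cn.startswith(role_prefix):
            continue
        match = regex.fullmatch(cn[len(role_prefix):])  # assumption: full match of the CN
        if match is None:
            continue
        if kind == "named":
            roles.add((match.group("org"), match.group("role")))
        else:
            roles.add(match.group(1, 2))
    return sorted(roles)

if __name__ == "__main__":
    print(map_roles(SAMPLE_MEMBER_OF))
    print(map_roles(SAMPLE_MEMBER_OF, role_prefix="chatbots_"))
```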

Other required configurations:

None

Play Framework config

More information about Play Framework can be found in the Play Framework configuration section.

Job execution

None

Troubleshooting

Nothing yet