SSO Server
General description
SSO Server is the component responsible for user authentication and authorization. Other applications (e.g. the Admin panel) integrate with it as OAuth clients, using an authorization code that is exchanged for an access token (see the oauth_code and oauth_token tables below).
Supported identity providers:
- Kerberos, negotiated over HTTP with the SPNEGO mechanism, for user authentication, combined with LDAP for authorization (role lookup)
- Microsoft Entra ID for user authentication
API
Default port: 9000
The application must be reachable from outside the Kubernetes cluster: the OAuth flow sends the user's browser to the SSO Server and then back to the client's redirect-uri, so a cluster-internal address is not enough.
There are default endpoints for monitoring purposes. They are described in the Components monitoring section.
Databases
SQL
The component has its own SQL Database for storing OAuth related data. Main tables:
- oauth_code - short-lived OAuth authorization codes (lifetime: code-ttl) that a client exchanges for an access token
- oauth_token - access tokens (lifetime: token-ttl) that can be used to access the SSO Server API
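The following is an added example, not the SSO Server's own code: an in-memory model of the oauth_code and oauth_token tables together with the checks a server configured through chatbots.sso-server has to perform when a registered client (the Admin panel with client-id "123") exchanges a code for a token. The row layout, the function names and the fake clock are assumptions; the TTLs mirror code-ttl and token-ttl from the config below (30 s each). It shows why a code must be single-use and bound to both the client and the exact redirect-uri, and what the two TTLs do.

```python
"""Added example (not project code): model of the oauth_code / oauth_token tables.
Assumptions: row layout, function names, FakeClock; TTLs follow code-ttl / token-ttl."""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class OAuthClient:  # one entry of the `clients` list in the config
    client_id: str
    client_secret: str
    redirect_uri: str


class FakeClock:
    """Deterministic clock so TTL expiry can be shown offline (assumption, not project code)."""
    def __init__(self, now: float = 1000.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


@dataclass
class SsoStore:
    clients: dict[str, OAuthClient]
    clock: Callable[[], float]
    code_ttl: float = 30.0   # code-ttl
    token_ttl: float = 30.0  # token-ttl
    oauth_code: dict[str, tuple] = field(default_factory=dict)   # code -> (client_id, user, redirect_uri, expires_at)
    oauth_token: dict[str, tuple] = field(default_factory=dict)  # token -> (client_id, user, expires_at)

    def issue_code(self, client_id: str, redirect_uri: str, user: str) -> str:
        client = self.clients.get(client_id)
        # exact comparison: a prefix or host-only match would let the code leak to another path
        if client is None or redirect_uri != client.redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self.oauth_code[code] = (client_id, user, redirect_uri, self.clock() + self.code_ttl)
        return code

    def exchange_code(self, client_id: str, client_secret: str, code: str, redirect_uri: str) -> str:
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client.client_secret.encode(), client_secret.encode()):
            raise PermissionError("bad client credentials")
        row = self.oauth_code.pop(code, None)  # single use: the row is deleted whatever happens next
        if row is None:
            raise PermissionError("unknown or already used code")
        code_client, user, code_uri, expires_at = row
        if code_client != client_id or code_uri != redirect_uri:
            raise PermissionError("code was issued to a different client or redirect_uri")
        if self.clock() > expires_at:
            raise PermissionError("code expired (code-ttl)")
        token = secrets.token_urlsafe(32)
        self.oauth_token[token] = (client_id, user, self.clock() + self.token_ttl)
        return token

    def resolve_token(self, token: str) -> str | None:
        """User for a live token; None for unknown or expired ones (expired rows are dropped)."""
        row = self.oauth_token.get(token)
        if row is None:
            return None
        _client_id, user, expires_at = row
        if self.clock() > expires_at:
            del self.oauth_token[token]
            return None
        return user


def rejected(call) -> bool:
    try:
        call()
    except PermissionError:
        return True
    return False


def demo() -> dict[str, bool]:
    """Runs the happy path and the failure modes against the Admin panel client from the config."""
    clock = FakeClock()
    admin = OAuthClient("123", "234", "https://admin-panel-public-url.com/ssoCallback")
    store = SsoStore(clients={admin.client_id: admin}, clock=clock)
    uri = admin.redirect_uri
    code = store.issue_code("123", uri, user="alice")
    token = store.exchange_code("123", "234", code, uri)
    out = {"token_resolves": store.resolve_token(token) == "alice"}
    out["replay_rejected"] = rejected(lambda: store.exchange_code("123", "234", code, uri))
    out["bad_secret_rejected"] = rejected(lambda: store.exchange_code("123", "wrong", store.issue_code("123", uri, "alice"), uri))
    out["uri_mismatch_rejected"] = rejected(lambda: store.issue_code("123", "https://admin-panel-public-url.com/other", "alice"))
    stale = store.issue_code("123", uri, "alice")
    clock.now += 31  # past both code-ttl and token-ttl
    out["stale_code_rejected"] = rejected(lambda: store.exchange_code("123", "234", stale, uri))
    out["expired_token_dropped"] = store.resolve_token(token) is None
    return out
```

Note the secret comparison uses hmac.compare_digest rather than ==, and that a code row is removed on the first exchange attempt even when that attempt fails, so a stolen code cannot be retried.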
Config
Application's config:
chatbots.sso-server {
host: "" # publicly visible host of the SSO Server (host only, without scheme or path), used for generating links
is-https: true # whether the SSO Server is served over HTTPS; selects the scheme of the generated links
db {
url: "jdbc:postgresql://HOST:PORT/chatbots-sso",
user: "USER",
password: "PASSWORD"
max-connections: 3
}
# OAuth code time-to-live
code-ttl: 30s
# Access token time-to-live
token-ttl: 30s
# OAuth clients
clients: [
# Admin panel
{
# client id and secret have to match those in the Admin panel's config (chatbots.admin.sso-server);
# the values below are placeholders, use a long random secret in production and keep it out of version control
client-id: "123"
client-secret: "234"
redirect-uri: "https://admin-panel-public-url.com/ssoCallback"
}
]
spnego {
# Kerberos service principal of the SSO Server, in the SPNEGO convention HTTP/<fqdn>@<REALM>
principal: ""
# Path to the keytab holding the key of that principal; it is a credential, keep it readable by the service account only
keytab: ""
# (Optional) Path to the Kerberos configuration file (krb5.conf); required when ldap.use-keytab is true
krb-file: ""
}
ldap {
# LDAP host
host: "HOST"
# LDAP port, usually 389 for a plain connection and 636 for LDAPS; it has to agree with use-ssl
port: 636
# Connection timeout in ms; 0 means no timeout, so a slow directory can stall logins indefinitely
timeout: 0
# Flag indicating whether the connection should use TLS (LDAPS)
use-ssl: true
# (Optional) Path to the certificate (PEM) used for the TLS connection; required when use-ssl is true
cert-path: "/path/to/cert.pem"
# Flag indicating whether the keytab (spnego.keytab) should be used to authenticate to LDAP; requires spnego.krb-file
use-keytab: true
# (Optional) Full bind DN, e.g. CN=User,CN=Users,DC=domain,DC=local (required when use-keytab is false)
username: ""
# (Optional) Bind password (required when use-keytab is false)
password: ""
# Base distinguished name (DN) under which users are searched
base-dn: "dc=domain,dc=local"
# Additional user filter, may be empty
users-filter: "(&(objectCategory=person)(objectClass=user))"
# Attribute containing the username
username-attribute: "sAMAccountName"
# Attribute containing the roles (group memberships)
role-attribute: "memberOf"
# Role prefix: only roles starting with it are considered, other roles are ignored (an empty prefix matches every role)
role-prefix: ""
# Role pattern: it must have either exactly 2 unnamed groups (1st: organization, 2nd: role) or 2 named groups (org: organization, role: role)
role-pattern: "([^_]+)_([^_]+)"
}
entra-id {
tenant-id: ""
client-id: ""
client-secret: ""
}
}
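An added example, not the SSO Server's own code, of how ldap.role-prefix and ldap.role-pattern turn the values of ldap.role-attribute (memberOf, which holds group DNs) into (organization, role) pairs, following the config comments above. Two things the page does not spell out are assumed here and marked in the code: the prefix is stripped before the pattern is applied, and the pattern must match the whole remaining group name. The function names and the memberOf values are mine, the latter constructed.

```python
"""Added example (not project code): role extraction driven by role-prefix / role-pattern.
Assumptions: prefix stripped before matching, whole-name match, constructed memberOf data."""
from __future__ import annotations

import re

_CN_RDN = re.compile(r"^CN=((?:\\.|[^,])*)", re.IGNORECASE)


def group_name(dn: str) -> str:
    """memberOf holds group DNs; the role name is the CN of the first RDN.
    Escaped commas (CN=Ops\\, Team) stay inside the name."""
    m = _CN_RDN.match(dn.strip())
    if not m:
        raise ValueError(f"group DN does not start with CN=: {dn!r}")
    return m.group(1).replace("\\,", ",")


def compile_role_pattern(pattern: str) -> re.Pattern:
    """Enforces the documented shape: exactly 2 unnamed groups, or named groups org and role."""
    rx = re.compile(pattern)
    if rx.groups != 2:
        raise ValueError(f"role-pattern needs exactly 2 groups, found {rx.groups}")
    if rx.groupindex and set(rx.groupindex) != {"org", "role"}:
        raise ValueError("named groups must be exactly 'org' and 'role'")
    return rx


def pattern_is_valid(pattern: str) -> bool:
    """Config check to run at startup rather than at the first login."""
    try:
        compile_role_pattern(pattern)
        return True
    except (re.error, ValueError):
        return False


def extract_roles(member_of: list[str], role_prefix: str, role_pattern: str) -> list[tuple[str, str]]:
    rx = compile_role_pattern(role_pattern)
    roles: list[tuple[str, str]] = []
    for dn in member_of:
        name = group_name(dn)
        if not name.startswith(role_prefix):  # "other roles are ignored"
            continue
        m = rx.fullmatch(name[len(role_prefix):])  # assumption: prefix stripped, whole-name match
        if m is None:
            continue  # a group that is not an organization_role pair
        if rx.groupindex:
            roles.append((m.group("org"), m.group("role")))
        else:
            roles.append((m.group(1), m.group(2)))
    return roles


# Constructed sample memberOf attribute of one user (not real directory data).
SAMPLE_MEMBER_OF = [
    "CN=acme_admin,OU=Groups,DC=domain,DC=local",
    "CN=acme_viewer,OU=Groups,DC=domain,DC=local",
    "CN=CB_beta_ops,OU=Groups,DC=domain,DC=local",     # only relevant with role-prefix "CB_"
    "CN=Domain Users,CN=Users,DC=domain,DC=local",     # no underscore: the pattern does not match
    "CN=beta_ops_extra,OU=Groups,DC=domain,DC=local",  # three segments: not an org_role pair
]

if __name__ == "__main__":
    print(extract_roles(SAMPLE_MEMBER_OF, "", "([^_]+)_([^_]+)"))
    print(extract_roles(SAMPLE_MEMBER_OF, "CB_", "(?P<org>[^_]+)_(?P<role>[^_]+)"))
```

With the default pattern and an empty prefix the sample yields (acme, admin) and (acme, viewer); with the prefix CB_ and the named-group form it yields only (beta, ops). Validating role-pattern up front matters because a pattern with the wrong number of groups would otherwise fail only when a user logs in.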
Other required configurations:
None
Play Framework config
More information about Play Framework can be found in the Play Framework configuration section.
Job execution
None
Troubleshooting
Nothing yet