SSORule CRD
SSORule CRD can be used to configure OAuth or SAML specific properties for L7 virtual services that are created by the
AKO
from Kubernetes Ingress and Openshift Route objects. The SSORule CRD specifies an fqdn
field, which is used to attach the SSORule
to a virtual service. A given SSORule
is applied to a virtual service if the virtual service hosts the fqdn specified in the SSORule
CRD object.The
SSORule
CRD can be used to configure either OAuth/OIDC properties or SAML service provider properties, along with the SSO policy. A sample SSORule
CRD object with OAuth/OIDC properties looks like this:apiVersion: ako.vmware.com/v1alpha2 kind: SSORule metadata: name: my-ssorule namespace: default spec: fqdn: my-ssorule.test.com oauthVsConfig: cookieName: OAUTH_XYZ cookieTimeout: 120 logoutURI: https://my-ssorule.test.com/oauth/logout oauthSettings: - appSettings: clientID: my-client-id clientSecret: my-oauth-secret oidcConfig: oidcEnable: true profile: true userinfo: true scopes: ["scope1"] authProfileRef: okta-oauth resourceServer: accessType: ACCESS_TOKEN_TYPE_OPAQUE introspectionDataTimeout: 60 opaqueTokenParams: serverID: my-server-id serverSecret: my-oauth-secret redirectURI: https://my-ssorule.test.com/oauth/callback postLogoutRedirectURI: https://my-ssorule.test.com/oauth/postLogoutRedirectURI ssoPolicyRef: oauth
A sample
SSORule
CRD object with SAML properties looks like this:apiVersion: ako.vmware.com/v1alpha2 kind: SSORule metadata: name: my-ssorule namespace: default spec: fqdn: my-ssorule.test.com samlSpConfig: authnReqAcsType: SAML_AUTHN_REQ_ACS_TYPE_NONE cookieName: saml-cookie cookieTimeout: 120 entityID: my-ssorule.test.com singleSignonURL: https://my-ssorule.test.com/sso/acs/ signingSslKeyAndCertificateRef: my-test-app-secret useIdpSessionTimeout: false ssoPolicyRef: saml-app
The
SSORule
CRD is supported only for Avi Load Balancer Controller
version 22.1.3 and above. It only supports the configuration of OAuth and SAML SSO protocols currently. Also, the SSORule
CRD is only supported for Enhanced Virtual Hosting (EVH). When the shard virtual service size is LARGE
or MEDIUM
or SMALL
, the OAuth and SAML settings will only be configured on the EVH child virtual services.Specific Usage of SSORule CRD
SSORule CRD can be created in a given namespace where the operator intends to have more control. The section below walks over the details and associated rules for using each field of the SSORule CRD.
SSORule to VS Matching Using FQDN
A given SSORule is applied to a virtual service if the VS hosts the fqdn mentioned in the
SSORule
CRD. This FQDN must exactly match the one the virtual service is hosting.fqdn: my-ssorule.test.com
Express OAuth/OIDC Configuration for Virtual Service
The
SSORule
CRD can be used to configure the OAuth/OIDC properties of an L7 virtual service. The OAuth/OIDC configuration needs to be specified in the oauthVsConfig
field.oauthVsConfig: cookieName: OAUTH_XYZ cookieTimeout: 120 logoutURI: https://my-ssorule.test.com/oauth/logout oauthSettings: - appSettings: clientID: my-client-id clientSecret: my-oauth-secret oidcConfig: oidcEnable: true profile: true userinfo: true scopes: ["scope1"] authProfileRef: okta-oauth resourceServer: accessType: ACCESS_TOKEN_TYPE_OPAQUE introspectionDataTimeout: 60 opaqueTokenParams: serverID: my-server-id serverSecret: my-oauth-secret redirectURI: https://my-ssorule.test.com/oauth/callback postLogoutRedirectURI: https://my-ssorule.test.com/oauth/postLogoutRedirectURI
The properties under the
oauthVsConfig
field are discussed in detail below:- Express Name for Authorized Session Cookie
- The cookieName property can be used to express the name of HTTP cookie for an authorized session. If this field is not specified,Avi Load Balancerwill create the authorized session cookie with a random name.cookieName: OAUTH_XYZ
- Express Timeout for Authorized Session Cookie
- ThecookieTimeoutproperty can be used to specify the HTTP cookie timeout in minutes for an authorized session. It supports values from 1 to 1440 and defaults to 60.cookieTimeout: 120
- Express Logout URI for OAuth
- ThelogoutURIproperty can be used to express the URI that will trigger OAuth logout.logoutURI: https://my-ssorule.test.com/oauth/logout
- Express Application and IDP settings for OAuth/OIDC
- TheoauthSettingsproperty can be used to express the application specific OAuth configuration and Identity Provider (IDP) settings for OAuth/OIDC. The application specific properties are specified as a list ofappSettingsproperties.
- Express Client ID
- TheclientIDproperty can be used to express the client ID for the application. It is an application-specific identifier registered with the authorization server or Identity Provider (IDP).clientID: my-client-id
- Express Client Secret
- TheclientSecretfield can be used to express the client secret for the application. It is an application specific identifier secret registered with the authorization server, or IDP. Since clientSecret is a sensitive field inAvi Load Balancer,AKOrequires it to be specified inside a Kubernetes Secret object. So, thisclientSecretfield must be the name of the Kubernetes secret object that specifies the actual client secret value (Base64 encoded) in the clientSecret data field. This Kubernetes secret object must be created in the same namespace as the SSORule.clientSecret: my-oauth-secretA sample Kubernetes secret object, with the actual value for client and secret (Base64 encoded) in theclientSecretdata field is shown below:apiVersion: v1 data: clientSecret: bXktY2xpZW50LXNlY3JldA== serverSecret: bXktc2VydmVyLXNlY3JldA== kind: Secret metadata: name: my-oauth-secret type: Opaque
- Express OpenID Connect Configuration
- The oidcConfig property can be used to express OpenID Connect specific configuration.oidcConfig: oidcEnable: true profile: true userinfo: true
- oidcEnable: If set to true, adds OpenID as one of the scopes enabling the OpenID Connect flow.
- profile: If set to true, will allow fetching profile information by enabling profile scope. It is set to true by default.
- userinfo: If set to true, will allow fetching profile information from the Userinfo Endpoint.
- Express Scope for OAuth
- The scopes property can be used to express the scope for OAuth to give limited access to the application.scopes: ["scope1"]
- Express Authentication Profile for OAuth
- SSORule CRD can be used to express the authentication profile reference for OAuth. The authentication profile must be created in theAvi Load Balancer Controllerbefore referring to it.authProfileRef: okta-oauthThe Auth Profile must specify all the endpoints and configurations associated with the Identity Provider (IDP) and will be used for validating users.
- Express Resource Server OAuth Configuration
- TheaccessTypeproperty can be used to express the access token type. The access token type can either beopaqueor JWT.accessType: ACCESS_TOKEN_TYPE_OPAQUEOraccessType: ACCESS_TOKEN_TYPE_JWT
- Express Introspection Data Timeout
- TheintrospectionDataTimeoutproperty can be used to set the lifetime of the cached introspection data in minutes. It supports values from Zero (0) to 1440 and defaults to Zero (0). However, it will be set only if the access token type is opaque.introspectionDataTimeout: 60
- Express Opaque Token Parameters
- TheopaqueTokenParamsproperty must be specified if theaccessTypeproperty isACCESS_TOKEN_TYPE_OPAQUE. It can be used to express the validation parameters to be used when the access token type is opaque. This Kubernetes secret object must be created in the same namespace as theSSORule.opaqueTokenParams: serverID: my-server-id serverSecret: my-oauth-secretTheserverIDproperty can be used to express the server ID for the resource server. It is the resource server specific identifier registered with the authorization server or Identity Provider(IDP), and is used to validate against the introspection endpoint when the access token type is opaque. TheserverSecretfield can be used to express the server secret for the resource server. It is a resource server specific identifier secret registered with the authorization server, or IDP. SinceserverSecretis a sensitive field inAvi Load Balancer,AKOrequires it to be specified inside a Kubernetes Secret object. So, this serverSecret field must be the name of the Kubernetes secret object that specifies the actual server secret value (Base64 encoded) in theserverSecretdata field. This Kubernetes secret object must be created in the same namespace as the SSORule. The server and client secrets can be specified in the same or different Kubernetes objects, as already shown in Express Client Secret.
- Express Redirect URI for OAuth
- SSORule CRD can be used to express the redirect URI that is specified in the request to the authorization server or Identity Provider (IDP). The redirect URI is the callback entry point of the application where the authorization server sends the user once the application has been successfully authorized and granted an authorization code.redirectURI: https://my-ssorule.test.com/oauth/callback
- Express Post Logout Redirect URI for OAuth
- SSORuleCRD can be used to express the post-logout redirect URI for the application. It is the URI to which the Identity Provider (IDP) will redirect after application logs out of the IDP.postLogoutRedirectURI: https://my-ssorule.test.com/oauth/postLogoutRedirectURI
- Express Application Specific SAML configuration
- SSORule CRD can be used to express the application specific configuration, namely, SAML service provider configuration for the L7 virtual service. The SAML service provider configuration needs to be specified in the samlSpConfig field.samlSpConfig: acsIndex: 64 authnReqAcsType: SAML_AUTHN_REQ_ACS_TYPE_INDEX cookieName: saml-cookie cookieTimeout: 120 entityID: my-ssorule.test.com singleSignonURL: https://my-ssorule.test.com/sso/acs/ signingSslKeyAndCertificateRef: my-test-app-secret useIdpSessionTimeout: falseThe properties under the samlSpConfig field are discussed in detail below.
- Express Assertion Consumer Service Index
- TheacsIndexproperty can be used to express the index to be used in theAssertionConsumerServiceIndexattribute of the authentication request. It will be set only if theauthnReqAcsTypeis set toSAML_AUTHN_REQ_ACS_TYPE_INDEX. It supports values from 0 to 64.acsIndex: 64
- Express Assertion Consumer Service Type for Authentication Request
- TheauthnReqAcsTypeproperty can be used to express the assertion consumer service type for authentication requests. It will determine theACSattributes that will be set in the authentication request. It supports the following three values:ValueDescriptionSAML_AUTHN_REQ_ACS_TYPE_NONENoACSattributes will be set in the SAML authentication requestSAML_AUTHN_REQ_ACS_TYPE_URLTheAssertionConsumerServiceURLattribute will be set in the SAML authentication request. TheACSURL must be equal to the single sign on URL set for the virtual serviceSAML_AUTHN_REQ_ACS_TYPE_INDEXTheAssertionConsumerServiceIndexattribute of the SAML authentication request will be set with the value specified in theacsIndexproperty
- Express Name for Authenticated Session Cookie
- ThecookieNameproperty can be used to express the name of HTTP cookie for an authenticated session. If this field is not specified,Avi Load Balancerwill create the authenticated session cookie with a random name.cookieName: saml-cookie
- Express Timeout for Authenticated Session Cookie
- The cookieTimeout property can be used to specify the timeout for HTTP cookie in minutes for an authenticated session. It supports values from 1 to 1440 and defaults to 60.cookieTimeout: 120
- Express Entity IP for SAML Service Provider Application
- TheentityIDproperty can be used to express the globally unique entity ID for the SAML Service Provider application. The SAML application entity ID on the Identity Provider (IDP) must match this.entityID: my-ssorule.test.com
- Express SslKeyAndCertificateRef for SAML Service Provider Application
- ThesigningSslKeyAndCertificateRefproperty can be used to expressSslKeyAndCertificatereference for the SAML Service Provider application. TheSslKeyAndCertificatemust be created in theAvi Load Balancer Controllerbefore referring to it. The service provider will use this SSL certificate to sign requests going to the Identity Provider (IDP) and decrypt the assertions coming from IDP.signingSslKeyAndCertificateRef: my-test-app-secret
- Express Single Sign on URL for SAML
- ThesingleSignonURLproperty can be used to express the single sign on URL for the application. It specifies the endpoint to receive the authentication response and the destination endpoint to be configured for the application on the IDP. If theauthnReqAcsTypeis set toSAML_AUTHN_REQ_ACS_TYPE_URL, this endpoint will be sent in theAssertionConsumerServiceURLattribute of the authentication request.singleSignonURL: https://my-ssorule.test.com/sso/acs/
- Express IDP Control for Service Provider Session Timeout
- TheuseIdpSessionTimeoutproperty can be used to enable the Identity Provider (IDP) to control the duration in which the Service Provider (SP) session can exist through theSessionNotOnOrAfterfield in theAuthNStatementof the SAML Response.useIdpSessionTimeout: false
- Express SSO Policy for the Virtual Service
- The SSORule CRD can be used to express the SSO policy reference for the virtual service. The SSO Policy must be created in theAvi Load Balancer Controllerbefore referring to it. The SSO policy can be of type OAUTH or SAML, depending on the SSO protocol that needs to be configured for the virtual service.ssoPolicyRef: my-sso-policyTheoauthVsConfigandsamlSpConfigare one of fields, and only one of them can be configured since a virtual service can specify either OAuth or SAML as the SSO protocol.
Status Messages
The status messages are used to give instantaneous feedback to the users about the reference objects specified in the SSORule CRD.
Following are some sample status messages:
$ kubectl get ssorule NAME STATUS AGE my-sso-rule Accepted 3d5s
Accepted SSORule Object
$ kubectl get ssorule NAME STATUS AGE my-sso-rule Accepted 3d5s
An SSORule is accepted only when all the reference objects specified inside it exist in the
Avi Load Balancer Controller
.Rejected SSORule object
$ kubectl get ssorule NAME STATUS AGE my-sso-rule-alt Rejected 2d23h
The detailed rejection reason can be obtained from the status:
status: error: authprofile "okta-oauth" not found on controller status: Rejected
Caveats
- SSORule is only supported for Enhanced Virtual Hosting (EVH)SSORule CRD is only supported for Enhanced Virtual Hosting (EVH). The OAuth and SAML settings will only be configured on virtual services when EVH is enabled. When shard virtual service size isLARGEorMEDIUMorSMALL, the OAuth and SAML settings will only be configured on the EVH child virtual services.
- SSORule can get rejected on OpensShift ifuseDefaultSecretsOnlyistruein theAKOconfigurationAn SSORule, created on an OpenShift cluster to configure OAuth settings for a virtual service, might get rejected ifuseDefaultSecretsOnlyis set totrueinAKOconfiguration. This is becauseAKOwill only handle default secrets in the namespace whereAKOis installed.
- SSORule deletionIf an SSORule is deleted, all the settings for the FQDNs are withdrawn from theAvi Load Balancer Controller.
- SSORule admissionAn SSORule CRD is only admitted if all the objects referenced in it exist in theAvi Load Balancer Controller. If, after admission, the object references are deleted out-of-band, theAKOdoes not re-validate the associated SSORule CRD objects. The user needs to manually edit or delete the object, for new changes to take effect.
- Duplicate FQDN rulesTwo SSORule CRDs cannot be used for the same FQDN information across namespaces. IfAKOfinds a duplicate FQDN in more than one SSORule,AKOhonours the first SSORule that gets created and rejects the others. In the case ofAKOreboots, the CRD that gets honoured might not be the same as the one honoured earlier.