doc/source/admin/integration.rst - atmosphere - Gitiles

 #################
 Integration Guide
 #################

 This section provides detailed instructions on integrating external systems
 and services with Atmosphere, enhancing functionality and streamlining workflows.

 ********
 Keycloak
 ********

 Keycloak serves as a comprehensive identity and access management solution,
 facilitating the integration of various identity providers for centralized user
 authentication and authorization. By leveraging federated identity, Keycloak enables
 seamless Single Sign-On (SSO) capabilities across a suite of applications, enhancing
 the user experience and bolstering security measures.

 Identity Providers
 ==================

 Incorporating identity providers into Keycloak allows users to authenticate via trusted
 external sources. This federated authentication scheme simplifies the login process by
 using existing credentials, whether from enterprise directories like LDAP or other
 identity services.

 Azure AD
 --------

 Azure AD is recognized for its extensive adoption and integration within the enterprise
 ecosystem, offers a secure and familiar authentication method for countless users.

 You can begin the integration process by creating an application registration in Azure AD
 and configuring the necessary settings in Keycloak. The following steps outline the
 procedure:

 1. Sign in to the Azure portal and access the **Azure Active Directory** service.
 2. Navigate to **App registrations** and click **New registration**.
 3. Fill in the application name, select the account types it will serve, and
    specify a **Redirect URI**.

 At this point, you'll need to grab the **Redirect URI** from the Keycloak client settings
 using the following steps:

 1. Log into the Keycloak admin console using your administrator credentials.
 2. Switch to the ``atmosphere`` realm where you'll be configuring Azure AD.
 3. In the **Identity Providers** section, select **Add provider** and choose **Microsoft**.
 4. Keycloak will generate a **Redirect URI** which you will use in the Azure AD
    application registration process to ensure that authentication responses are
    correctly routed.

 At this point, you'll be able to finalize the Azure AD application registration by
 following these remaining steps:

 1. Return to the Azure AD application registration page and input the Redirect
    URI from Keycloak.
 2. After the application is registered, navigate to **Certificates & secrets**
    to create a client secret.
 3. Record the **Client ID** and **Client Secret** provided, as they will be
    needed to configure Keycloak.

 At this point, you're ready to configure Keycloak with the Azure AD settings:

 1. In the Keycloak admin console, navigate back to the `atmosphere` realm's
    **Identity Providers** section.
 2. For the Microsoft provider configuration, enter the **Client ID** and
    **Client Secret** obtained from Azure AD.
 3. Adjust any additional settings according to your requirements, such as the
    default scopes, mappers, and other provider-specific configurations.
 4. Save your changes to finalize the integration.

 By integrating Azure AD with Keycloak, you enable users to authenticate with
 their corporate credentials across all applications that are secured by
 Keycloak. This provides a consistent and secure user experience, leveraging
 the robust features of Azure AD within the flexible framework of Keycloak.

 For a deeper dive into the Azure AD configuration within Keycloak, consult the
 `Keycloak Microsoft Identity Provider documentation <https://www.keycloak.org/docs/latest/server_admin/#_microsoft>`_.

 *********************
 Neutron Policy Server
 *********************

 The `Neutron Policy Server <https://github.com/vexxhost/neutron-policy-server>`_ is a
 straightforward service that provides the ability to manage and enforce policy more
 complex policy rules inside Neutron.

 This service runs as a sidecar WSGI server that responds to ``oslo.policy`` ``HttpCheck``
 rules which are configured into the Neutron policy file.

 By default, the policy server is enabled and the Neutron policy is updated to include
 the necessary checks.  In order to disable the policy server, set the
 ``neutron_policy_server_integration_enabled`` variable to ``false`` in the deployment
 configuration.
	#################
	Integration Guide
	#################

	This section provides detailed instructions on integrating external systems
	and services with Atmosphere, enhancing functionality and streamlining workflows.

	********
	Keycloak
	********

	Keycloak serves as a comprehensive identity and access management solution,
	facilitating the integration of various identity providers for centralized user
	authentication and authorization. By leveraging federated identity, Keycloak enables
	seamless Single Sign-On (SSO) capabilities across a suite of applications, enhancing
	the user experience and bolstering security measures.

	Identity Providers
	==================

	Incorporating identity providers into Keycloak allows users to authenticate via trusted
	external sources. This federated authentication scheme simplifies the login process by
	using existing credentials, whether from enterprise directories like LDAP or other
	identity services.

	Azure AD
	--------

	Azure AD is recognized for its extensive adoption and integration within the enterprise
	ecosystem, offers a secure and familiar authentication method for countless users.

	You can begin the integration process by creating an application registration in Azure AD
	and configuring the necessary settings in Keycloak. The following steps outline the
	procedure:

	1. Sign in to the Azure portal and access the Azure Active Directory service.
	2. Navigate to App registrations and click New registration.
	3. Fill in the application name, select the account types it will serve, and
	specify a Redirect URI.

	At this point, you'll need to grab the Redirect URI from the Keycloak client settings
	using the following steps:

	1. Log into the Keycloak admin console using your administrator credentials.
	2. Switch to the ``atmosphere`` realm where you'll be configuring Azure AD.
	3. In the Identity Providers section, select Add provider and choose Microsoft.
	4. Keycloak will generate a Redirect URI which you will use in the Azure AD
	application registration process to ensure that authentication responses are
	correctly routed.

	At this point, you'll be able to finalize the Azure AD application registration by
	following these remaining steps:

	1. Return to the Azure AD application registration page and input the Redirect
	URI from Keycloak.
	2. After the application is registered, navigate to Certificates & secrets
	to create a client secret.
	3. Record the Client ID and Client Secret provided, as they will be
	needed to configure Keycloak.

	At this point, you're ready to configure Keycloak with the Azure AD settings:

	1. In the Keycloak admin console, navigate back to the `atmosphere` realm's
	Identity Providers section.
	2. For the Microsoft provider configuration, enter the Client ID and
	Client Secret obtained from Azure AD.
	3. Adjust any additional settings according to your requirements, such as the
	default scopes, mappers, and other provider-specific configurations.
	4. Save your changes to finalize the integration.

	By integrating Azure AD with Keycloak, you enable users to authenticate with
	their corporate credentials across all applications that are secured by
	Keycloak. This provides a consistent and secure user experience, leveraging
	the robust features of Azure AD within the flexible framework of Keycloak.

	For a deeper dive into the Azure AD configuration within Keycloak, consult the
	`Keycloak Microsoft Identity Provider documentation <https://www.keycloak.org/docs/latest/server_admin/#_microsoft>`_.

	*********************
	Neutron Policy Server
	*********************

	The `Neutron Policy Server <https://github.com/vexxhost/neutron-policy-server>`_ is a
	straightforward service that provides the ability to manage and enforce policy more
	complex policy rules inside Neutron.

	This service runs as a sidecar WSGI server that responds to ``oslo.policy`` ``HttpCheck``
	rules which are configured into the Neutron policy file.

	By default, the policy server is enabled and the Neutron policy is updated to include
	the necessary checks. In order to disable the policy server, set the
	``neutron_policy_server_integration_enabled`` variable to ``false`` in the deployment
	configuration.