#################
Integration Guide
#################

This section provides detailed instructions on integrating external systems
and services with Atmosphere, enhancing functionality and streamlining workflows.

********
Keycloak
********

Keycloak serves as a comprehensive identity and access management solution,
facilitating the integration of various identity providers for centralized user
authentication and authorization. By leveraging federated identity, Keycloak enables
seamless Single Sign-On (SSO) capabilities across a suite of applications, enhancing
the user experience and bolstering security measures.

Identity Providers
==================

Incorporating identity providers into Keycloak allows users to authenticate via trusted
external sources. This federated authentication scheme simplifies the login process by
using existing credentials, whether from enterprise directories like LDAP or other
identity services.

Azure AD
--------

Azure AD is recognized for its extensive adoption and integration within the enterprise
ecosystem and offers a secure and familiar authentication method for countless users.

You can begin the integration process by creating an application registration in Azure AD
and configuring the necessary settings in Keycloak. The following steps outline the
procedure:

1. Sign in to the Azure portal and access the **Azure Active Directory** service.
2. Navigate to **App registrations** and click **New registration**.
3. Fill in the application name, select the account types it will serve, and
   specify a **Redirect URI**.

At this point, you'll need to grab the **Redirect URI** from the Keycloak client settings
using the following steps:

1. Log into the Keycloak admin console using your administrator credentials.
2. Switch to the ``atmosphere`` realm where you'll be configuring Azure AD.
3. In the **Identity Providers** section, select **Add provider** and choose **Microsoft**.
4. Keycloak will generate a **Redirect URI** which you will use in the Azure AD
   application registration process to ensure that authentication responses are
   correctly routed.

At this point, you'll be able to finalize the Azure AD application registration by
following these remaining steps:

1. Return to the Azure AD application registration page and input the Redirect
   URI from Keycloak.
2. After the application is registered, navigate to **Certificates & secrets**
   to create a client secret.
3. Record the **Client ID** and **Client Secret** provided, as they will be
   needed to configure Keycloak.

At this point, you're ready to configure Keycloak with the Azure AD settings:

1. In the Keycloak admin console, navigate back to the ``atmosphere`` realm's
   **Identity Providers** section.
2. For the Microsoft provider configuration, enter the **Client ID** and
   **Client Secret** obtained from Azure AD.
3. Adjust any additional settings according to your requirements, such as the
   default scopes, mappers, and other provider-specific configurations.
4. Save your changes to finalize the integration.
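The same Keycloak-side configuration can be driven through the Keycloak admin REST API instead of the console. The following is an added example, not Atmosphere's or Keycloak's own code: it derives the broker Redirect URI that Azure AD must be given and builds the identity-provider payload. It assumes a Quarkus-era Keycloak URL without an ``/auth`` prefix, the provider alias ``microsoft``, and constructed client id/secret values.

```python
"""Added example (not Atmosphere's or Keycloak's own code).

Derives the Redirect URI Keycloak exposes for a broker alias and builds the
body for ``POST /admin/realms/{realm}/identity-provider/instances``.
Assumptions: Keycloak base URL has no ``/auth`` prefix; alias is ``microsoft``.
"""
import json
import urllib.request
from urllib.parse import urlparse

REALM = "atmosphere"
ALIAS = "microsoft"


def redirect_uri(base_url: str, realm: str = REALM, alias: str = ALIAS) -> str:
    """The broker endpoint shown in the admin console; Azure AD must hold
    exactly this value, so a plain-http base URL is rejected up front."""
    base = base_url.rstrip("/")
    if urlparse(base).scheme != "https":
        raise ValueError("Keycloak must be reachable over https for browser redirects")
    return f"{base}/realms/{realm}/broker/{alias}/endpoint"


def idp_payload(client_id: str, client_secret: str) -> dict:
    """IdentityProviderRepresentation for the Microsoft provider.
    ``trustEmail`` stays False so Keycloak still verifies the address itself."""
    if not client_id or not client_secret:
        raise ValueError("both the Azure AD client id and client secret are required")
    return {
        "alias": ALIAS,
        "providerId": "microsoft",
        "enabled": True,
        "trustEmail": False,
        "config": {"clientId": client_id, "clientSecret": client_secret},
    }


def create_idp(base_url: str, admin_token: str, client_id: str, client_secret: str) -> int:
    """Submit the payload with an admin bearer token; Keycloak answers 201 Created.
    (Network call; not exercised offline.)"""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/admin/realms/{REALM}/identity-provider/instances",
        data=json.dumps(idp_payload(client_id, client_secret)).encode(),
        headers={"Authorization": f"Bearer {admin_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status
```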

By integrating Azure AD with Keycloak, you enable users to authenticate with
their corporate credentials across all applications that are secured by
Keycloak. This provides a consistent and secure user experience, leveraging
the robust features of Azure AD within the flexible framework of Keycloak.

For a deeper dive into the Azure AD configuration within Keycloak, consult the
`Keycloak Microsoft Identity Provider documentation <https://www.keycloak.org/docs/latest/server_admin/#_microsoft>`_.

*********************
Neutron Policy Server
*********************

The `Neutron Policy Server <https://github.com/vexxhost/neutron-policy-server>`_ is a
straightforward service that makes it possible to manage and enforce more complex
policy rules inside Neutron.

This service runs as a sidecar WSGI server that responds to ``oslo.policy`` ``HttpCheck``
rules configured in the Neutron policy file.

By default, the policy server is enabled and the Neutron policy is updated to include
the necessary checks. To disable the policy server, set the
``neutron_policy_server_integration_enabled`` variable to ``false`` in the deployment
configuration.
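To show what such a sidecar actually receives and returns, here is an added example that is not the Neutron Policy Server's own code: a minimal decision function shaped like the endpoint an ``oslo.policy`` ``HttpCheck`` rule (a policy value of the form ``http://<policy-server>/<path>``) calls. oslo.policy POSTs ``rule``, ``target`` and ``credentials`` (form-urlencoded with JSON-encoded values by default, or as one JSON object) and treats a response body of ``True`` as allow. The rule name, ownership table and request are constructed placeholders, not the real project's rule set.

```python
"""Added example, not the Neutron Policy Server's own code: the shape of a
sidecar that answers an ``oslo.policy`` ``HttpCheck``. Both payload encodings
oslo.policy uses are accepted; anything malformed is denied (fail closed)."""
import json
from urllib.parse import parse_qs, urlencode

# Constructed ownership table; the real service consults Neutron's database.
SUBNET_OWNER = {"subnet-a": "proj-1", "subnet-b": "proj-2"}


def decode_check(body: bytes, content_type: str) -> dict:
    """Turn either oslo.policy payload encoding into {rule, target, credentials}."""
    if content_type.startswith("application/json"):
        return json.loads(body)
    # Default encoding: form fields whose values are themselves JSON documents.
    form = parse_qs(body.decode(), strict_parsing=True)
    return {k: json.loads(v[0]) for k, v in form.items()}


def decide(rule: str, target: dict, creds: dict) -> bool:
    """Constructed rule: every fixed IP on the port must reference a subnet owned
    by the calling project. Admins bypass; unknown rule names are denied."""
    if "admin" in creds.get("roles", []):
        return True
    if rule != "create_port:fixed_ips":
        return False
    for fixed_ip in target.get("fixed_ips", []):
        owner = SUBNET_OWNER.get(fixed_ip.get("subnet_id"))
        if owner is None or owner != creds.get("project_id"):
            return False
    return True


def respond(body: bytes, content_type: str = "application/x-www-form-urlencoded") -> str:
    """Body that oslo.policy's HttpCheck compares against the literal ``True``."""
    try:
        check = decode_check(body, content_type)
        allowed = decide(check["rule"], check["target"], check["credentials"])
    except (KeyError, ValueError, AttributeError, UnicodeDecodeError):
        allowed = False  # malformed request: deny rather than guess
    return "True" if allowed else "False"


# Constructed request: project proj-1 tries to use a subnet owned by proj-2.
SAMPLE_FORM = urlencode({
    "rule": json.dumps("create_port:fixed_ips"),
    "target": json.dumps({"fixed_ips": [{"subnet_id": "subnet-b"}]}),
    "credentials": json.dumps({"project_id": "proj-1", "roles": ["member"]}),
}).encode()
```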