#################
Integration Guide
#################

This section provides detailed instructions on integrating external systems
and services with Atmosphere, enhancing functionality and streamlining workflows.

********
Keycloak
********

Keycloak serves as a comprehensive identity and access management solution,
facilitating the integration of various identity providers for centralized user
authentication and authorization. By leveraging federated identity, Keycloak enables
seamless Single Sign-On (SSO) capabilities across a suite of applications, enhancing
the user experience and bolstering security measures.

Identity Providers
==================

Incorporating identity providers into Keycloak allows users to authenticate via trusted
external sources. This federated authentication scheme simplifies the login process by
using existing credentials, whether from enterprise directories like LDAP or other
identity services.

Azure AD
--------

Azure AD, recognized for its extensive adoption and integration within the enterprise
ecosystem, offers a secure and familiar authentication method for countless users.

You can begin the integration process by creating an application registration in Azure AD
and configuring the necessary settings in Keycloak. The following steps outline the
procedure:

1. Sign in to the Azure portal and access the **Azure Active Directory** service.
2. Navigate to **App registrations** and click **New registration**.
3. Fill in the application name, select the account types it will serve, and
   specify a **Redirect URI**.

At this point, you'll need to grab the **Redirect URI** from the Keycloak client settings
using the following steps:

1. Log into the Keycloak admin console using your administrator credentials.
2. Switch to the ``atmosphere`` realm where you'll be configuring Azure AD.
3. In the **Identity Providers** section, select **Add provider** and choose **Microsoft**.
4. Keycloak will generate a **Redirect URI** which you will use in the Azure AD
   application registration process to ensure that authentication responses are
   correctly routed.

At this point, you'll be able to finalize the Azure AD application registration by
following these remaining steps:

1. Return to the Azure AD application registration page and input the Redirect
   URI from Keycloak.
2. After the application is registered, navigate to **Certificates & secrets**
   to create a client secret.
3. Record the **Client ID** and **Client Secret** provided, as they will be
   needed to configure Keycloak.

At this point, you're ready to configure Keycloak with the Azure AD settings:

1. In the Keycloak admin console, navigate back to the ``atmosphere`` realm's
   **Identity Providers** section.
2. For the Microsoft provider configuration, enter the **Client ID** and
   **Client Secret** obtained from Azure AD.
3. Adjust any additional settings according to your requirements, such as the
   default scopes, mappers, and other provider-specific configurations.
4. Save your changes to finalize the integration.

By integrating Azure AD with Keycloak, you enable users to authenticate with
their corporate credentials across all applications that are secured by
Keycloak. This provides a consistent and secure user experience, leveraging
the robust features of Azure AD within the flexible framework of Keycloak.

For a deeper dive into the Azure AD configuration within Keycloak, consult the
`Keycloak Microsoft Identity Provider documentation <https://www.keycloak.org/docs/latest/server_admin/#_microsoft>`_.

*********************
Neutron Policy Server
*********************

The `Neutron Policy Server <https://github.com/vexxhost/neutron-policy-server>`_ is a
straightforward service that provides the ability to manage and enforce more
complex policy rules inside Neutron.

This service runs as a sidecar WSGI server that responds to ``oslo.policy`` ``HttpCheck``
rules which are configured into the Neutron policy file.
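
As an added illustration (not code from the Neutron Policy Server project), the sketch
below shows the request an ``HttpCheck`` rule sends to a sidecar and a fail-closed way
to answer it. The ownership rule in ``decide`` and all helper names are assumptions
made for this example.

```python
import io
import json
from urllib.parse import parse_qs, urlencode


def decide(rule, target, creds):
    # Hypothetical decision, for illustration only: the caller may touch
    # only resources that belong to its own project.
    owner = target.get("project_id")
    return bool(owner) and owner == creds.get("project_id")


def parse_check(content_type, body):
    """Return (rule, target, credentials) from an HttpCheck POST body."""
    if content_type.startswith("application/json"):
        doc = json.loads(body)
        return doc["rule"], doc["target"], doc["credentials"]
    # oslo.policy default: form fields, each holding a JSON document.
    form = parse_qs(body.decode())
    return tuple(json.loads(form[k][0]) for k in ("rule", "target", "credentials"))


def app(environ, start_response):
    allowed = False
    try:
        if environ["REQUEST_METHOD"] == "POST":
            size = int(environ.get("CONTENT_LENGTH") or 0)
            body = environ["wsgi.input"].read(size)
            allowed = decide(*parse_check(environ.get("CONTENT_TYPE", ""), body))
    except (KeyError, ValueError, TypeError, AttributeError):
        allowed = False  # malformed request: fail closed
    # HttpCheck passes only when the response text is "True".
    text = b"True" if allowed else b"False"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(text)))])
    return [text]


def ask(body, content_type="application/x-www-form-urlencoded"):
    """Drive the app in-process (no socket) and return the response text."""
    environ = {"REQUEST_METHOD": "POST", "CONTENT_TYPE": content_type,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    return b"".join(app(environ, lambda status, headers: None)).decode()


def form_body(rule, target, creds):
    """Constructed sample: the form body oslo.policy would send."""
    return urlencode({"rule": json.dumps(rule), "target": json.dumps(target),
                      "credentials": json.dumps(creds)}).encode()
```

Any response other than ``True`` is treated by ``oslo.policy`` as a denial, so a handler
that answers ``False`` on every parsing error never widens access by accident.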
89
90By default, the policy server is enabled and the Neutron policy is updated to include
91the necessary checks. In order to disable the policy server, set the
92``neutron_policy_server_integration_enabled`` variable to ``false`` in the deployment
93configuration.