github.com/caos/orbos@v1.5.14-0.20221103111702-e6cd0cea7ad4/docs/boom/sso-examples.md

# Examples to use SSO

These YAML fragments are only examples and many additional settings are possible, but they should cover the most common cases. Every fragment shown on its own below belongs under `spec:` of the `Toolset` resource from the first example.

First of all, every application needs a DNS record, which is defined as follows, using grafana as the example:

```yaml
apiVersion: boom.caos.ch/v1beta1
kind: Toolset
metadata:
  name: caos
  namespace: caos-system
spec:
  grafana:
    deploy: true
    network:
      domain: grafana.example.caos.ch
      email: "hi@caos.ch"
      acmeAuthority: "https://acme-staging-v02.api.letsencrypt.org/directory"
```

The same for argocd:

```yaml
argocd:
  deploy: true
  network:
    domain: argocd.example.caos.ch
    email: "hi@caos.ch"
    acmeAuthority: "https://acme-staging-v02.api.letsencrypt.org/directory"
```

Note that `acmeAuthority` in these examples points at the Let's Encrypt staging environment, whose certificates are not trusted by browsers; for a production setup use the production directory `https://acme-v02.api.letsencrypt.org/directory`. The redirectURIs registered at the IDP below must use `https://` and exactly the domain configured under `network`, otherwise the IDP rejects the login.

# Grafana

In the IDP used for authentication there has to be a registered client with a clientID and clientSecret, and a registered redirectURI. This redirectURI should be *domain-for-grafana*/login/*id*, for example with google: "https://grafana.example.caos.ch/login/google".
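The auth fragments in this document reference Kubernetes secrets by name and key but never show them. As an added example that is not part of the original page or the orbos project, this is the secret that a grafana google configuration with `existingClientIDSecret` and `existingClientSecretSecret` pointing at `google-auth` would read. The namespace `caos-system` (the namespace of the Toolset) and the placeholder values are assumptions; the real values are the client credentials issued when the client is registered at the IDP.

```yaml
# Added example (not from the orbos docs): Secret holding the OAuth client
# credentials referenced via existingClientIDSecret / existingClientSecretSecret.
# The namespace and the placeholder values are assumptions.
apiVersion: v1
kind: Secret
metadata:
  name: google-auth          # matches existingClientIDSecret.name / existingClientSecretSecret.name
  namespace: caos-system     # assumption: same namespace as the Toolset
type: Opaque
# stringData lets the values be written in plain text; the API server stores
# them base64-encoded (not encrypted) under data.
stringData:
  client_id: "REPLACE_WITH_CLIENT_ID"          # key referenced as existingClientIDSecret.key
  client_secret: "REPLACE_WITH_CLIENT_SECRET"  # key referenced as existingClientSecretSecret.key
```

The same shape, with `name: gitlab-auth`, `github-auth` or `oidc-auth`, serves the other providers. Because the values are only base64-encoded in the cluster, keep this manifest out of the git repository that holds the Toolset (or encrypt it before committing) and restrict RBAC read access to secrets in that namespace.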

All configuration for SSO is under the "auth" attribute, and the domain under "network" has to be set correctly so that the redirect back from the IDP works:

```yaml
apiVersion: boom.caos.ch/v1beta1
kind: Toolset
metadata:
  name: caos
  namespace: caos-system
spec:
  grafana:
    deploy: true
    auth:
```

The fragments in the following sections go under this `auth:` key. The client credentials are not written into the Toolset itself; they are read from existing Kubernetes secrets referenced by `existingClientIDSecret` and `existingClientSecretSecret`.

## Google

When using google as IDP there is the possibility to limit the allowed hosted domains. Without `allowedDomains`, any Google account can log in:

```yaml
google:
  existingClientIDSecret:
    name: google-auth
    key: client_id
  existingClientSecretSecret:
    name: google-auth
    key: client_secret
  allowedDomains:
    - caos.ch
```

## Gitlab

When using gitlab as IDP there is the possibility to limit the allowed groups. Without `allowedGroups`, any user of the GitLab instance can log in:

```yaml
gitlab:
  existingClientIDSecret:
    name: gitlab-auth
    key: client_id
  existingClientSecretSecret:
    name: gitlab-auth
    key: client_secret
  allowedGroups:
    - caos
```

## Github

When using github as IDP there is the possibility to limit the allowed organizations. Without `allowedOrganizations`, any GitHub user can log in:

```yaml
github:
  existingClientIDSecret:
    name: github-auth
    key: client_id
  existingClientSecretSecret:
    name: github-auth
    key: client_secret
  allowedOrganizations:
    - caos
```

## GenericOIDC

To use any generic OIDC provider as IDP, fill in the provider's authorization, token and userinfo endpoints (left empty in this example). For Grafana's generic OAuth login the redirectURI to register at the IDP is *domain-for-grafana*/login/generic_oauth:

```yaml
genericOAuth:
  existingClientIDSecret:
    name: oidc-auth
    key: client_id
  existingClientSecretSecret:
    name: oidc-auth
    key: client_secret
  scopes:
    - openid
    - profile
    - email
  authURL:
  tokenURL:
  apiURL:
  allowedDomains:
    - mycompany.com
    - mycompany.org
```

# Argocd

In the IDP used for authentication there has to be a registered client with a clientID and clientSecret, and a registered redirectURI. For the google, gitlab and github connectors below the redirectURI is *domain-for-argocd*/api/dex/callback, for example: "https://argocd.example.caos.ch/api/dex/callback".

All configuration for SSO is under the "auth" attribute:

```yaml
apiVersion: boom.caos.ch/v1beta1
kind: Toolset
metadata:
  name: caos
  namespace: caos-system
spec:
  argocd:
    deploy: true
    auth:
```

The fragments in the following sections go under this `auth:` key. Unlike the grafana examples, the google, gitlab and github entries carry an `id`, a display `name` and the provider settings under `config`.

## Google

When using google as IDP there is the possibility to limit the allowed hosted domains. Without `hostedDomains`, any Google account can log in:

```yaml
google:
  id: google
  name: google
  config:
    existingClientIDSecret:
      name: google-auth
      key: client_id
    existingClientSecretSecret:
      name: google-auth
      key: client_secret
    hostedDomains:
      - caos.ch
```

## Gitlab

When using gitlab as IDP there is the possibility to limit the allowed groups:

```yaml
gitlab:
  id: gitlab
  name: gitlab
  config:
    existingClientIDSecret:
      name: gitlab-auth
      key: client_id
    existingClientSecretSecret:
      name: gitlab-auth
      key: client_secret
    groups:
      - caos
```

## Github

When using github as IDP there is the possibility to limit the allowed organizations:

```yaml
github:
  id: github
  name: github
  config:
    existingClientIDSecret:
      name: github-auth
      key: client_id
    existingClientSecretSecret:
      name: github-auth
      key: client_secret
    orgs:
      - name: caos
```

## OIDC

To use any generic OIDC provider as IDP. `Issuer` must be the provider's issuer URL (the value `test` below is only a placeholder), and the redirectURI to register is the one Argo CD uses for its direct OIDC integration, *domain-for-argocd*/auth/callback, rather than the Dex callback used by the connectors above:

```yaml
oidc:
  Name: unique
  Issuer: test
  existingClientIDSecret:
    name: oidc-auth
    key: client_id
  existingClientSecretSecret:
    name: oidc-auth
    key: client_secret
  RequestedScopes:
    - openid
    - profile
    - email
  # optional
  RequestedIDTokenClaims:
    groups:
      essential: true
```
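Putting the fragments together, as an added example that is not part of the original page: one Toolset that enables grafana with google login restricted to a hosted domain and argocd with the github connector restricted to one organization, showing how `network` and `auth` sit next to each other for each tool and which redirectURI belongs to which. Domains, secret names, the hosted domain and the organization are taken from the examples above; the production ACME directory is an assumption, chosen because the staging directory yields certificates browsers do not trust.

```yaml
# Added example (not from the orbos docs): a complete Toolset assembled from
# the fragments above. Assumptions: production ACME directory and that the
# referenced secrets already exist in the cluster.
apiVersion: boom.caos.ch/v1beta1
kind: Toolset
metadata:
  name: caos
  namespace: caos-system
spec:
  grafana:
    deploy: true
    network:
      domain: grafana.example.caos.ch
      email: "hi@caos.ch"
      acmeAuthority: "https://acme-v02.api.letsencrypt.org/directory"  # assumption: production CA
    auth:
      # redirectURI to register at Google: https://grafana.example.caos.ch/login/google
      google:
        existingClientIDSecret:
          name: google-auth
          key: client_id
        existingClientSecretSecret:
          name: google-auth
          key: client_secret
        allowedDomains:          # anyone with a Google account could log in without this
          - caos.ch
  argocd:
    deploy: true
    network:
      domain: argocd.example.caos.ch
      email: "hi@caos.ch"
      acmeAuthority: "https://acme-v02.api.letsencrypt.org/directory"  # assumption: production CA
    auth:
      # redirectURI to register at GitHub: https://argocd.example.caos.ch/api/dex/callback
      github:
        id: github
        name: github
        config:
          existingClientIDSecret:
            name: github-auth
            key: client_id
          existingClientSecretSecret:
            name: github-auth
            key: client_secret
          orgs:                  # any GitHub user could log in without this
            - name: caos
```

Before applying it, check that the secrets `google-auth` and `github-auth` exist with the keys `client_id` and `client_secret`, and that the two redirectURIs in the comments match what was registered at the IDPs character for character; a mismatch there is the most common reason the login loop fails after the deployment itself succeeds.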