
MS-A2 VCF 9.0 Lab: Configuring Authentik Identity Provider VMware for Private AI Services (PAIS)

09.26.2025 by William Lam // Leave a Comment

In this blog post, we will walk through configuring an Identity Provider (IdP) and creating an OIDC Public Application Client that will be used to grant access to a PAIS deployment. As of this blog post, the instructions for the required IdP are based on Authentik (which I have blogged about before), a free and self-hosted IdP solution.

Note: I am also looking to get this working using Keycloak, but currently I am still debugging some issues, so will provide an updated blog post once I can also use Keycloak as an IdP for PAIS.

Requirements:

  • DNS entry for IdP (e.g. auth2.vcf.lab)
  • DNS placeholder entry for the PAIS deployment instance (e.g. pais.vcf.lab)
  • vSphere environment to deploy the IdP

Step 1 - Install Authentik. The easiest route is docker-compose, which you can run in a small dedicated VM; follow the instructions here to grab the YAML manifest. You can customize the configuration, including an air-gapped configuration and port changes (I default to 80/443), which I have done in my own environment. After that, run docker-compose up -d to start the application.

If you need to use/generate your own self-signed TLS certificate, please see this blog post for more details.

Step 2 - Once Authentik has initialized, log in as the admin user, navigate to Customizations->Property Mappings and create a new Scope Mapping. This lets us expose a groups scope, which Authentik does not enable by default. You can choose any name you wish, but ensure the scope name and expression match the values below:

  • Name: pais-group-scope-mapping
  • Scope name: groups
  • Expression:

    return {"groups": [group.name for group in user.ak_groups.all()]}


Step 3 - Navigate to Directory->Groups and create a new group (any name will do) that will contain the users allowed to access the PAIS service.

  • Name: pais-users

Step 4 - Navigate to Directory->Users and create individual users (include Username, Name, Type=Internal, Email) that will be part of the group from the previous step. Once a user has been created, you will need to edit the user to set the desired credentials as well as assign group membership.

Step 5 - Navigate to Applications->Applications and start the Create with Provider workflow, which combines the OIDC Application and Provider wizards into a single workflow.

  • Name: pais

  • Provider Type: OAuth2/OpenID Provider

  • Name: pais-provider
  • Authorization Flow: default-provider-authorization-explicit-consent
  • Client Type: Public
  • Redirect URLs/Origin: https://pais.vcf.lab (the DNS placeholder entry; we will populate it in DNS once we know the IP address used to access the PAIS service)
  • Signing key: authentik Self-signed Certificate (do NOT change it to any other certificate)
  • Advanced Flow Settings->Scopes: email, openid, profile and pais-group-scope-mapping (from Step 2)


Create a new Policy/User/Group Binding of type Group, select the group you created in Step 3, and then complete the wizard to create the OIDC Application/Provider for PAIS. This binding is what restricts the application to members of that group; an Authentik application with no policy bound to it is available to every authenticated user.

  • Name: pais-users

Step 6 - Lastly, we need to retrieve two pieces of information from our newly created OIDC Application for the PAIS configuration. Navigate to Providers, click on the created provider (e.g. pais-provider) and make a note of the Client ID and the OpenID Configuration Issuer; both will be referenced in the next blog post for setting up PAIS.
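To sanity-check what Steps 2 through 6 produce, here is an added example (not code from the original post, Authentik or PAIS) of the client-side checks a relying party would run against this provider: that the discovery document advertises the groups scope and PKCE S256 (a public client has no secret, so the code exchange should be bound with PKCE), that a requested redirect_uri matches the registered https://pais.vcf.lab exactly, and that a signature-verified ID token carries a groups claim containing pais-users before access is granted. The discovery document and ID-token payload are constructed inline to mirror the values used in the post; the issuer path (/application/o/pais/, authentik's usual form for an application with slug pais) and the client ID are assumptions, and JWT signature verification against the provider's JWKS is left out because it needs the live keys.

```python
"""Offline checks for the Authentik OIDC provider set up in Steps 2-6.
Added example, not code from the original post, Authentik or PAIS; the
discovery document and ID-token payload are constructed to mirror the post."""
import base64
import hashlib
import secrets
from urllib.parse import urlsplit

# Values from the post (IdP host, redirect URL, group). The issuer path and the
# client ID are assumptions: read the real ones off the provider page (Step 6).
IDP_HOST = "auth2.vcf.lab"
EXPECTED_ISSUER = f"https://{IDP_HOST}/application/o/pais/"  # assumed slug "pais"
REGISTERED_REDIRECT = "https://pais.vcf.lab"
ALLOWED_GROUP = "pais-users"
CLIENT_ID = "example-client-id"  # placeholder, not a real Client ID

# Constructed <issuer>/.well-known/openid-configuration, trimmed to the fields checked.
DISCOVERY_OK = {
    "issuer": EXPECTED_ISSUER,
    "scopes_supported": ["openid", "email", "profile", "groups"],
    "code_challenge_methods_supported": ["plain", "S256"],
}

# Constructed ID-token payload (after signature verification) for a member of
# pais-users; the "groups" claim is what the Step 2 scope mapping emits.
CLAIMS_OK = {
    "iss": EXPECTED_ISSUER,
    "aud": CLIENT_ID,
    "email": "alice@vcf.lab",
    "exp": 1_700_003_600,
    "groups": ["pais-users"],
}


def check_discovery(doc, expected_issuer=EXPECTED_ISSUER):
    """Return a list of problems; empty means the provider is wired up as intended.
    No 'groups' scope usually means the Step 2 mapping was not selected in Step 5;
    no S256 means a public client (no secret) cannot bind the code exchange with PKCE."""
    problems = []
    issuer = doc.get("issuer", "")
    if issuer != expected_issuer:
        problems.append(f"issuer mismatch: {issuer!r}")
    if urlsplit(issuer).scheme != "https":
        problems.append("issuer is not https")
    for scope in ("openid", "email", "profile", "groups"):
        if scope not in doc.get("scopes_supported", []):
            problems.append(f"scope not advertised: {scope}")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 not supported")
    return problems


def redirect_allowed(requested, registered=REGISTERED_REDIRECT):
    """Exact, component-wise match of a redirect_uri against the registered value, so
    a look-alike host, an http:// downgrade or an added query string is rejected."""
    a, b = urlsplit(requested), urlsplit(registered)
    same = (a.scheme, a.hostname, a.port, a.path.rstrip("/")) == (
        b.scheme, b.hostname, b.port, b.path.rstrip("/"))
    return same and a.scheme == "https" and not a.query and not a.fragment


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_pair():
    """Generate a PKCE code_verifier and its S256 code_challenge (RFC 7636)."""
    verifier = _b64url(secrets.token_bytes(32))  # 43 chars, within the 43..128 range
    return verifier, _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def pkce_matches(verifier, challenge):
    """What the token endpoint does: recompute S256(verifier) and compare."""
    expected = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, challenge)


def authorize_claims(claims, now, client_id=CLIENT_ID, issuer=EXPECTED_ISSUER,
                     group=ALLOWED_GROUP):
    """Decide whether a signature-verified ID-token payload grants PAIS access."""
    if claims.get("iss") != issuer:
        return False, "wrong issuer"
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        return False, "token not issued for this client"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if group not in claims.get("groups", []):
        return False, f"user is not a member of {group}"
    return True, "ok"


if __name__ == "__main__":
    print("discovery problems:", check_discovery(DISCOVERY_OK))
    verifier, challenge = pkce_pair()
    print("pkce round trip:", pkce_matches(verifier, challenge))
    print("redirect accepted:", redirect_allowed("https://pais.vcf.lab/"))
    print("access decision:", authorize_claims(CLAIMS_OK, now=1_700_000_100))
```

Against a live deployment, replace DISCOVERY_OK with the JSON fetched from the Issuer noted in Step 6 followed by .well-known/openid-configuration, and CLAIMS_OK with the payload of an ID token whose signature you have already verified against the provider's JWKS; if check_discovery reports the groups scope as missing, revisit the Advanced Flow Settings scopes in Step 5.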

Categories // Private AI Services, VMware Cloud Foundation Tags // VCF 9.0

Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.
