Well, hello and welcome, everybody, to this OpenShift Commons briefing today. We're really pleased to have a presentation on best practices for SSO, and we're going to be talking about using Keycloak for OpenShift Enterprise. We have with us Bill DeCoste, who's a software engineer on the OpenShift team, and Diogenes Rettori, who's one of our product managers for OpenShift as well. We're going to do this so that we let the guys give a 20-30 minute presentation with a demo, and then afterwards we'll do Q&A. If you could enter your questions in the chat, we'll read them out and unmute you so you can do follow-up. But without further ado, I'd like to let Diogenes introduce the topic and introduce Bill.

Alright, thanks, everyone, for your time again. Diogenes Rettori here. I'm happy to have Bill joining me. So today I'm going to talk a little bit, just do a level set on some of the middleware services we have on OpenShift already, and then a little bit on our ideas for SSO. And then after that we're going to have Bill doing, let's say, the majority of the work. So he's the man here; he'll be doing very cool demonstrations for you. So Bill, next slide please. Thank you.

So these are some of the services we have on OpenShift today. So Red Hat, we work with ourselves and we work with partners to bring more and more capabilities into OpenShift. Some of the services that are already available there, some of the, let's say, types of workloads you can run on OpenShift; I'll mention here the most popular ones we've seen, which is JBoss EAP. So we have today JBoss EAP running on OpenShift, and our integration is such that, for example, if you spin up two containers of JBoss, it automatically creates and configures a cluster for you. You don't have to do anything. We have just recently added our decision service, which comes from the business rules management system product, and with that you can make sure your rules execution happens from your application source code, and you can evolve your business rules separately from the rest of your application. We recently added a data caching solution, a distributed data caching solution, with Data Grid. You can also have your very nice Camel routes running as individual microservices with the Fuse solution. We had messaging already, and I'm sure you know that you can also run Tomcat and integrate with JBoss Developer Studio as well. Next slide, please.

So there are other types of services that we wanted to bring to the OpenShift platform. So before, let's say, there were essentially services to build your application, but we believe there are also infrastructure services that your application requires, right? Or, let's say, even API services. So we'll soon be introducing API services to OpenShift via API management, and the community project is apiman. So we have work ongoing to have an API management gateway on OpenShift integrated with the platform, so you'd be able to secure APIs and control access to them, all from the OpenShift platform. And another very common request we have, another very common use case, is the ability to secure applications themselves from another perspective, and also now allowing single sign-on. So we're introducing JBoss Keycloak as a tech preview in OpenShift. The name of the product is Red Hat Single Sign-On. OpenShift is the first one to receive this tech preview. It has not been announced to the general public. So it is available for customers and people that want to try it on OpenShift. So I'm very happy to have Bill demonstrating this, and our intention with single sign-on is that, again, we do the heavy lifting for you: you define your roles in your own application, and then connect your application to our single sign-on, and you don't have to do anything else, right? So with that, thanks, and I'm going to transition over to Bill, who's going to be, let's say, explaining in a little bit more detail what we're talking about and running the demos. Bill, on you. Thank you. Thanks, Diane.

Great, thanks. Thanks, Diogenes. Just to check, can you hear me okay? Perfectly. Okay, great. So I'll go through a couple of slides quickly and then I'll jump over to a demo. I think a demo is worth a thousand slides, particularly in this case. So what I'm going to focus on is really what we've got today for Docker images, or OpenShift images, for SSO and for enabling SSO for JEE applications. So this is really to provide SSO to the end-user applications. As Diogenes mentioned, it's based on the community project Keycloak, and the latest version that I'll be demoing is 1.9.2. Key pieces: it supports both OAuth 2.0 and OpenID Connect on top of it, as well as SAML, and you'll see this in the demo more clearly. But one of the cool things about OpenShift, and what the images provide on top of OpenShift, is the auto-wiring and auto-configuration of deployed applications. When you actually go drop your WAR file onto an application server and it's got a trigger in it that says, hey, I want to be SSO-enabled, it'll go configure both the SSO server, the Keycloak server, as well as all the configuration over on the application side. Today we support EAP-based web apps, essentially WAR deployment.
So, you know, web applications and web services. There are four new images, three of which are of particular concern, and those are the bottom three bullets that you see there. There's the SSO or Keycloak server image, and then there are two other images. One has been out for a while, the EAP 6.4 OpenShift image, and there's one that's in beta right now for EAP 7, and these have been enhanced so that they've now got SSO-enabled capabilities, which you'll see in the demo.

So I'll dig a little bit deeper into each one of these. The Keycloak or SSO server is really just a JEE application, so it's deployed on top of its own EAP 7 instance. A couple of details: we actually base this particular image on a standalone image, which is, you know, non-OpenShift goodness, so it's just a straight Docker image. And just like all the other images that we provide for the JBoss portfolio, or xPaaS, you can go and modify the configuration of each one of these images by passing in environment variables. We'll see a little bit of that in the demo, but a generic example is, hey, I need to go and enable HTTPS, right? So where am I going to go and point it to the proper certificates or key pairs? One of the other key pieces of the SSO server configuration is that you can create all of the server configuration in one big JSON file and import it and export it. We have that capability as well inside of OpenShift. So if you don't want to do manual configuration, and you've got your blessed SSO server configuration, you can go and import that; we use OpenShift secret mechanisms to provide that. And one other piece that I just wanted to mention is that out of the box we will create an admin, or a user with admin capabilities. Obviously that's configurable when you actually go and spin up the server.

Then the next quick point is the EAP 6 and EAP 7 images. Essentially, all the capabilities for enabling SSO for your deployed applications are in there, and when you actually go to deploy your application, the image will notice that it's keyed for this. It's kind of a trigger in there, which I'll show you in the source code, for either OAuth 2.0 and OpenID Connect or SAML, so that when it recognizes that an application is saying, hey, I'm a SAML application, go auto-wire me, auto-configure me, that'll get picked up and the image will take care of that. Same ENV mechanism. A good example here is when you go and deploy an application, one of the things you want to tell it, or tell the image, is, hey, where is the SSO server that I want to use to secure my application? So there's an ENV for that. When you go and deploy your application on top of EAP and you've got that little flag or trigger that says, hey, I'm a Keycloak application, what'll happen is it'll make a call over to the SSO server to say, hey, I'm a new app that needs to be secured through Keycloak, auto-configure me a particular client. And so it'll do all the configuration on the SSO server side, and it'll also do the configuration on the internals of the app server, the EAP instance where the application itself is deployed. So we take some reasonable defaults. When you deploy an application, you tell us that it's either an OIDC or a SAML application; the image will take some reasonable defaults, and a lot of it is configurable via those ENVs. However, if you want to bypass all of the configuration that the image is going to create, specifying all the different options that Keycloak allows you to configure, you can actually, as part of your application, give us an XML snippet and we'll take that instead of using all the default settings. So that's kind of a cool feature as well.

Lots of templates. Hopefully everybody's familiar with OpenShift templates. In a nutshell, what they do is give you the capability to go in and spin up one or more different pods or pieces of your application and auto-configure them or hook them all together. So we've got a couple of different templates out there. There's a whole bunch of them for the SSO server itself, where you can say, hey, I want an SSO server and I want it to be backed by XYZ database, where we could either use the embedded EAP H2 database, or you could hook it up to an external Postgres that's running in some other containers or other pods, or MySQL. You can decide whether you want the database to be persistent or non-persistent. OpenShift has got a capability where you can back the database with, say, an NFS mount. So you've got templates for all that stuff; really easy to spin all this up, and the demo shows something similar. There are also templates for EAP 6 and EAP 7 that have all the SSO capabilities in them, stuff like that SSO URL, so that you can tell the application where the SSO server is. This does require a little bit of manual configuration. You've got to spin up, and manually configure, a little bit of the SSO server: go create users and roles and realms. And this is the normal way that people are going to do things, right? They're going to spin up an SSO server and then they'll deploy applications out to multiple different pods or containers where their applications are deployed. So there's a little initial setup to set up, you know, the users and roles in a particular realm or realms. However, we've also got a way to get started really quickly. We've got some templates that are really for demo purposes, but it's a good way to get started, where by executing one of these templates you can spin up the whole thing and it'll all auto-wire. There's no manual configuration at all. So this is a good way to get started, where you can fire this one template off and it'll spin up the server, the EAP, it'll deploy your applications, configure both sides, and you'd be good to go. And at the very end of the demo, hopefully we've got time and everything goes smoothly, I think I'll show that piece as well.

And just lastly, there's a couple of different points I just want to make. There's a lot of good stuff up at keycloak.org. We're just talking right now about JEE applications deployed to EAP, but up on the community side,
there's all sorts of other adapters for other frameworks or platforms that Keycloak supports. And the images that we're talking about, as I already mentioned, we've got the tech preview out for EAP 6 and the SSO server. Those images are up there and available, and when the GA comes out, the GA images will be available. Okay, I don't see any questions. I will hop over to the demo.

Okay, everybody, just real quick, we're letting people know that we have some of the core Keycloak engineers on this BlueJeans session. So if we now have any type of, let's say, deeper technical question, please feel free to ask them as well. Thank you.

Cool. Thanks, Diogenes. Thanks. Thanks, everybody, for joining. Can you guys, Diane, can you see my screen still okay? Can see the VM; it looks perfect. Okay, so I've got an OpenShift instance just running locally. It's a master and a node, so I've got everything just running inside of one single VM, and as you can see I've got a demo project set up, and I've got absolutely nothing running inside of my project to start. So the first thing I'm going to do is spin up the SSO server itself. So this is essentially that first bullet when I was going through the templates. I go to my little cheat sheet. Actually, let me go back. Here's my little cheat sheet. So I'm going to execute this particular template, right? So this is the SSO template; I'm spinning up the SSO 7 server, and it's going to be backed by Postgres. So now we'll see that Postgres is going to spin up and then the SSO server itself is going to spin up. Now you'll notice here that I didn't pass in any environment variables, right? Because we try to get these templates all to work out of the box with defaults. So in this case it's going to spin up these particular applications. Postgres is up, Postgres is ready. The SSO server is coming up. It will take a second. Once it connects to Postgres, it's got to go populate the database, but this is spinning up another pod, or another container, inside of OpenShift for the Keycloak server, the SSO server itself. While this is coming up, and this should take only a second, I'll hop over to the application I'm going to deploy. So if you take a look up in GitHub, this is up at github keycloak/keycloak-examples. There's a bunch of different applications in here, but I'm going to focus on the EAP-based applications, or the JEE-based applications: app-jee, app-profile-jee-saml, which is the SAML one, the other OIDC one, app-profile-jee, and service-jaxrs, which is just a web service. We've got three kind of web front-end applications and a web service application on the back end.

Okay, so the SSO is up. We go take a look at the route. So how are these guys exposed? It's going to set up two different routes, one for HTTPS and one for HTTP. So if we then go log into this particular application; so this is the SSO server itself, right? So as I said, the initial image is going to have an initial admin user, that's just admin/admin. If I wanted to go and create another admin, or if you had passed in an ENV here to specify whatever your admin user and credentials would be, that's how you do it. So let me go log in. Okay, so this is the Keycloak console. The first thing I'm going to do for my demo is create another realm. Create a demo realm. And there's a key pair and a certificate associated with every realm. So I'm going to copy this realm certificate into my cheat sheet, and I'll explain this in a little bit more detail when I get over to deploying my application, but bear with me for a second. I just want to preserve that public key for when I deploy my apps.

The next thing I'm going to do is create some roles. So the roles that I'm going to create: if I hop back over to the application source, and if I just pick one of these, I'll pick the web services one. If I go inside of the web services application source and take a look at the metadata that's associated with the web app, you'll notice a couple of things. You'll notice that there are a couple of web services; there are really three web services that it exposes. A public one is unsecured; there are no security constraints. And then there are two secured web services, one's secured and one's admin, and the particular roles that you need to access these resources are the user role and the admin role. You'll also notice, while we're here, that inside of the login-config we've got a KEYCLOAK tag. You know, this would normally be something like BASIC or FORM, but in this case, this is the flag that's going to indicate, when we deploy this application, it's going to tell the image, hey, I'm a Keycloak or an SSO-enabled application, I need to be auto-wired, right? Go do all that magic configuration so that I'm secured to the SSO. So the first thing I need to do is create these particular roles, right, for my application. So I'm just going to create those roles. I'm going to create a user role, create an admin role.

Okay, and then I'm going to create some users. Just for the demo purposes, I'm going to do all the user management through SSO or Keycloak itself. So the first thing I'm going to do is create a service user, and this isn't an end user. This is really just a user that's got the right to do some management inside of the realm, so this is only going to be used to have the pod that is running the application be able to talk to the Keycloak server directly and change the config. And that's how all the auto-magic wiring happens. So let me save the service user. I'm going to give it some real credentials; I'm just going to put in "password" for the password. Save this guy, and I'm going to give this guy some realm management capabilities. Again, this isn't something you'd necessarily give to the end user, but this is just for the internal pod-to-pod communication from that application configuration over to the SSO configuration. Okay, and now I've got to create an end user. So I'm going to call this guy demo-user, and I'll give him a little info, give him some real credentials, set the password, and now I'm going to give this end user the end-user privileges, so he actually has the right to access the different resources within the sample application. So this is all I've got to do to set up the demo manually on the SSO server side. So the next step is, okay, great.
We've got the SSO server set up and running already for some applications, those four applications that I talked about. Let's go deploy those applications. Okay, so here's the next command that I'm going to go with. I'm going to kick this off, because this will take a minute, because it's got to pull the source down from Git and do a build and then do a deploy. So let me just get this guy started and then I'll come back and explain what the command actually is. Okay, so we'll see right here a build popped up, right? So this image is now downloading all the source from GitHub, and it's going to do the build, spin up another pod that's got EAP running in it, deploy those applications, and do all the automatic config. One thing I do want to show while that's going on is that right now there are no clients, right? These clients correspond to the end-user applications, or they will, so there's nothing set up here. There will be once the applications are all deployed and up and running.

So let me come back and explain what's going on in that command that I just issued. So the first thing is I'm using the SSO-enabled EAP 7 template, right, and S2I means that, hey, this is actually going to pull some source down and do a build, and then build another image with the built source on it, and deploy that combo image. I'm giving the application a name itself; in this case I'm just calling it helloworld. I also, and this is maybe the most important part, I also passed in, I said, hey, where is the SSO or Keycloak server, right? So it's over at secure-sso-demo.cloudapps.example.com, which is exactly what I'm looking at here, right? So I'm just pointing the app server, where the applications are, to the SSO server, so it knows how to talk to it. SSO realm is demo; that's the one I manually created. Public key: we had talked about it. It's not required but recommended to actually pass that in. And then here's the SSO username and password that I also went and created. This is the service user, not the end user, right? So this is the user that has the realm management capabilities, which is going to allow this user to make a call over from the application pod to modify the client, create the corresponding client, so you don't have to do all that manually. And I've also modified the branch that I'm pulling in from GitHub; in this case, the templates right now are tied to the tech preview, but I'm using the latest and greatest stuff. So you can modify, hey, where do I want my source, what branch up on GitHub, all that kind of good stuff.

Okay, so let's come back and see where we are. Okay, so everything's kind of been up and running. The build happened. helloworld, so this is my EAP instance; it is now up and running. Right, so if we take a look at, you know, I can't get through a demo without showing logs, right? So let's just take a look at the logs of the application server where I deployed my four little applications. Okay, and you'll see here in the logs that here are the four WAR files that were deployed, that I pulled from GitHub and built, right? And also as part of this deployment, when these were deployed, it also modified the app server configuration to have all of the Keycloak configuration, whether it's OIDC or SAML. So all that's automatically configured on this side, and also if I come back over to the Keycloak/SSO server side, you'll now see there are four new clients. So there's new client config for the four different applications that I've got here. So there's really minimal manual configuration you've got to do, and I think this is one of the powerful pieces about what OpenShift and the images are going to provide: really all you've got to do is be able to specify this when you deploy a particular application. Right, you say your application is a Keycloak or a Keycloak SAML application, spin up your template, pass it in a little bit of detail about your environment, and you're good to go, and then all the configuration happens by itself. So you're not messing with XML; you don't have to go in and manually create all this stuff.

Okay, so what does this actually ultimately look like at the end? Let's take a look at the actual application. If I come over here and take a look at the routes again, I've now got an HTTP and an HTTPS route for accessing the actual app. So if I take a look here, if I come over and I go to secure hello, that's just as good a one as any. So I hit this particular application, right? So I hit my little app. And actually, let me hop over to a little more interesting one. So this is an application that is actually going to hit the web services application on the back end. Right, so if you remember, I've got three different front-end web apps and then one back-end app that just exposes some web services. This particular front-end application is hitting those three different web services that you can see and that are configured here in the source. So there's a public one that's not secured, a secured one that I need the user role for, and an admin one that I need the admin role for. So I can hit the public one. Great, right? I haven't done any login. That web service is exposed, no problem. I hit the secured one. This is actually secured; I don't have the role because I haven't logged into the SSO server, so it fails. Now if I hit the login button, you'll notice that it redirects me over to, I'm no longer at my application, I am now actually talking to the SSO server. So now I'm going to log in as the end user, which is demo-user, demo pass, login, and it takes me back to the app. Now you'll notice a couple of things. One, I've got a logout button now because I've got the proper credentials to get to the app. I can also take a look at the account; this account button showed up. I hit account; it takes me back to the SSO and takes me into that particular user. So who am I logged in as? You can view the user over in the SSO server, and then it hops you back to the application. And now I should have access to everything. I can still hit public; I now have the user role because I'm logged in as demo-user, who has that user role, and ditto for admin. So I can now hit those web services that are secured. So I hit logout and I'm back to where I started. Similarly, the same kind of capabilities exist whether it's for app... This is an OIDC app, but I could just as easily go to app-profile SAML and do the same kind of thing: log in as demo-user, and there's the application. Right, I could do similar things if I hop over and I want to get, maybe not the SAML application, but the OIDC application. I'm already logged in, right? Since I logged into the SAML application, those credentials are still valid.
I'm still the same user with the right roles, and now I can take a look at this particular application. So that's really, in a nutshell, what I wanted to demo. I'll take a look and see if there are any questions. What I want to do, if there aren't any other questions here, is delete all this stuff, and I just want to show you the all-in-one template, because I think it's a great way to get started. So let me delete all this stuff that I just created. That's the beauty of PaaS, right? Easy up, easy down. Okay, so I come back to the pods. Let me just wait until everything's gone; this will take a second. So what I'm going to do now is run this guy as soon as everything's deleted. So what this is, is, I think it actually happened. I'll come back. Yep, everything's gone. So let me spin up this all-in-one. So what this is, is I'm now firing up a different template, and this template is, just as the name says, an all-in-one, right? I don't have to do any of the complicated stuff, the reasonably complicated stuff, that's up here. What it's going to do is spin up the SSO 7 server in one pod or container, it's going to spin up a separate pod or container that's got an EAP instance in it, pull down, do the build, deploy all my applications, and do this all in one, just in one simple command, right? So it's going to do all of this stuff in one step. So, you know, in the real world, this is the way people are going to do things, right? You'll spin up your SSO server, and then as application teams come on board, they'll spin up different EAP instances that'll have their applications deployed and tie it all in to that SSO server, or maybe different SSO servers running inside of the same PaaS. But this is a really good way to get started, because in one command you can spin up the whole thing. There's no manual configuration at all. So this will take a minute, but if you'll see it, it's really going through all the steps. In a minute I'll be right back to where I was a minute or so ago.

There is one question in there. Mark is mentioning, and I think one of the core Keycloak guys is trying to answer it: you mentioned that the users are in Keycloak for the demo, but what does a production deployment look like, and where are the users typically stored? And I think that is Bolesław who's trying to answer that, so I'm going to see if I can unmute him. He's unmuted. Bolesław, if you'd like to answer that.

Yeah. Well, I think Bill was mentioning it at the beginning that you can use a relational database, so Bill can, I guess, explain what's supported in the templates, but like Postgres or MySQL. And then you can obviously connect to LDAP servers, or configure it with Kerberos for authentication.

Yeah, so in OpenShift now, the templates and the image support spinning up, just like we did, either backed by Postgres, MySQL, or the internal EAP H2 database. But there's nothing to prevent you, and the nice thing about using those is that it does all the auto-wiring. One of the things you didn't see is, at no point, even though the SSO server is being backed by a Postgres instance that's running, at no point did you ever see me go in and do any configuration to tell the SSO server where Postgres was, right? So this is one of the real cool things about OpenShift and PaaS, that this auto-wiring all happens, this auto-config. So all that magic happens for those three databases: Postgres, MySQL, or the H2 database. But there's nothing to prevent you from spinning up this server and then manually going in and pointing the persistence back at, you know, an LDAP server, as was just mentioned, or a different database, potentially a database that's external to the PaaS, right? Maybe you've got, you know, some huge Oracle RAC infrastructure that's running outside of the PaaS that you want to hook your SSO server into. You maybe don't want the database running inside of the PaaS; you've already got all that identity management, user management, running somewhere and you just want to hook your SSO server into it. So you can certainly do that, but at least today the auto-wiring and auto-magic is hooked up through the templates for those three databases I mentioned.

So those are the questions. Everything right now is in technical preview, and so I'm sure Bolesław and Bill Burke and the Keycloak folks, as well as the folks that have built these images and templates for OpenShift, are definitely looking for feedback and your thoughts on them, and other adapters that could be written for Keycloak. Where's the best way for people to reach out to you guys and give you feedback on this?

I can certainly, so we've got a couple of folks from my team; I believe my manager's on, Kevin Conner. There are a lot of different resources you can use to get to the engineering teams who are building these images, and we've also got, and thanks guys, a lot of the folks from the actual Keycloak team on as well. So we've got both teams: the team that takes these middleware products and OpenShifts them, or Dockerizes them, or however you want to call it, but we've also got the core Keycloak team as well, which is certainly available for feedback.

And the one last question that I'm seeing here... You can send an email to Bill Burke, and I'll post that with the... Register on the mailing list. There's one question here that's the typical one that everyone always asks, which is: when, even a ballpark date, could we expect Red Hat SSO to GA and be available? I don't know if anyone has an answer for that.

Obviously, publicly we cannot really commit on a GA date, although we are quite open in the community, so on the mailing list it was announced that the 1.9.x branch is being polished and will be a base for a supported product offering.

I think the good answer is, right now it's sooner rather than later. We will have a supported product. That's my favorite answer for that question. It comes out with everything. The intention is to announce it at our Summit, so that's where we are at so far.

Yeah, and I love that part too, because almost everything is driven by the Summit. That's a great motivator to get things done and out there. There's one more question here: can you talk about authenticating against our own SAML or OIDC server? Seen lots of requests to do something similar. Nothing to move. All right. I see remote.

And Bill, I mean, Bill, could you actually open the admin UI and just show the screens for identity brokering? So I think... Yeah. Oh, whoops, sorry. I'm spinning up, I gotta, I switched, I killed this one. So I gotta go back one second. Is the all-in-one up now? There's no project and... Yeah, so here, if you add, we add provider. Yeah, you can add either a SAML-based or OpenID Connect-based or any social kind of provider, and then you can authenticate against those. Or if you click at User Federation and then add provider here, you can add either LDAP or Kerberos, and you can do quite powerful configuration, syncing options and mapping, what is mapped into Keycloak, what is mapped into the token, and so on. So there is a lot of flexibility.

Well, then I think that might be all the questions we have right now. So that's a much faster demo than our previous one. So thank you very much, Bill DeCoste, for taking the time to swap laptops, and to Diogenes for giving us this intro. We will of course do any Q&A that you need on the mailing list, or you can register for the Keycloak mailing list as well, and so I encourage you to do that, and you'll definitely be seeing more of this, I'm sure, at Red Hat Summit. So thank you to all the core Keycloak folks that have come on for this, and we're hoping that we can keep demoing this and maybe show it with a few more adapters in the not too distant future. And there's one other announcement: we'll be starting up an OpenShift Commons SIG for image builders starting May 4th, and there's new... On the OpenShift Commons page there is a list of special interest groups, and the new one this week is image builders, and if you're interested in creating images that are redistributable and ready to run on OpenShift, I encourage you to sign up for that. So thanks again to everybody for joining us, and we'll be posting this recording, probably tomorrow, as a blog post with some of these links that we've had here today. So thanks again, and we'll talk to you all again very, very soon.
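Editorial addition after the briefing, not code from the session, from Keycloak or from the Red Hat OpenShift images: a worked example of what the "public key" the presenter copies from the realm's Keys tab and passes to the EAP template buys the application side. The adapter in the EAP image verifies the SSO server's RS256-signed tokens against that realm key before trusting any claim in them, then enforces the user and admin roles from the demo's web.xml security constraints. Everything here is constructed for illustration: the realm URL is modelled on the route name said aloud in the demo, the key pair and tokens are generated in the block itself, and the roles are assumed to be realm roles (the kind created in the console during the demo). It is written in Go rather than the demo's Java EE so it runs stand-alone with no dependencies.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the slice of a Keycloak access token this check reads; realm roles
// arrive under realm_access.roles (assumed: the demo's user/admin are realm roles).
type Claims struct {
	Iss         string `json:"iss"`
	Exp         int64  `json:"exp"`
	RealmAccess struct{ Roles []string `json:"roles"` } `json:"realm_access"`
}

var b64 = base64.RawURLEncoding

// VerifyToken checks an RS256 compact JWT against the realm public key (the base64
// DER string the realm's Keys tab shows), pins the algorithm, and checks issuer and
// expiry. Nothing inside the token is trusted before the signature has passed.
func VerifyToken(token, realmPubKey, expectedIss string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a three-part compact JWS")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if h, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("header malformed or alg is not RS256") // refuse "none" and HMAC algs
	}
	der, _ := base64.StdEncoding.DecodeString(realmPubKey)
	key, err := x509.ParsePKIXPublicKey(der)
	pub, ok := key.(*rsa.PublicKey)
	if err != nil || !ok {
		return nil, errors.New("realm public key is not base64 DER of an RSA key")
	}
	sig, _ := b64.DecodeString(parts[2]) // a bad encoding simply fails verification below
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify against the realm key")
	}
	var c Claims
	if body, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(body, &c) != nil {
		return nil, errors.New("malformed payload")
	}
	if c.Iss != expectedIss || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("rejected: iss=%q exp=%d (wrong realm or expired)", c.Iss, c.Exp)
	}
	return &c, nil
}

// RequireRole is what one web.xml security constraint boils down to once the
// token is verified: the named realm role must be present in the token.
func RequireRole(token, realmPubKey, expectedIss, role string, now time.Time) error {
	c, err := VerifyToken(token, realmPubKey, expectedIss, now)
	if err != nil {
		return err
	}
	for _, r := range c.RealmAccess.Roles {
		if r == role {
			return nil
		}
	}
	return fmt.Errorf("token lacks realm role %q", role)
}

// NewRealmKey and SignToken are constructed stand-ins for the SSO server: a throwaway
// realm key pair and a token signed the way Keycloak signs access tokens (RS256 over
// header.payload). They are test fixtures, not real Keycloak output.
func NewRealmKey() (*rsa.PrivateKey, string) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	return priv, base64.StdEncoding.EncodeToString(der)
}

func SignToken(priv *rsa.PrivateKey, alg, iss string, roles []string, exp time.Time) string {
	body, _ := json.Marshal(map[string]interface{}{"iss": iss, "exp": exp.Unix(), "realm_access": map[string][]string{"roles": roles}})
	input := b64.EncodeToString([]byte(`{"alg":"`+alg+`","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

func main() {
	iss := "https://secure-sso-demo.cloudapps.example.com/auth/realms/demo" // assumed realm URL, modelled on the demo route
	priv, pubKey := NewRealmKey()
	tok := SignToken(priv, "RS256", iss, []string{"user"}, time.Now().Add(5*time.Minute))
	for path, role := range map[string]string{"/secured": "user", "/admin": "admin"} { // the demo's web.xml mapping
		fmt.Printf("%-8s %v\n", path, RequireRole(tok, pubKey, iss, role, time.Now()))
	}
}
```

Run as written, the demo-user token passes the user-only resource and is refused for the admin-only one, which is exactly the behaviour shown in the browser during the demo. The two checks worth noticing are the algorithm pin, which stops a token that declares `alg: none` or an HMAC algorithm from ever reaching claim parsing, and the fact that a token forged with a different key pair or carrying a spliced payload fails on the realm key before issuer, expiry or roles are even looked at.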