Chapter 2. 3scale integration with Red Hat Single Sign-On using OpenID Connect
3scale can synchronize client credentials between 3scale (Application credentials) and a Red Hat Single Sign-On server using OpenID Connect (OIDC). 3scale utilizes a service called Zync to synchronize calls to the Red Hat Single Sign-On server.
2.1. Prerequisites:
- 3scale 2.1
- A Red Hat Single Sign-On version as specified on the Supported Configurations page
- SSL connection between Zync and RHSSO.
In order to connect 3scale and Red Hat Single Sign-On, perform the following configurations in Zync, your Red Hat Single Sign-On server and 3scale:
2.2. Configure Zync
In 3scale API Management Platform 2.1, self-signed and custom certificates are not supported and will be rejected by Zync. To establish an SSL connection between Zync and RHSSO, configure Zync to support custom certificates with the following workaround:
Validate the new certificate with the following cURL command. The expected response is a JSON configuration of the realm. If validation fails, your certificate may not be correct.
curl -v https://<secure-sso-host>/auth/realms/master --cacert customCA.pem
Add the certificate bundle to the Zync pod:
- Gather the existing content of the /etc/pki/tls/cert.pem file on the Zync pod. Run:
oc exec <zync-pod-id> cat /etc/pki/tls/cert.pem | tee -a cacert.pem cert.pem
- Append the contents of the custom CA certificate file to both cacert.pem and cert.pem:
cat customCA.pem | tee -a cacert.pem cert.pem
Log in to the 3scale AMP project in OpenShift and run the following commands. This updates the CA certificate used by the libraries that Zync depends on.
oc create configmap cacertpem --from-file=./cacert.pem
oc create configmap certpem --from-file=./cert.pem
oc set volume dc/zync --add --name=cacertpem --mount-path /opt/zync/vendor/bundle/ruby/2.3.0/gems/httpclient-2.8.3/lib/httpclient/cacert.pem --source='{"configMap":{"name":"cacertpem","items":[{"key":"cacert.pem","path":"cacert.pem"}]}}'
oc set volume dc/zync --add --name=certpem --mount-path /etc/pki/tls/cert.pem --source='{"configMap":{"name":"certpem","items":[{"key":"cert.pem","path":"cert.pem"}]}}'
oc patch dc/zync --type=json -p '[{"op": "add", "path": "/spec/template/spec/containers/0/volumeMounts/0/subPath", "value":"cacert.pem"},{"op": "add", "path": "/spec/template/spec/containers/0/volumeMounts/1/subPath", "value":"cert.pem"}]'
2.3. Configure Red Hat Single Sign-On
- Create a realm
- Create a client:
  - Specify a client ID
  - Select the openid-connect client protocol
- Configure client permissions, setting the following:
  - Access Type to confidential
  - Standard Flow Enabled to OFF
  - Direct Access Grants Enabled to OFF
  - Service Accounts Enabled to ON
- Set service account roles for your client:
  - Navigate to the service account roles tab of your client
  - In the client roles dropdown, select realm management
  - In the available roles pane, select the manage-clients list item and assign the role by clicking Add Roles
- Note client credentials:
  - Take note of the client ID
  - Navigate to the Credentials tab of your client and take note of the secret
2.4. Configure 3scale
Once you have created and configured a server and client in Red Hat Single Sign-On, you must configure 3scale to work with Red Hat Single Sign-On:
- Enable OIDC:
  - Select the service on which you want to enable Red Hat Single Sign-On and navigate to the APIs > <your_service_name> > Integration page. On that page, select edit integration settings
  - Under the Authentication deployment options, select OpenID Connect
  - Update the service
- Edit your APIcast configuration:
  - Navigate to the APIs > <your_service_name> > Integration page. On that page, select edit APIcast configuration
  - Under the Authentication Settings expandable heading, in the OpenID Connect Issuer field, enter your previously noted client credentials with the URL of your Red Hat Single Sign-On server:
https://<CLIENT_ID>:<CLIENT_SECRET>@<HOST>:<PORT>/auth/realms/<REALM_NAME>
  - Save your configuration
2.5. Test Integration
Perform the following procedures in 3scale and verify the results in Red Hat Single Sign-On to test your integration:
3scale Procedure | Red Hat Single Sign-On Result
---|---
Create an application for the service where you configured the OpenID Connect Issuer. Note the Client ID and client secret generated for the application | The new client appears in the Red Hat Single Sign-On realm you are using
Change the Redirect URL on the application in 3scale | The Redirect URL is updated in Red Hat Single Sign-On
Delete the application | The client is deleted from the realm
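As an added example (not code from the 3scale or Red Hat documentation), the Python below parses the OpenID Connect Issuer value from section 2.4 into its parts, rejects non-https and malformed forms, and derives the Red Hat Single Sign-On requests behind the section 2.5 check: the token endpoint for the service account's client_credentials grant and the admin REST lookup of the synced client. The /auth prefix and the admin REST paths assume the RHSSO 7 URL layout used on this page; host names and secrets in the test are constructed.

```python
from urllib.parse import urlsplit, unquote, quote, urlencode

REALM_PREFIX = "/auth/realms/"  # RHSSO 7 URL layout, as used on this page

def parse_issuer(issuer):
    """Split https://<CLIENT_ID>:<CLIENT_SECRET>@<HOST>:<PORT>/auth/realms/<REALM_NAME>
    into its parts. Plain http is rejected: the embedded secret would travel in clear."""
    u = urlsplit(issuer)
    if u.scheme != "https":
        raise ValueError("issuer must use https, got %r" % u.scheme)
    if u.username is None or u.password is None or not u.hostname:
        raise ValueError("issuer must embed <CLIENT_ID>:<CLIENT_SECRET>@<HOST>")
    path = u.path.rstrip("/")
    if not path.startswith(REALM_PREFIX) or "/" in path[len(REALM_PREFIX):]:
        raise ValueError("path must be /auth/realms/<REALM_NAME>, got %r" % u.path)
    return {
        "client_id": unquote(u.username),       # userinfo is percent-decoded
        "client_secret": unquote(u.password),
        "host": u.hostname,
        "port": u.port or 443,                  # urlsplit gives None when omitted
        "realm": unquote(path[len(REALM_PREFIX):]),
    }

def is_valid_issuer(issuer):
    try:
        parse_issuer(issuer)
        return True
    except ValueError:
        return False

def build_issuer(client_id, client_secret, host, port, realm):
    """Inverse of parse_issuer. Credentials are percent-encoded so a secret holding
    '/', ':' or '@' cannot be mis-split by the URL parser."""
    return "https://%s:%s@%s:%d%s%s" % (
        quote(client_id, safe=""), quote(client_secret, safe=""),
        host, port, REALM_PREFIX, quote(realm, safe=""))

def sync_check_requests(cfg, app_client_id):
    """Requests behind the 2.5 check: service-account token (client_credentials grant),
    then an admin REST query for the client Zync should have created."""
    base = "https://%s:%d" % (cfg["host"], cfg["port"])
    realm = quote(cfg["realm"], safe="")
    return {
        "token_url": "%s/auth/realms/%s/protocol/openid-connect/token" % (base, realm),
        # the secret goes in the POST body, never in a URL or query string
        "token_body": urlencode({"grant_type": "client_credentials",
                                 "client_id": cfg["client_id"],
                                 "client_secret": cfg["client_secret"]}),
        "clients_url": "%s/auth/admin/realms/%s/clients?%s"
                       % (base, realm, urlencode({"clientId": app_client_id})),
    }
```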