Prepare your Identity Provider (IdP)
For Elastisys Managed Services Customers
Please follow these steps to configure your IdP so that we can connect a new Welkin environment to it.
To share credentials with Elastisys, please use our YoPass service.
If you get stuck, get in touch with your contact person at Elastisys.
To help you comply with various data protection regulations, Welkin only allows access to service endpoints (i.e., Kubernetes API, Harbor, Grafana and OpenSearch) via an IdP. Your organization's IdP acts as the single point to decide who gets access to what.
This page describes how to configure Google Identity and Microsoft Entra ID so that Platform Administrators can connect a Welkin environment to them. Note, however, that Welkin supports any OpenID Connect-compatible IdP, including GitHub and GitLab.
This page shows what information you need to send to Platform Administrators and where to find it.
Microsoft Entra ID
Note
Azure Active Directory is now Microsoft Entra ID.
- Sign in to the Azure portal.
- Search for and select Microsoft Entra ID.
- Under Manage, select App registrations > New registration.
- Under Supported account types pick Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant).
- Under Redirect URI, select Web and enter the Dex URL that your Platform Administrators provided. This is generally `https://dex.$DOMAIN/callback`. If unsure, ask your Platform Administrators.
- Go to Overview and note down the Application (client) ID.
- Create a secret by going to Certificates & secrets.
- Select the Client secrets tab and click New client secret.
- Set the expiry to 24 months. Copy the secret Value right away (it is only shown once) and note down the expiry date: the secret has to be rotated before it expires, otherwise logins to the environment stop working.
- For improved security, navigate to Overview and note down the Directory (tenant) ID. When Dex is configured with your tenant ID, only accounts from your tenant can authenticate to your Welkin environment, even though the app registration itself allows any tenant.
- Decide on the name of the Microsoft Entra ID group that should have admin privileges in the environment.
- Securely send, e.g., via YoPass, the following information to your Platform Administrators:
  - tenant ID;
  - application ID;
  - client secret;
  - admin group.
Further Reading
- Quickstart: Register an application with the Microsoft identity platform
- Dex: Authentication through Microsoft
Google
Important
Some steps can only be done by an administrator account for a managed Google service, such as Google Workspace or Cloud Identity. (See this Google support page.)
- Go to Google Cloud -- Credentials.
- Create a new project through the top menu.
- In the new project, go to OAuth consent screen on the left side menu and create an internal consent screen.
- Go to Enabled APIs & services on the left side menu and then click + ENABLE APIS AND SERVICES.
- Search for Admin SDK API and enable the API.
- Go back to Credentials on the left side menu.
- Click + CREATE CREDENTIALS and select OAuth client ID.
- Select Web application as the Application type and give it a suitable name.
- Set the Authorized redirect URIs to the Dex URL provided by your Platform Administrators. This is generally `https://dex.$DOMAIN/callback`. If unsure, ask your Platform Administrators.
- Finally, securely send, e.g., via YoPass, the following information to your Platform Administrators:
  - client ID;
  - client secret.
To set up groups, follow these steps. Note that the steps in the Google admin console (Domain Wide Delegation) can only be done by an administrator.
- Go to Google Cloud -- Service accounts.
- Make sure that you are in the same project that you created previously (see top menu).
- Click on + CREATE SERVICE ACCOUNT and give it a suitable name.
- Note down the Unique ID of the service account; you will need it for the delegation step below.
- Go to the newly created service account and, under the KEYS tab, click ADD KEY and create a new key of type JSON. Keep the downloaded JSON file safe: it contains the private key and is sent to your Platform Administrators at the end.
- You need to give the service account read access to groups. Go to the Google admin console.
- Navigate through the menu to Security > Access and data control > API Controls and click Manage Domain Wide Delegation and then Add New.
- In the Client ID field, enter the Unique ID of the service account you noted down earlier, and in the OAuth Scopes field enter this scope: `https://www.googleapis.com/auth/admin.directory.group.readonly`.
- Decide on the name of the Google group that should have admin privileges in the Welkin environment.
- Decide on a Google user email for the service account to impersonate when making calls to the admin API. The user would need at least the permission to retrieve a list of groups through the API.
- Finally, securely send, e.g., via YoPass, the following information to your Platform Administrators:
  - the JSON file you downloaded;
  - the admin group you decided on;
  - the Google email you decided on.
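As an added example (not part of the Welkin documentation, Dex or Google's tooling), the Python script below checks the three things that most often go wrong with this delegation setup before the JSON file leaves your hands: the Client ID entered under Manage Domain Wide Delegation must equal the `client_id` field of the downloaded key file (that field is the Unique ID shown in Cloud Console), the delegated scope must be exactly the read-only group scope above and nothing broader, and the user to impersonate must be an account in your domain rather than the service account itself. It also builds the claim set of the JWT bearer assertion (RFC 7523) that a delegated call presents to Google's token endpoint, which shows where the impersonated email ends up (the `sub` claim). The key file, project and email addresses are constructed placeholders; signing the assertion with `private_key` is left to the Google client libraries.

```python
"""Checks on a Google service-account key and its domain-wide delegation.

Added example; not from the Welkin documentation, Elastisys, Dex or Google.
All inputs below are constructed placeholders.
"""
import json
import time
from typing import Optional

# Scope this page asks for under "Manage Domain Wide Delegation".
GROUP_READONLY_SCOPE = "https://www.googleapis.com/auth/admin.directory.group.readonly"


def check_service_account_key(key_json: str, delegated_client_id: str,
                              delegated_scopes: str) -> list:
    """Compare the downloaded key file with what was entered in the Google
    admin console. Returns a list of problems; empty means consistent."""
    problems = []
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return [f"key file is not valid JSON: {exc}"]

    if key.get("type") != "service_account":
        problems.append(f"key type is {key.get('type')!r}, expected 'service_account'")
    for field in ("client_email", "client_id", "private_key", "token_uri"):
        if not key.get(field):
            problems.append(f"key file is missing {field}")
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key")

    # The Unique ID shown in Cloud Console is the key file's client_id; the
    # delegation entry must name exactly this account.
    if key.get("client_id") != delegated_client_id:
        problems.append(f"delegated Client ID {delegated_client_id!r} does not match "
                        f"the key file's client_id {key.get('client_id')!r}")

    # Scopes are entered comma-separated; require the read-only scope and
    # refuse anything broader, since Dex only needs to list groups.
    scopes = {s.strip() for s in delegated_scopes.split(",") if s.strip()}
    if GROUP_READONLY_SCOPE not in scopes:
        problems.append("delegated scopes do not include the group read-only scope")
    extra = sorted(scopes - {GROUP_READONLY_SCOPE})
    if extra:
        problems.append(f"delegation grants more than needed: {extra}")
    return problems


def delegation_claims(key_json: str, impersonate_email: str,
                      now: Optional[int] = None) -> dict:
    """Claim set of the JWT bearer assertion (RFC 7523) for a delegated call:
    the service account is "iss", the impersonated admin user is "sub"."""
    key = json.loads(key_json)
    if impersonate_email.endswith(".gserviceaccount.com"):
        raise ValueError("impersonate a user in your domain, not the service account")
    iat = int(time.time()) if now is None else now
    return {
        "iss": key["client_email"],
        "sub": impersonate_email,
        "scope": GROUP_READONLY_SCOPE,
        "aud": key["token_uri"],
        "iat": iat,
        "exp": iat + 3600,  # Google accepts assertions valid for at most one hour
    }


# Constructed sample key file: the private key is a placeholder, not a real key.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "welkin-idp",
    "private_key_id": "0123abcd",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER-NOT-A-KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "dex-groups@welkin-idp.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    found = check_service_account_key(SAMPLE_KEY_JSON, "123456789012345678901",
                                      GROUP_READONLY_SCOPE)
    print("problems:", found or "none")
    print(json.dumps(delegation_claims(SAMPLE_KEY_JSON, "welkin-admin@example.com"), indent=2))
```

Run it with the real key file read from disk and the Client ID and scope string copied from the admin console; an empty problem list means the three pieces of information you are about to send are consistent with each other.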
OpenID Providers
Welkin should be compatible with any OpenID Connect provider, although full compatibility cannot be guaranteed.
The general instructions are as follows:
- Check that your IdP is OpenID Connect compatible by pointing your browser to `https://$YOUR_IDP_DOMAIN/.well-known/openid-configuration`. If you get a well-formed JSON document, your provider is OpenID Connect compatible.
- Register an application with your OpenID provider. The callback or redirect URL is provided by your Platform Administrators. This is generally `https://dex.$DOMAIN/callback`.
- Allow at least the following scopes: `openid`, `email`, `groups`, `profile`. Note that `groups` is not part of the OpenID Connect core specification; if your IdP exposes group membership under a different scope or claim name, tell your Platform Administrators.
- Securely send, e.g., via YoPass, the following information to your Platform Administrators:
  - the IdP domain, i.e., `$YOUR_IDP_DOMAIN`, which you used in the first step;
  - client ID;
  - client secret.
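As an added example (not part of the Welkin documentation, Elastisys or Dex), the following Python script does the discovery check from the first step programmatically and goes a bit further than the page: besides confirming that the document is well-formed JSON, it checks that the advertised issuer uses https and matches the URL the document was fetched from (an ID token whose `iss` does not match the configured issuer is rejected), that the endpoints Dex's OIDC connector needs are present, that the authorization code flow is offered, and whether the four scopes above are advertised. The sample documents and the `idp.example.com` issuer are constructed; the same check works for Google (issuer `https://accounts.google.com`) and Microsoft Entra ID (issuer `https://login.microsoftonline.com/<tenant ID>/v2.0`).

```python
"""Offline sanity check of an OpenID Connect discovery document.

Added example; not from the Welkin documentation, Elastisys or Dex.
Only fetch_discovery() touches the network; validate_discovery() is pure
and is exercised on constructed sample documents.
"""
import json
import urllib.request

# Scopes this page asks the IdP to allow. "groups" is a Dex convention, not an
# OpenID Connect core scope, so an IdP not advertising it is a warning, not an
# error: confirm with the IdP vendor how group membership is exposed.
REQUIRED_SCOPES = ("openid", "email", "groups", "profile")
# Metadata Dex's generic OIDC connector relies on.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint",
                   "jwks_uri", "response_types_supported")


def discovery_url(issuer: str) -> str:
    """Location of the discovery document for an issuer such as
    https://$YOUR_IDP_DOMAIN, or an issuer with a path such as Entra ID's
    https://login.microsoftonline.com/<tenant ID>/v2.0."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def fetch_discovery(issuer: str, timeout: float = 10.0) -> dict:
    """Fetch and parse the discovery document (network access)."""
    with urllib.request.urlopen(discovery_url(issuer), timeout=timeout) as resp:
        return json.load(resp)


def validate_discovery(doc: dict, issuer: str) -> tuple:
    """Return (errors, warnings). No errors means the IdP offers what Dex
    needs; warnings are points to confirm before sending the details on."""
    errors = []
    warnings = []

    for field in REQUIRED_FIELDS:
        if field not in doc:
            errors.append(f"missing required field: {field}")

    advertised = str(doc.get("issuer", ""))
    if not advertised.startswith("https://"):
        errors.append(f"issuer is not https: {advertised!r}")
    # Discovery requires the document to be served under its own issuer, and
    # the "iss" claim of every ID token has to match that issuer exactly, so a
    # mismatch here turns into rejected logins later.
    if advertised.rstrip("/") != issuer.rstrip("/"):
        errors.append(f"issuer {advertised!r} does not match {issuer!r}")

    # Dex uses the authorization code flow.
    if "code" not in doc.get("response_types_supported", []):
        errors.append("response_types_supported does not include 'code'")

    scopes = doc.get("scopes_supported")
    if scopes is None:
        warnings.append("scopes_supported not advertised; confirm the scopes manually")
    else:
        warnings.extend(f"scope not advertised: {s}" for s in REQUIRED_SCOPES if s not in scopes)

    claims = doc.get("claims_supported")
    if claims is not None and "groups" not in claims:
        warnings.append("no 'groups' claim advertised; group-based access will need a claim mapping")

    return errors, warnings


# Constructed sample documents, trimmed to the fields checked above; they do
# not come from any real IdP.
GOOD_DOC = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "response_types_supported": ["code", "id_token"],
    "scopes_supported": ["openid", "email", "groups", "profile"],
    "claims_supported": ["sub", "email", "groups", "name"],
}
BAD_DOC = {
    "issuer": "http://idp.example.com",
    "authorization_endpoint": "http://idp.example.com/oauth2/authorize",
    "token_endpoint": "http://idp.example.com/oauth2/token",
    "response_types_supported": ["code"],
    "scopes_supported": ["openid", "email", "profile"],
}

if __name__ == "__main__":
    import sys
    # Usage: python check_oidc.py https://$YOUR_IDP_DOMAIN  (no argument: run on GOOD_DOC)
    issuer = sys.argv[1] if len(sys.argv) > 1 else "https://idp.example.com"
    document = fetch_discovery(issuer) if len(sys.argv) > 1 else GOOD_DOC
    errors, warnings = validate_discovery(document, issuer)
    for line in errors:
        print("ERROR:", line)
    for line in warnings:
        print("WARNING:", line)
    print("OK" if not errors else "NOT OK")
```

The issuer comparison is strict on purpose: a provider that serves its discovery document from one hostname but advertises another (a common misconfiguration behind reverse proxies) will pass the browser check on this page yet fail at login, and it is cheaper to find that before the details are sent.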