
Single Sign On and Role Based Access Control

Single Sign On (SSO) integration is supported in Sosivio so that users can be given granular restrictions to their relevant resources. SSO is used to authenticate users logging into Sosivio: any user in the organization who has access to the SSO provider can log in to Sosivio. Sosivio then fetches the user's Role Based Access Control (RBAC) credentials from the cluster and uses them to control what is viewed and what actions can be performed in the Sosivio dashboard. The following SSO integrations are currently supported by Sosivio:

  • OpenShift
  • Temolo Security
  • Manual configuration

SSO and RBAC Prerequisites

A Sosivio user must have their cluster administrator configure the following in their RBAC. Sosivio will not overwrite the user's RBAC, and the user will not be able to view or apply recommendations if the following are not done.

  • In order to view an object in Sosivio, the user must have all of these verbs in their RBAC: get, list, watch
  • In order to apply a recommendation in Sosivio:
    • The user must have all of these verbs in their RBAC: create, update, patch
    • The cluster admin needs to follow these steps:
      • Go to the Users page in the Sosivio dashboard.
      • Locate the specific user and click on Edit Settings.
      • Under User Type, add the user to the Admins group.
      • By adding the user to the Admins group, they will have the required permissions to apply recommendations to their resources as defined in their RBAC (Role-Based Access Control) configuration.
  • The user's RBAC must cover all of the following resources: namespace, deployment, statefulset, daemonset
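The manifests below are an added example, not part of the Sosivio documentation, showing how a cluster administrator might grant exactly the verbs and resources listed above to an SSO user. The user identity `jane@example.com`, the namespace `payments` and the role names are assumed placeholders; the user name must match the identity your SSO provider asserts for the user, or the bindings will not apply.

```yaml
# Added example (not from the Sosivio documentation): minimum RBAC so that
# an SSO user can (a) view objects in Sosivio and (b) apply recommendations.
# "jane@example.com", the namespace "payments" and the role names are assumed.
---
# View-only: get, list, watch on the resource kinds the prerequisites list.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sosivio-viewer
rules:
  - apiGroups: [""]            # namespaces live in the core API group
    resources: ["namespaces"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]        # deployments, statefulsets, daemonsets
    resources: ["deployments", "statefulsets", "daemonsets"]
    verbs: ["get", "list", "watch"]
---
# Apply: create, update, patch on the workload kinds, scoped to one namespace
# so the user can only change workloads in "payments" (assumed namespace).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: sosivio-applier
  namespace: payments
rules:
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets", "daemonsets"]
    verbs: ["create", "update", "patch"]
---
# Bind the view role cluster-wide to the SSO identity.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: sosivio-viewer-jane
subjects:
  - kind: User
    name: jane@example.com     # must equal the identity the SSO provider asserts
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: sosivio-viewer
  apiGroup: rbac.authorization.k8s.io
---
# Bind the apply role only inside the "payments" namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sosivio-applier-jane
  namespace: payments
subjects:
  - kind: User
    name: jane@example.com
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: sosivio-applier
  apiGroup: rbac.authorization.k8s.io
```

Because a namespaced Role cannot grant write verbs on the cluster-scoped `namespaces` resource, create/update/patch on namespaces, if your use of Sosivio needs it, would have to go into a ClusterRole instead; granting it namespace-wide is a far larger privilege and worth a second look. Before pointing the user at Sosivio, the admin can confirm the grant from outside the dashboard with `kubectl auth can-i list deployments --as jane@example.com` and `kubectl auth can-i patch deployments -n payments --as jane@example.com`, which should both answer `yes`, while `kubectl auth can-i patch deployments -n kube-system --as jane@example.com` should answer `no`.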

SSO Configuration

  1. Navigate to the OAuth Center by clicking on the configuration icon on the bottom navigation bar and selecting OAuth Center.
  2. Select Add OAuth


OAuth Center

OpenShift

  1. Select Set up OpenShift automatically
  2. Select Save

Tremolo Security

  1. Create an OpenUnison trust object (see the OpenUnison documentation for the object's format)
    • Take note of the Client ID and the Client Secret
    • In the redirectURIs array, add http[s]://<SOSIVIO_URL>/oauth_callback
  2. In the Sosivio Dashboard, select Tremolo Security
  3. Enter the Well-known URL of your Tremolo deployment; it will typically look like https://<YOUR_DOMAIN>/auth/idp/k8sIdp/.well-known/openid-configuration
  4. Enter the Client ID you took note of when creating the OpenUnison trust object
  5. Enter the Client Secret you took note of when creating the OpenUnison trust object
  6. Select Save
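The manifest below is an added example, not from the Sosivio or Tremolo documentation, of an OpenUnison trust object registering Sosivio as an OIDC client, with the fields that steps 1, 4 and 5 refer to marked. The field names follow the `openunison.tremolo.io/v1` Trust custom resource as this editor recalls it (the page calls the redirect list `redirectURIs`; in that CRD the editor's recollection is `redirectURI`), so check them against the OpenUnison documentation before applying. The host `sosivio.example.com`, the Secret name `orchestra-secrets-source`, the key `sosivio-client-secret` and the auth chain name are assumed placeholders.

```yaml
# Added example (not from Sosivio or Tremolo): OpenUnison Trust for Sosivio.
# Field names are from the editor's recollection of the openunison.tremolo.io/v1
# Trust CRD; verify against the OpenUnison docs. Host, Secret name, key name
# and authChainName are assumed placeholders.
apiVersion: openunison.tremolo.io/v1
kind: Trust
metadata:
  name: sosivio
  namespace: openunison
spec:
  # Client ID: this is the value entered in Sosivio (step 4).
  clientId: sosivio
  # The Client Secret is not inlined in the Trust; OpenUnison reads it from a
  # Kubernetes Secret. The value stored under that key is what is entered in
  # Sosivio (step 5), so it should be a long random string kept only in the
  # Secret and in Sosivio.
  clientSecret:
    secretName: orchestra-secrets-source
    keyName: sosivio-client-secret
  # Only callbacks to this exact URI are accepted; it must match the Sosivio
  # URL scheme, host and path exactly, with no wildcard or trailing variation.
  redirectURI:
    - https://sosivio.example.com/oauth_callback
  verifyRedirect: true
  authChainName: login-service
  signedUserInfo: true
  publicEndpoint: false
  accessTokenSkewMillis: 120000
  accessTokenTimeToLive: 60000
  codeLastMileKeyName: lastmile-oidc
  codeTokenSkewMilis: 60000
```

Keeping `verifyRedirect` enabled and listing a single, exact `https://` callback is what prevents an authorization code for Sosivio from being delivered anywhere else; if you later move Sosivio to a new hostname, the old entry should be replaced rather than kept alongside the new one.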

Manual

  1. In your SSO Provider, when creating the SSO App, add a new redirect URI: http[s]://<YOUR_SOSIVIO_DEPLOYMENT>/oauth_callback
  2. In the Sosivio Dashboard, select Manual
  3. Enter the Client ID provided by your OAuth Provider
  4. Enter the Client Secret provided by your OAuth Provider
  5. Optionally, select the appropriate User RBAC Claim
  6. Enter the Well-known URL of your OAuth Provider; it will typically end with /.well-known/openid-configuration
  7. Optionally, enter the Button Icon URL to be displayed when logging into Sosivio.
  8. Optionally, enter the Button Text to be displayed next to the Button Icon when logging into Sosivio.
  9. Select Save

First Login

Users who log in for the first time with an SSO provider will be presented with a screen asking them to register a new Sosivio account. This links the user's RBAC credentials from the SSO provider to Sosivio, ensuring the user has access to the resources as defined in their RBAC.

Troubleshooting

If you receive an error, please contact [email protected] for further assistance.