Integrate OpenShift with Red Hat’s single sign-on technology
Every OIDC-secured application in Red Hat OpenShift API Management needs a corresponding SSO client in the Red Hat SSO realm. The details of the API-managed application should match the details of the corresponding SSO client.
It is therefore important to automate the synchronization between OpenShift API Management and Red Hat’s SSO. The Zync component in OpenShift API Management is responsible for this synchronization: it synchronizes API-managed applications to external systems such as Red Hat’s SSO by pushing updates to those systems every time the state of an API-managed application changes.
In this section, you will create an SSO client in the realm of your SSO server. Zync will use the new SSO client to synchronize between OIDC-secured applications and their corresponding SSO clients in Red Hat’s SSO.
Name this new SSO client zync-sso. The zync-sso client will be configured to use the OIDC client credentials flow. Through the zync-sso client, the Zync component retrieves an access token that allows it to create and update SSO clients through Red Hat’s SSO API.
Note: Within OIDC and OAuth, the client credentials flow is used between servers. In our scenario, the client application (the 3scale Zync component) is a confidential client acting on its own, not on behalf of a user, much like a service account. It is a back-channel flow that obtains an access token using the client’s own credentials. A good explanation of the different OIDC flows can be found in this blog post.
Create the zync-sso client as follows:
- In the SSO console, make sure you are on the page of the realm you created in the previous part of this learning resource.
- Click Clients to open the realm’s clients overview page.
- Click Create to create a new realm client.
- In the Add Client page, enter the following values (Figure 15):
  - Client ID: zync-sso
  - Client Protocol: openid-connect
  - Root URL: Leave blank.
- Click Save to create the realm client.
- You will be redirected to the client Settings page (Figure 16).
- Make the following changes to the client settings (Figure 17):
  - Set Access Type to confidential.
  - Set Standard Flow Enabled to OFF.
  - Set Direct Access Grants Enabled to OFF.
  - Set Service Accounts Enabled to ON.
- Scroll down and click Save to save the client configuration.
- Navigate to the Service Account Roles tab of the client settings (Figure 18).
- In the Client Roles dropdown, type realm-management.
- Choose the manage-clients role from the list and click Add selected >> to list this role under Assigned Roles (Figure 19).
- Navigate to the Credentials tab of the client settings.
- Copy the Client ID (zync-sso unless you changed the value) and the Secret (Figure 20) to a secure location.
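The following is an added example, not code from the original article or from the Zync component itself. It shows the client credentials exchange the zync-sso service account performs against the realm token endpoint, a check that the returned token carries exactly the realm-management manage-clients role (so you can confirm the service account was not over-privileged), and the admin REST call used to create a client. It assumes the Red Hat SSO 7.x URL layout with the `/auth` prefix, a hypothetical host `sso.example.com` and realm `my-realm`, and the sample token is constructed and unsigned for offline use.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumed Red Hat SSO 7.x URL layout on a hypothetical host; adjust to your server and realm.
BASE_URL = "https://sso.example.com"
REALM = "my-realm"


def token_request(client_id, client_secret, base_url=BASE_URL, realm=REALM):
    """Build the client-credentials POST that zync-sso sends to the realm token endpoint."""
    url = f"{base_url}/auth/realms/{realm}/protocol/openid-connect/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",  # back-channel flow: no user involved
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(url, data=body, method="POST",
                                  headers={"Content-Type": "application/x-www-form-urlencoded"})

def fetch_access_token(client_id, client_secret):
    """Perform the exchange (network call) and return the bearer token."""
    with urllib.request.urlopen(token_request(client_id, client_secret)) as resp:
        return json.load(resp)["access_token"]

def decode_jwt_payload(token):
    """Decode the JWT claims without verifying the signature: for inspection only, never for authorization."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_service_account_roles(token, required=("manage-clients",)):
    """Compare the realm-management roles in the token with the set the Zync service account should hold."""
    claims = decode_jwt_payload(token)
    granted = set(claims.get("resource_access", {}).get("realm-management", {}).get("roles", []))
    return {"missing": sorted(set(required) - granted), "extra": sorted(granted - set(required))}

def create_client_request(token, client_rep, base_url=BASE_URL, realm=REALM):
    """Build the admin REST call that creates an SSO client from a client representation."""
    url = f"{base_url}/auth/admin/realms/{realm}/clients"
    return urllib.request.Request(url, data=json.dumps(client_rep).encode(), method="POST",
                                  headers={"Authorization": f"Bearer {token}",
                                           "Content-Type": "application/json"})

def make_sample_token(claims):
    """Constructed, unsigned token used only to exercise the checks offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```

Run `check_service_account_roles` on a real token obtained with `fetch_access_token` after completing the steps above; any entry under `extra` means the service account holds more than the manage-clients role the procedure assigns.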