Demystify LDAP and OIDC Providing Security to Your App on Kubernetes

Confidential │ ©2021VMware,Inc.
Demystify
LDAP and OIDC
Providing Security
to your App on Kubernetes
Dodd Pfeffer (he/him)
Advisory Solutions Engineer / Tanzu
September 2021

Agenda
2
Set the stage
Put the pieces together
Show the results

Confidential │ ©2021VMware,Inc. 3
This presentation may contain product features or functionality that are currently under development.
This overview of new technology represents no commitmentfrom VMware to deliver these features in
any generally available product.
Features are subject to change, and must not be included in contracts, purchase orders, or sales
agreements of any kind.
Technical feasibility and market demand will affect final delivery.
Pricing and packaging for any new features/functionality/technology discussed or presented, have not
been determined.
The information in this presentation is for informationalpurposes only and may not be incorporated into any contract. There is no commitment or
obligation to deliver any items presented herein.
Disclaimer

• I’ve seen all too many times there are specialists that understand their piece
• Directory Admins
• Infra Teams
• DevOps Platform Teams
• Developers
• Often off-line emails or tickets are used to coordinate activities among these teams without full
context or knowledge of other areas
• By increasing your general understanding, you can collaborate with groups or even self-help, allowing
you to move faster. Or resolve issues quicker when you in-enevitably face them
Why does this matter?

Our Application

Your App

Logical Solution - OIDC
IDP RP

Sample Implementation
Google Simple
App

My Enterprise doesn’t look like sample app
Google Simple
App
Active Directory

How about the façade / gateway patterns?
Active Directory Dex
Spring Cloud
Gateway

Now you have the high-level, but how do you execute
Integrate Dex with
Active Directory
Integrate Spring
Cloud Gateway with
Dex
Configure SCG routes
for SSO

12
LDAP Connector
Integrate AD with Dex via LDAP Connector

Microsoft’sdirectory service
Pervasive within enterprise environments
Organizes everyday items
• Devices
• Users
• Volumes
• Printers
• Groups
Lightweight Directory Access Protocol
Open, vendor-neutral,industry standard
Access and maintaindirectory service data
Active Directory LDAP
Active Directory and LDAP

• URL for Directory Server
• Service account for your application
• It is key to use a service account as you
may likelylock out this account during
developmentand if you are using your
own account or a shared services
account this will impact other users of
that account
Your System Admin will Likely Provide you “some” information

Here is what your Admin Uses

Application Configuration

• What is the organizationhierarchy?
• Are all the intended users in one OU or are they spread out?
• Sometimes organizationsput users all in the same OU
• Other times they are separatedby geography, or originalcompany, or business unit
• Are ”elevated privilege” accountsin different OUs than standardaccounts
• How about groups?
• What OU are groups in? Are they in several OUs?
• Is there a single group that represents your “admin” team for this integration?
• Do you have access to create new groups specific to the app as opposed to existing groups?
Get Familiar with the Active Directory Structure

What configuration values do we need to find
Config Item Value / Description
URI ldap://162.168.7.116:389
Bind Dn servicebind@winterfell.local
Bind Password SuperSecretPassword1!
Domain winterfell.local
User Search Base DN Where in directory to start searching for users
User Search Filter How to know if an entry is an user
User Name Attribute Which attributeof user represents the “username”
Group Search Base DN Where in directory to start searching for groups
Group Search Filter How to know if an entry is a group
Group Search Group Attribute Which attributein group entry references group members
Group Search Name Attribute Which attributeof user represents the “group name”

• Use data provided by admin, to
construct a query and limit the results
• Then find someone you are familiar
with, yourself
• Now capture key information:base dn,
search filter, username field
• Check out group information
• Now capture key information:base dn,
search filter, name attribute,member
attribute
LDAPSearch To the Rescue
usage: ldapsearch [options] [filter
[attributes...]]
where:
filter RFC 4515 compliant LDAP search filter
attributes whitespace-separated list of
attribute descriptions
which may include:
* all user attributes
Search options:
-b basedn base dn for search
Common options:
-D binddn bind DN
-H URI LDAP Uniform Resource Identifier(s)
-W prompt for bind password
-w passwd bind password (for simple
authentication)
-z limit size limit (in entries, or "none" or
"max") for search

• DC = DomainComponent
• OU = OrganizationalUnit
• DN = DistinguishedName
• Entry has Attributes
• DN is the Unique Identifier for
the entry
• CN = CommonName
Definitions
# Naomi Smith, Users, acmeco, winterfell.local
dn: CN=Naomi Smith,OU=Users,OU=acmeco,DC=winterfell,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Naomi Smith
sn: Smith
givenName: Naomi
distinguishedName: CN=Naomi Smith,OU=Users,OU=acmeco,DC=winterfell,DC=local
instanceType: 4
whenCreated: 20210812183850.0Z
whenChanged: 20210812183850.0Z
displayName: Naomi Smith
uSNCreated: 12924
memberOf: CN=acme-fitness-devs,OU=Groups,OU=acmeco,DC=winterfell,DC=local
uSNChanged: 12929
name: Naomi Smith
objectGUID:: pKYfEdZsp0m5UX0wIoELAQ==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 132732671304104091
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAgTblzsM9OxpusH/tUQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: naomi
sAMAccountType: 805306368
userPrincipalName: naomi@winterfell.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=winterfell,DC=local
dSCorePropagationData: 20210812183850.0Z
dSCorePropagationData: 16010101000000.0Z
mail: naomi@winterfell.local

Demo: LDAPSearch
Place
screenshot
here
21

What configuration values do we need to find
Config Item Value / Description
URI ldap://162.168.7.116:389
Bind Dn servicebind@winterfell.local
Bind Password SuperSecretPassword1!
Domain winterfell.local
User Search Base DN OU=Users,OU=acmeco,DC=winterfell,DC=local
User Search Filter object=user
User Name Attribute sAMAccountName
Group Search Base DN OU=Groups,OU=acmeco,DC=winterfell,DC=local
Group Search Filter object=group
Group Search Group Attribute sAMAccountName
Group Search Name Attribute member

Demo: Dex Configuration
Place
screenshot
here
23
• TKG deploys Dex under the covers
• I’ve already deployed a Kubernetes cluster using TKG
• Let’s test login and see what Dex sees

• Spring LDAP Getting Started Guide
• Grab your ldapsearch output, and update the sample ldif file
• Now you can mock your active directory!
Mocking Active Directory
Quick Aside

25
OIDC Client Registration
Integrate Spring Cloud Gateway and Dex
Dex
Spring Cloud
Gateway

Framework for AuthN/AuthZ protocols
Provides variety of standardized messaging flows
based upon JSON and HTTP
JWT (JSON Web Tokens) support claimsbetween
two parties
Uses OAuth 2.0 to provide identity services
• IDP: Identity Provider offers AuthN as a service
• RP: Relying Party outsources user auth to IDP
Google, Microsoft, Ping Identity, Okta and others
provide OIDC services
JWT token assert identityand claims “group”
membership
OAuth OIDC
OIDC: OpenID Connect
Source: https://openid.net/connect/faq/

Standard Discovery URI
How do clients Know How to interact with IDP (Dex)
https://dex.castleblack.tkg-vsphere-
lab.winterfell.life/.well-known/openid-configuration

What are are common OIDC configuration parameters

1. Register Spring Cloud Gateway as a
client within dex config
2. Create a secret containing the client
credentials, issuer-uri, and requested
scopes
3. Configure gatewayfor sso by
identifying the secret that contains
configuration values
4. Identify which attribute in the token
SCG should consider for roles
GatewaySetup
Spring Cloud Gateway
apiVersion: "tanzu.vmware.com/v1"
kind: SpringCloudGateway
metadata:
name: my-gateway
spec:
sso:
secret: my-sso-credentials
roles-attribute-name: "groups"
scope=openid,profile,email,groups
client-id=gateway
client-secret=superSecretSecret
issuer-uri=https://dex.acme.co
config:
staticClients:
- name: spring-cloud-gateway
id: gateway
secret: superSecretSecret
redirectURIs:
- https://gateway.acme.co/login/oauth2/code/sso

Demo: Configuration
Place
screenshot
here
33

34
App to gateway
Integrate App to Spring Cloud Gateway
Spring Cloud
Gateway

Demo App - Requirements
https://github.com/spring-cloud-services-samples/animal-rescue
1. All access to front end should not require authentication
2. Adopting animals requires authentication and membership to animal-rescue-adopters group

1. Set the ssoEnabled attribute on a route to
require authenticated access
2. Add the Roles filter to indicate a user
must be in the requested group in order
to access to route
3. Pass the id token to the downstream
service using tokenRelay attribute
Route Configuration
apiVersion: "tanzu.vmware.com/v1"
kind: SpringCloudGatewayRouteConfig
metadata:
name: my-gateway-routes
spec:
service:
namespace: animal-rescue
port: 80
name: animal-rescue-backend
routes:
- ssoEnabled: true
tokenRelay: true
predicates:
- Path=/api/**
filters:
- StripPrefix=1
- Roles=animial-rescue-adoptors

Demo: Let’s configure the app
Place
screenshot
here
37

In Review
Spring Cloud
Gateway

Thank You

Demystify LDAP and OIDC Providing Security to Your App on Kubernetes

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Demystify LDAP and OIDC Providing Security to Your App on Kubernetes

Similar to Demystify LDAP and OIDC Providing Security to Your App on Kubernetes (20)

More from VMware Tanzu

More from VMware Tanzu (20)

Recently uploaded

Recently uploaded (20)

Demystify LDAP and OIDC Providing Security to Your App on Kubernetes