This is a walk-thru on the integration of SSO/Keycloak into the OpenShift 3.6 Reference Architecture.

1. SSO for Openshift
Sept 19, 2017
Glenn West

2. Overview
 SSO Integration
 Generate all keys/certs needed
 Setup Openshift Client in Keycloak
 Modify ocp config scripts
 Integrate into single vm and ha ref arch

3. Why SSO
 While ocp support integration of a variety of providers
for single sign-on, all require modifications of config
files
 A Federated solution that can be used for both OCP
and OCP Applications is prefered
 Keycloak gives a complete single-sign on solution
across mulitiple providers with a easy to user user-
interface

4. Automation
 While a existing ref-arch does exist, on the manual
setup, it requires significant keys, and muliple manual
steps
 Using a ansible script, keycloak can be auto
deployed, and integrated with existing reference
architecture(s)

5. Spin Up Single VM Ref Arch

6. During the install

7. During the install

8. During the install

9. During the install

10. During the install

11. During the install

12. OCP Console

13. SSO Login

14. Cluster Admin Login w/SSO

15. SSO Running in OCP

16. SSO/Keycloak App

17. Logged in to SSO

18. SSO Clients – Auto Added

19. SSO Client for OCP

20. Client Details

21. User created for OCP

22. User Details

23. Ocp user

24. Leasons Learned
 Three distinct phases of install all in one ansible script
 Ansible Does REST
 Ansible Variables can be saved across playbooks

25. Articles Published

26. Code
 https://github.com/glennswest/sso4ocp
 PR Pending:
 https://github.com/openshift/openshift-ansible-
contrib/tree/master/reference-architecture/azure-ansible