Spring Cloud Gateway for VMware Tanzu supports authentication and authorization using the Single Sign-On for VMware Tanzu tile. If you have installed this tile, you can create a Single sign-on for VMware Tanzu service plan for use by Spring Cloud Gateway service instances.
Important: Ensure that the Single Sign-On for VMware Tanzu service plan is either activated for all orgs or specifically activated for the p-spring-cloud-gateway-service
org.
When creating or updating a Spring Cloud Gateway service instance, you can activate SSO for the service instance by specifying the name of the Single Sign-On for VMware Tanzu service plan. When adding route configuration to a service instance, you can use parameters and custom filters provided by Spring Cloud Gateway for VMware Tanzu to incorporate single sign-on functionality for the route.
In Spring Cloud Gateway for VMware Tanzu v1.0.3 and later, the Gateway's authentication session is distinct from client app authentication sessions. If your client app uses Spring Security and Spring Session, its session will be unaffected by a user logging in or logging out through the Gateway and Single Sign-On for VMware Tanzu.
After creating a Single Sign-On for VMware Tanzu service plan to use with Spring Cloud Gateway for VMware Tanzu, you can use the sso.plan
parameter passed to cf create-service
or cf update-service
to configure a Gateway service instance to use Single Sign-On for VMware Tanzu. The Gateway service broker will create a Single Sign-On for VMware Tanzu service instance for the Gateway service instance, using the specified Single Sign-On for VMware Tanzu plan.
To create a Gateway service instance that uses a Single Sign-On for VMware Tanzu service plan called my-sso-plan-for-gateway
, you might run the following command:
$ cf create-service p.gateway standard my-gateway -c '{ "sso": { "plan": "my-sso-plan-for-gateway" } }'
To update an existing Gateway service instance so that it uses a Single Sign-On for VMware Tanzu service plan called my-sso-plan-for-gateway
, you might run the following command:
$ cf update-service my-gateway -c '{ "sso": { "plan": "my-sso-plan-for-gateway" } }'
Important: Updating a gateway instance from using one SSO plan to another will result in downtime. And if a gateway bound app receives SSO credentials through gateway binding credentials, then a rebind is required for the bound app to received the most recent SSO credentials.
If you have configured one or more external identity providers for a Single Sign-On for VMware Tanzu service plan that you wish to use for a Spring Cloud Gateway for VMware Tanzu service instance, you can specify the identity providers using an sso.identity-providers
parameter passed to cf create-service
or cf update-service
. This parameter is a JSON array containing a list of identity provider names configured in a Single Sign-On for VMware Tanzu service plan.
For example, if you have configured an identity provider with originKey
value of google
activated for the Single Sign-On for VMware Tanzu service plan called my-sso-plan-for-gateway
, you can include this identity provider in the configuration for a Gateway service instance using the following command:
$ cf create-service p.gateway standard my-gateway -c '{ "sso": { "plan": "my-sso-plan-for-gateway", "identity-providers": [ "google" ] } }'
If you wish to use a custom attribute from the external identity provider as a role (see the Single Sign-On for VMware Tanzu documentation about custom attributes), you can set the sso.roles-user-attribute-name
parameter. For example, if you have configured an external identity provider called okta
for the Single Sign-On for VMware Tanzu service plan called my-sso-plan-for-gateway
and you want to consider the value of the user attribute department
along with the existing list of roles, you can set the sso.roles-user-attribute-name
parameter to department
as in the following command:
$ cf create-service p.gateway standard my-gateway -c '{ "sso": { "plan": "my-sso-plan-for-gateway", "identity-providers": [ "okta" ], "roles-user-attribute-name": "department" } }'
When creating or updating a Spring Cloud Gateway service instance, you can set the scopes that are available to be used in route configuration for the service instance, by using a scopes
parameter passed to cf create-service
or cf update-service
. This parameter is a JSON array containing a list of scopes, which correspond to resource permissions configured in Single Sign-On for VMware Tanzu. (See the Single Sign-On for VMware Tanzu documentation about Managing Resources.)
To create a Gateway service instance that can use the menu.read
and menu.write
scopes, you might run the following command:
$ cf create-service p.gateway standard my-gateway -c '{ "sso": { "plan": "my-sso-plan-for-gateway", "scopes": ["menu.read", "menu.write"] } }'
See the following sections for information about providing route configuration that uses Single Sign-On for VMware Tanzu. This requires a Spring Cloud Gateway for VMware Tanzu service instance which has been configured to use a Single Sign-On for VMware Tanzu service plan (see Configuring a Gateway Service Instance to Use Single Sign-On for VMware Tanzu).
To cause a Spring Cloud Gateway for VMware Tanzu service instance route to incorporate a login flow using the Gateway service instance's associated Single Sign-On for VMware Tanzu service instance, you can set the sso-enabled
parameter to true
, which will activate the dedicated SsoLogin
filter. You can set this parameter in the route JSON object given to the cf bind-service
, cf create-service
, or cf create update-service
commands.
For instance, to bind an app called greeter
to a Gateway service instance, adding one route for the app and redirecting the route's requests to Single Sign-On for VMware Tanzu to provide a login flow, you might run the following command:
$ cf bind-service greeter my-gateway -c '{"routes": [ {"path": "/greeting/**",
"sso-enabled": true} ] }'
You can also manually add the SsoLogin
filter by including it in the list of filters
in the JSON object for the route:
$ cf bind-service cook my-gateway -c '{ "routes": [ { "path": "/cook/**", "filters": ["SsoLogin"] } ] }'
The Roles
filter uses Single Sign-On for VMware Tanzu to restrict access to a route, so that only users with the specified roles can access the route.
When adding a route to a Gateway service instance, you can set the sso-enabled
parameter to true
and add the dedicated roles
filter by setting the roles
parameter in the JSON object for the route. This parameter should list the roles that are allowed to access the route. You can include it in the route's JSON object given to the cf bind-service
, cf create-service
, or cf create update-service
commands.
For example, to bind an app called cook
to a Gateway service instance, adding one route for the app, redirecting the route's requests to Single Sign-On for VMware Tanzu to provide a login flow, and restricting access to users with the ADMIN
role, you might run the following command:
$ cf bind-service cook my-gateway -c '{ "routes": [ { "path": "/cook/**", "sso-enabled": true, "roles": ["ADMIN"] } ] }'
If the roles
parameter is set for a route, the Gateway service instance uses the Roles
filter (with the provided list of roles) for that route.
You can also manually add the Roles
filter by including it in the list of filters
in the JSON object for the route:
$ cf bind-service cook my-gateway -c '{ "routes": [ { "path": "/cook/**", "sso-enabled": true, "filters": ["Roles=ADMIN"] } ] }'
To cause an app to request permission scopes for a resource when authenticating a user using Spring Cloud Gateway for VMware Tanzu and Single Sign-On for VMware Tanzu, you can set the sso-enabled
parameter to true
and add the dedicated Scopes
filter by setting the scopes
parameter in the JSON object for the route. This parameter should list the scopes that the app will request. You can include it in the route's JSON object given to the cf bind-service
, cf create-service
, or cf create update-service
commands.
For instance, to bind an app called greeter
to a Gateway service instance, adding one route for the app, redirecting the route's requests to Single Sign-On for VMware Tanzu to provide a login flow, and requesting the greeting.read
scope, you might run the following command:
$ cf bind-service greeter my-gateway -c '{"routes": [ {"path": "/greeting/**",
"sso-enabled": true, "scopes": ["greeting.read"] } ] }'
When a user is authenticated through Single Sign-On for VMware Tanzu while reaching the app through the Gateway service instance, the Single Sign-On for VMware Tanzu service instance will present a page requesting the user to grant access to the greeting.read
scope for the app. The user can then authorize or deny this scope for the app.
If the scopes
parameter is set for a route, the Gateway service instance uses the Scopes
filter (with the provided list of scopes to request) for that route.
You can also manually add the Scopes
filter by including it in the list of filters
in the JSON object for the route:
$ cf bind-service cook my-gateway -c '{ "routes": [ { "path": "/cook/**",
"sso-enabled": true, "filters": ["Scopes=menu.read"] } ] }'
An app that receives traffic through a Spring Cloud Gateway for VMware Tanzu service instance and permits SSO should request all scopes that the app itself requires, as well as any scopes that are required by APIs which the app uses.
For example, an order app may provide APIs through a Gateway service instance, using the following route configuration:
{
"routes": [
{
"path": "/history",
"sso-enabled": true,
"scopes": [
"order.history"
]
},
{
"path": "/order/**",
"sso-enabled": true,
"scopes": [
"order.read"
]
}
]
}
If a front-end app then calls the history
and order
APIs, that front-end app should request all scopes required by those APIs--in this case, the order.history
and order.read
scopes. You might bind the front-end app to the Gateway service instance using the following route configuration:
{
"routes": [
{
"path": "/**",
"sso-enabled": true,
"scopes": [
"order.read",
"order.history"
]
}
]
}
The TokenRelay
filter uses Single Sign-On for VMware Tanzu to pass a currently-authenticated user's identity token to the app when the user accesses the app's route.
When adding a route to a Gateway service instance, you can add the TokenRelay
filter by setting the token-relay
parameter in the JSON object for the route. For example, when binding an app called "cook" to a Gateway service instance, you can add a route for the app and set token-relay
to true
for that route:
$ cf bind-service cook my-gateway -c '{ "routes": [ { "path": "/cook/**", "sso-enabled": true, "token-relay": true } ] }'
If the token-relay
parameter is set to true
for a route, the Gateway service instance uses the TokenRelay
filter for that route.
You can also manually add the TokenRelay
filter by including it in the list of filters
in the JSON object for the route:
$ cf bind-service cook my-gateway -c '{ "routes": [ { "path": "/cook/**", "filters": ["SsoLogin", "TokenRelay"] } ] }'
Spring Cloud Gateway for VMware Tanzu service instances provide a default API endpoint to log out of the current SSO session. The path to this endpoint is /scg-logout
. There are two different outcomes that can be accomplished depending on how the log out endpoint is called: log out of session and redirect to UAA log out or only log out the service instance session.
Sending a GET
request to the /scg-logout
endpoint then it will send a 302
redirect response to the UAA log out URL. In order for user to be returned back to a path on the Gateway service instance, you can add a redirect
parameter to the GET /scg-logout
request. For example, if a user goes to ${gatewayUrl}/scg-logout?redirect=/home
in their browser they will be redirected back to ${gatewayUrl}/home
after logging out of UAA.
Important: The value of the redirect
parameter is a valid path
on the Gateway service instance. You cannot redirect to an external URL.
If the GET
request to the /scg-logout
is sent using a XMLHttpRequest (XHR), then the 302
redirect could be swallowed and not handled in the response handler. In this case, the user would only be logged out of the SSO session on the Gateway service instance and would still have a valid UAA session. The behavior typically seen in this case is that if the user attempts to login again they are automatically sent back to gateway as authenticated from UAA.