Application Single Sign-On for Service Operators

The following topics tell you how to configure a fully operational authorization server for Application Single Sign-On (commonly called AppSSO).

AuthServer represents the request for an OIDC authorization server. It results in the deployment of an authorization server backed by Redis. Either a Redis instance with mTLS is deployed automatically for the AuthServer, or you can provide credentials for external storage. You can configure the labels with which clients can select an AuthServer, the namespaces from which it allows clients, its issuer URI, its token signature keys, identity providers, and further details of its deployment.

ClusterWorkloadRegistrationClass exposes an AuthServer as a ready-to-claim service offering. Application operators can discover this offering and claim credentials. The mechanisms for this are provided by Services Toolkit. This is the recommended way to offer and consume AppSSO.

If you just want to get started in a non-production environment, ClusterUnsafeTestLogin is a zero-config API that produces an unsafe, ready-to-claim AppSSO service offering. It is a higher-level alternative to the combination of AuthServer and ClusterWorkloadRegistrationClass.

For a full explanation of the available APIs, refer to the API reference.

The following sections outline the essential steps to configure a fully operational, ready-to-claim AppSSO service offering:
