The following topics tell you how to configure a fully operational authorization server for Application Single Sign-On (commonly called AppSSO).
AuthServer represents the request for an OIDC authorization server. It results in the deployment of an authorization server backed by Redis. Either a Redis with mTLS is deployed automatically for the AuthServer, or you can provide credentials for external storage. You can configure the labels with which clients can select an AuthServer, the namespaces it allows clients from, its issuer URI, its token signature keys, identity providers, and further details for its deployment.
ClusterWorkloadRegistrationClass exposes an AuthServer as a ready-to-claim service offering. Application operators can discover this offering and claim credentials. The mechanisms for this are provided by Services Toolkit. This is the recommended way to offer and consume AppSSO.
If you just want to get started in a non-production environment, ClusterUnsafeTestLogin is a zero-config API that produces an unsafe, ready-to-claim AppSSO service offering. It is a higher-level alternative to the combination of AuthServer and ClusterWorkloadRegistrationClass.
For a full explanation of the available APIs, refer to the API reference.
The following sections outline the essential steps to configure a fully operational, ready-to-claim AppSSO service offering: