UNCLASSIFIED

Commit 5946830b authored by runyontr

Merge branch 'docs-bb-809' into 'main'

Documentation for SSO Keycloak integration

See merge request !4
parents 86281d5d b4e07d86
# Keycloak.md
# Keycloak integration
- Configuration items
- Add new groups
......@@ -7,53 +7,61 @@
## Integrating with SAML
Integrating Prisma Cloud with SAML consists of setting up your IdP, then configuring Prisma Cloud to integrate with it. for keycloak integration we will use use ADFS as the IdP.
Integrating Prisma Cloud with SAML consists of setting up your IdP, then configuring Prisma Cloud to integrate with it. For keycloak integration we will use use ADFS as the IdP. Here is the official [SAML documentation](https://docs.paloaltonetworks.com/prisma/prisma-cloud/20-04/prisma-cloud-compute-edition-admin/access_control/integrate_saml)
Setting up Prisma Cloud in Keycloak
1. Follow the keycloak instructions under docs/keycloak named `configure-keycloak.md`
1. These instructions assume that Keycloak is properly installed and configured with a realm other than master.
2. In Keycloak select the baby-yoda realm
2. In Keycloak select the realm
3. On the left column, select "Clients", then new client.
3. On the left column, select "Clients", then click button ```Create```.
4. Select load file and choose the "client.json" if available. If not, use the 'saml_example.json.md' for the correct settings. The client info can be manually entered if the client isn't available. Go into the configuration and select "Save".
4. The client can be manually created. Or the example [twistlock_client.json](twistlock_client.json) can be imported after clicking the ```Create``` button. Make any necessary changes and click ```Save``` button. Example settings:
5. In the left column Create a `Client Scope` for twistlock with a SAML Protocol. Return to yout twistlock client and Add the Client scope to the `Your twistlock client` client.
Client ID: il2_a8604cc9-f5e9-4656-802d-d05624370245_twistlock
Client Protocol: saml
6. Back in the Client configuration, under "Scope" Add the twistlock scope just created.
Settings TAB (accept defaults except for the following)
Name: twistlock
Sign Assertions: ON
Client Signature Required: OFF
Root URL: https://twistlock.bigbang.dev/api/v1/authenticate
Valid Redirect URIs: *
7. Select the "Installation" tab, the download the connection file in `Mod Auth Mellon format`
_This is needed for the keycloak connection string._
5. In the left column Create a Client Scope (if it does not already exist) named ```twistlock``` with a SAML Protocol. Return to yout twistlock client and on the ```Client Scopes``` add the ```twistlock``` client scope.
8. Create a user in keycloak for twistlock. Add the user to the IL2 Group.
6. Select the "Installation" tab. In the ```Format Option dropdown``` select ```Mod Auth Mellon files```. Then click the ```Download``` button. Information from this file is needed to configure Twistlock.
### The following is required for manual configuration
7. Create a test user in Keycloak for testing the Twistlock SSO authentication.
1. Navigate to the Twistlock URL and create an admin user, then add a license key.
## Twistlock manual SAML configuration
2. Navigate to "Manage" -> "Authentication" in the left navigation bar.
Twistlock SSO integration is manual through the Admnistration UI. When Twistlock is deployed for the first time the login will ask you to create an admin user. Login with the admin user and follow these instructions:
3. Select "SAML" then the enable switch.
1. Navigate to the Twistlock console URL. After installation you will be asked to create an admin user and enter license key.
4. Open the installation file from keycloak.
a. The Identity Provider SSO is `https://keycloak.fences.dsop.io/auth/realms/your-realm/protocol/saml`
b. The Identity Provider is `https://keycloak.fences.dsop.io/auth/realms/your-realm`
c. The root URL is `https://twistlock.fences.dsop.io`
2. Navigate to ```Manage -> Authentication``` in the left navigation bar. Select ```System Certificates``` (it might be in a drop down list if your browser is narrow). Enter the contatenated certificate and private key that matches your console domian. This is necessary so that the twistlock server can do TLS to Keycloak. When you click the ```Save``` button you will be logged out. You will have to log in again with the admin credentials.
5. Paste the client certificate token in the x509 area. The certificate must be in pem format and include the header and footer. When completed select "Save".
3. Navigate to ```Manage -> Authentication``` in the left navigation bar. Select ```SAML``` (it might be in a drop down list if your browser is narrow). Then turn on the enable switch. Use identity provider "Shibboleth". This provider selection was recommended by Twistlock support.
If this fails, the certificate is not formatted correctly. Copy the cert to a file and test its validity.
Copy the certificate into a vi session and ensure there are three lines:
4. Fill in the form. Example values are shown below. Use the values for your IdP. You can get the values from the installation files ```idp-metadata.xml``` and ```sp-metadata.xml``` in the zip archive downloaded from Keycloak from step #6 in the previous section.
a. Identity provider single sign-on URL: this is the Keycleak SAML authentication endpoint. The value can be found inside the ```<SingleSignOnService>``` tag in the ```idp-metadata.xml``` installation file.
```https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml```
b. Identity provider issuer: enter the Keycloak URL path to the realm. The value can be found inside the ```<EntityDescriptor>``` tag in the ```idp-metadata.xml``` installation file.
```https://keycloak.bigbang.dev/auth/realms/baby-yoda```
c. Audience: this is the Keycloak Client ID. The value can be found inside the ```<EntityDescriptor>``` tag as ```entityID``` in the ```sp-metadata.xml``` installation file.
```il2_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_twistlock```
d. Console URL: This is the console URL of the Twistlock app. It is optional
```https://twistlock.bigbang.dev```
e. x509 certificate: This is the certificate from Keycloak. The value can be found inside the ```<dsig:X509Certificate>``` tag in the ```idp-metadata.xml``` installation file. The field must contain 3 lines with the begin and end certificate as show below. Do not leave any blank spaces at the beginning or ending of the 3 lines. If this is not followed exactly the SAML authentication will fail.
```
-----BEGIN CERTIFICATE-----
(certificate from the install file)
-----END CERTIFICATE-----
```
f. When all fields in the web form are completed select "Save".
-----BEGIN CERTIFICATE-----
*note: after SAML is added, the twistlock console will default to the keycloak login page. If you need to bypass the saml auth process add ```#!/login``` the the end of the root url.*
(certificate from step 7 keycloak install file)
-----END CERTIFICATE-----
*note: when SAML is added, the twistlock console will default to keycloak. If you need to bypass the saml auth process add "#!/login" the the end of the root url.*
6. Create a twistlock user using the same name as in step
7. There should be a "SAML box to select. If this selection is not visible, go to a different tab, then return to users.
5. Twistlock SAML SSO does not create the users automatically. Unfortunatly, you must manually create the users before they can log in. Navigate to ```Manage -> Authentication``` in the left navigation bar. Select "Users" in the drop down list. Click the ```Add User``` button to create a twistlock user with the same name as the Keycloak user name. There should be a ```SAML``` auth method button to select. If this selection is not visible, go to a different tab, then return to users.
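Review bot: The intro still says "For keycloak integration we will use use ADFS as the IdP" while every following step configures Keycloak as the SAML IdP; suggest "For this integration Keycloak is the IdP." (and drop the doubled "use"). Two of the example client settings deserve a caveat in the doc: `Valid Redirect URIs: *` lets Keycloak return assertions to any URL the service provider asks for and should be narrowed to the console's authenticate endpoint (the `Root URL` value, `https://twistlock.bigbang.dev/api/v1/authenticate`), and `Client Signature Required: OFF` means Keycloak accepts unsigned AuthnRequests, so if that is what the Twistlock "Shibboleth" profile needs, say so explicitly rather than leaving it as a silent default. The `#!/login` bypass note should also point out that it only skips the redirect, not SAML enforcement for SAML users. Typos in the new text: "yout", "contatenated", "domian", "Admnistration", "Keycleak", "Unfortunatly", "as show below".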
......@@ -11,157 +11,18 @@ This installation follows the Twistlock documented guidance. Twistlock document
The Twistlock Console is deployed as a part of the gitops. Once deployed the process of setting up daemonsets is currently a manual process. For this installation the following information is needed:
## Table of contents
- Application Overview
- Prerequisites
- Deployment
- Initial Configuration
- Daily Application Use
- Integrations
- Prometheus.md
- Elastic.md
- Keycloak.md
- Troubleshooting Tips
### Applicaiton overview
Twistlock monitors Docker for container deployment and Kubernetes for container orchestration, along with other cloud platforms. Twistlock provides continuous monitoring of containers, in addition to multi-tenancy which allows the user to defend, monitor, and manage multiple projects at once. Twistlock allows for adding firewall rules to individual applications, detecting and blocking anomalies, analyzing events, monitoring memory space, monitoring container compliance, and providing customizable access controls. Continuous Integration provides developers with the status of vulnerabilities found with each build they run, as opposed to running a different tool to see the status of each builds’ CVEs and their severity. ACAS has capability to scan entire servers, however, does not provide the container security Twistlock offers. Container security is a leading issue right now and Twistlock provides the tools necessary to address those.
### Prerequisites
* Kubernetes cluster deployed
* Kubernetes config installed in `~/.kube/config`
* Elasticsearch and Kibana deployed to Kubernetes namespace
Install kubectl
```
brew install kubectl
```
Install kustomize
```
brew install kustomize
```
### Deployment
Clone repository
```
git clone https://repo1.dsop.io/platform-one/apps/twistlock.git
cd twstlock
```
Apply kustomized manifest
```
kubectl -k ./
```
This package chart is delpoyed as part of the BigBang Umbrella chart.
### Initial Configuration
The application needs a administrator, the license file needs to be installed, then a defender.yaml needs to be generated and deployed. This has been consolidated in a script called twistlock_setup.sh.
The Variables required are as follows:
```
//Environment
$ ADMIN_USER=Administrator
$ ADMIN_PASSWORD=< my password>
$ TWISTLOCK_EXTERNAL_ROUTE=twistlock.fences.dsop.io
$ LICENSE_KEY=
$ TOKEN=<Generated Bearer token Manage/Authentication/User Certificates>
```
This process requires kubectl to be installed and able to communicate with the DSOP cluster.
#### Add an Administrator
Initially there is no users associated with twistlock console. Go to the external URL and add an Administrator account and a password. Alternatively, run the following script:
```
//Add Administrator
if ! curl -k -H 'Content-Type: application/json' -X POST \
-d "{\"username\": \"$ADMIN_USER\", \"password\": \"$ADMIN_PASSWORD\"}" \
https://$TWISTLOCK_EXTERNAL_ROUTE/api/v1/signup; then
echo "Error creating Twistlock Console user $ADMIN_USER"
exit 1
fi
```
#### Install the license
The License can be added directly from the TWISTLOCK_EXTERNAL_ROUTE. When first logging in the admin user will be prompted for a license. The following script will install the license:
```
//License
if ! curl -k \
-u $ADMIN_USER:$ADMIN_PASSWORD \
-H 'Content-Type: application/json' \
-X POST \
-d "{\"key\": \"$LICENSE_KEY\"}" \
https://$TWISTLOCK_EXTERNAL_ROUTE/api/v1/settings/license; then
echo "Error uploading Twistlock license to console"
exit 1
fi
```
Notes: curl has some difficulties with special characters. During the initial setup using a password without special characters is recommended. This password needs to be changed to a complex password or the account removed when keycloak is integrated.
#### Install Defender with Twistcli
Defender can be installed from console, script or by command line. The twistlock CLI is provided as a part of the installation. This can be found in the Manage/System/Download. After download ensure the file is made executable.
```
chmod +x twistcli
```
The "Bearer" token can be found in the twistlock application Manage/Authorization/User Certificates. Alternatively, run the following commands
```
//Windows twistcli:
curl --progress-bar -L -k --header "authorization: Bearer $TOKEN" https://twistlock.fences.dsop.io/api/v1/util/windows/twistcli.exe > twistcli.exe;
```
```
Linux twistcli:
curl --progress-bar -L -k --header "authorization: Bearer $TOKEN" https://twistlock.fences.dsop.io/api/v1/util/twistcli > twistcli; chmod a+x twistcli;
```
```
Mac OS twistcli:
curl --progress-bar -L -k --header "authorization: Bearer TOKEN" https://twistlock.fences.dsop.io/api/v1/util/osx/twistcli > twistcli; chmod a+x twistcli;
```
#### Install Defender
1) Download Daemonset
The following command can be authenticated by TOKEN or Username/Password.
```
./twistcli defender export kubernetes --namespace twistlock --privileged --cri --monitor-service-accounts --monitor-istio --user $ADMIN_USER --password $ADMIN_PASSWORD --address https://$TWISTLOCK_EXTERNAL_ROUTE --cluster-address twistlock-console:8084
```
##### Download the daemonset.yaml. The default Image is set to the Prisma server. The image should be hardened. To pull images from Platform 1. The image URL needs to be changed
##### Image: registry.dsop.io/platform-one/apps/twistlock/defender:20.04.163_ib
Note: The Console and Defender must use the same version. If your deploymnet is using 20.04.169 then edit the image accordingly.
2) Install Defender
```
kubectl apply -f defender.yaml
```
The initial login will ask you to create an admin user, and set license key.
### Install Defender from the Console UI
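Review bot: `kubectl -k ./` is not a valid invocation (it should be `kubectl apply -k ./`), `cd twstlock` does not match the directory `git clone` creates, and the Mac OS download line uses `Bearer TOKEN` without the `$`, so the literal word is sent as the token; if any of this README material is being moved elsewhere rather than dropped, carry those fixes with it. Every `curl` call uses `-k`, which turns off certificate verification against the console; either the console gets a trusted certificate and the flag goes, or the doc should state why it is needed. The two `#####` lines under "Install Defender" are body text, not headings, and the version pinned there (`20.04.163_ib`) differs from the `20.04.169` mentioned in the note right below it; pick one and keep the console/defender version caveat next to it.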
......
"clientId": "unique_clinet_id__twistlock",
{
"clientId": "il2_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_twistlock",
"name": "twistlock",
"rootUrl": "https://twistlock.fences.dsop.io/api/v1/authenticate",
"rootUrl": "https://twistlock.bigbang.dev/api/v1/authenticate",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
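Review bot: The new `clientId` `il2_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_twistlock` matches the Audience value shown in Keycloak.md but not the `Client ID` listed under the example settings there (`il2_a8604cc9-f5e9-4656-802d-d05624370245_twistlock`); use one value in both places, or keep a clearly named placeholder such as the old `unique_client_id_twistlock` (spelled correctly) so readers know to substitute their own. `rootUrl` is likewise now hardcoded to `twistlock.bigbang.dev` and needs the same substitution note.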
......@@ -27,7 +28,7 @@
"saml.server.signature": "true",
"saml.server.signature.keyinfo.ext": "false",
"exclude.session.state.from.auth.response": "false",
"saml.signing.certificate": "this is populated from a previous export and will be recreated",
"saml.signing.certificate": "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",
"saml.signature.algorithm": "RSA_SHA256",
"saml_force_name_id_format": "false",
"saml.client.signature": "false",
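Review bot: `saml.signing.certificate` now carries a concrete certificate value instead of the descriptive placeholder, which ties the example to one deployment and, together with the private key set a few lines further down, means everyone who imports this file shares the same signing key pair. Suggest restoring the placeholder text and adding a line telling the reader to regenerate the client signing keys after import.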
......@@ -35,7 +36,7 @@
"saml.authnstatement": "true",
"display.on.consent.screen": "false",
"saml_name_id_format": "username",
"saml.signing.private.key": "this will be populated with a key from a previous install if importing a json client description",
"saml.signing.private.key": "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",
"saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#",
"saml.onetimeuse.condition": "false"
},
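Review bot: `saml.signing.private.key` now holds an actual private key in a file that is committed to the repository and intended to be imported by others; a private key published this way has to be treated as compromised. Suggest restoring the old placeholder, rotating the key on any Keycloak instance where this client was imported, and documenting that the signing keys must be regenerated after import. If a real value is needed for the import to succeed, note that in the doc rather than shipping one.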
......
#!/bin/bash
#The "Bearer" token can be found in the twistlock application Manage/Authorization/User Certificates. Alternatively, run the following commands
TWISTLOCK_CONSOLE_USER=Administrator
TWISTLOCK_CONSOLE_PASSWORD=Passw0rd! # Don't use thes
TWISTLOCK_EXTERNAL_ROUTE=twistlock.fences.dsop.io
# set Twistlock console user/pass
if ! curl -k -H 'Content-Type: application/json' -X POST \
-d "{\"username\": \"$TWISTLOCK_CONSOLE_USER\", \"password\": \"$TWISTLOCK_CONSOLE_PASSWORD\"}" \
https://$TWISTLOCK_EXTERNAL_ROUTE/api/v1/signup; then
echo "Error creating Twistlock Console user $TWISTLOCK_CONSOLE_USER"
exit 1
fi
# Set Twistlock license. Using default user/pass
if ! curl -k \
-u $TWISTLOCK_CONSOLE_USER:$TWISTLOCK_CONSOLE_PASSWORD \
-H 'Content-Type: application/json' \
-X POST \
-d "{\"key\": \"$TWISTLOCK_LICENSE\"}" \
https://$TWISTLOCK_EXTERNAL_ROUTE/api/v1/settings/license; then
echo "Error uploading Twistlock license to console"
exit 1
fi
curl -sSLk -u $TWISTLOCK_CONSOLE_USER:$TWISTLOCK_CONSOLE_PASSWORD https://$TWISTLOCK_EXTERNAL_ROUTE/api/v1/util/twistcli > twistcli
chmod +x ./twistcli
# Change the image tag to reflect Platform One registry:
# registry.dsop.io/platform-one/apps/twistlock/defender:20.04.169
./twistcli defender export kubernetes --namespace twistlock --privileged --cri --monitor-service-accounts --monitor-istio --user $TWISTLOCK_CONSOLE_USER --password $TWISTLOCK_CONSOLE_PASSWORD --address https://$TWISTLOCK_EXTERNAL_ROUTE --cluster-address twistlock-console:8084
# kubectl apply -f ./defender
#setup logging to stdout
if ! curl -k \
-u $TWISTLOCK_CONSOLE_USER:$TWISTLOCK_CONSOLE_PASSWORD \
-H 'Content-Type: application/json' \
-X POST \
-d \
'{
"stdout": {
"enabled": true,
"verboseScan": true,
"allProcEvents": true,
}
}' \
https://$TWISTLOCK_EXTERNAL_ROUTE/api/v1/settings/logging; then
echo "Error editing syslog settings on console"
exit 1
fi
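Review bot: The JSON body sent to `/api/v1/settings/logging` has a trailing comma after `"allProcEvents": true,`, which is invalid JSON and will make that request fail (and the error message says "syslog settings" while the request configures stdout). Other points in the same file: `TWISTLOCK_CONSOLE_PASSWORD=Passw0rd!` hardcodes a credential in a committed script and the comment "Don't use thes" is cut off; `$TWISTLOCK_LICENSE` is never assigned, unlike the other variables; `-u user:pass` and `--password` put the secret on the command line where it is visible in the process list; `-k` disables TLS verification on every call; there is no `set -eu`, so an unset variable silently becomes an empty string; and the commented `kubectl apply -f ./defender` path does not match the `defender.yaml` the README says the export writes. Suggest reading the password and license from the environment or a secrets file, quoting every variable expansion, and fixing the JSON.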