Integrating Prisma Cloud with SAML consists of setting up your IdP, then configuring Prisma Cloud to integrate with it. for keycloak integration we will use use ADFS as the IdP.
Integrating Prisma Cloud with SAML consists of setting up your IdP, then configuring Prisma Cloud to integrate with it. For keycloak integration we will use use ADFS as the IdP. Here is the official [SAML documentation](https://docs.paloaltonetworks.com/prisma/prisma-cloud/20-04/prisma-cloud-compute-edition-admin/access_control/integrate_saml)
Setting up Prisma Cloud in Keycloak
1.Follow the keycloak instructions under docs/keycloak named `configure-keycloak.md`
1.These instructions assume that Keycloak is properly installed and configured with a realm other than master.
2. In Keycloak select the baby-yoda realm
2. In Keycloak select the realm
3. On the left column, select "Clients", then new client.
3. On the left column, select "Clients", then click button ```Create```.
4.Select load file and choose the "client.json" if available. If not, use the 'saml_example.json.md' for the correct settings. The client info can be manually entered if the client isn't available. Go into the configuration and select "Save".
4.The client can be manually created. Or the example [twistlock_client.json](twistlock_client.json) can be imported after clicking the ```Create``` button. Make any necessary changes and click ```Save``` button. Example settings:
5. In the left column Create a `Client Scope` for twistlock with a SAML Protocol. Return to yout twistlock client and Add the Client scope to the `Your twistlock client` client.
7. Select the "Installation" tab, the download the connection file in `Mod Auth Mellon format`
_This is needed for the keycloak connection string._
5. In the left column Create a Client Scope (if it does not already exist) named ```twistlock``` with a SAML Protocol. Return to yout twistlock client and on the ```Client Scopes``` add the ```twistlock``` client scope.
8.Create a user in keycloak for twistlock. Add the user to the IL2 Group.
6.Select the "Installation" tab. In the ```Format Option dropdown``` select ```Mod Auth Mellon files```. Then click the ```Download``` button. Information from this file is needed to configure Twistlock.
### The following is required for manual configuration
7. Create a test user in Keycloak for testing the Twistlock SSO authentication.
1. Navigate to the Twistlock URL and create an admin user, then add a license key.
## Twistlock manual SAML configuration
2. Navigate to "Manage" -> "Authentication" in the left navigation bar.
Twistlock SSO integration is manual through the Admnistration UI. When Twistlock is deployed for the first time the login will ask you to create an admin user. Login with the admin user and follow these instructions:
3.Select "SAML" then the enable switch.
1.Navigate to the Twistlock console URL. After installation you will be asked to create an admin user and enter license key.
4. Open the installation file from keycloak.
a. The Identity Provider SSO is `https://keycloak.fences.dsop.io/auth/realms/your-realm/protocol/saml`
b. The Identity Provider is `https://keycloak.fences.dsop.io/auth/realms/your-realm`
c. The root URL is `https://twistlock.fences.dsop.io`
2. Navigate to ```Manage -> Authentication``` in the left navigation bar. Select ```System Certificates``` (it might be in a drop down list if your browser is narrow). Enter the contatenated certificate and private key that matches your console domian. This is necessary so that the twistlock server can do TLS to Keycloak. When you click the ```Save``` button you will be logged out. You will have to log in again with the admin credentials.
5.Paste the client certificate token in the x509 area. The certificate must be in pem format and include the header and footer. When completed select "Save".
3.Navigate to ```Manage -> Authentication``` in the left navigation bar. Select ```SAML``` (it might be in a drop down list if your browser is narrow). Then turn on the enable switch. Use identity provider "Shibboleth". This provider selection was recommended by Twistlock support.
If this fails, the certificate is not formatted correctly. Copy the cert to a file and test its validity.
Copy the certificate into a vi session and ensure there are three lines:
4. Fill in the form. Example values are shown below. Use the values for your IdP. You can get the values from the installation files ```idp-metadata.xml``` and ```sp-metadata.xml``` in the zip archive downloaded from Keycloak from step #6 in the previous section.
a. Identity provider single sign-on URL: this is the Keycleak SAML authentication endpoint. The value can be found inside the ```<SingleSignOnService>``` tag in the ```idp-metadata.xml``` installation file.
b. Identity provider issuer: enter the Keycloak URL path to the realm. The value can be found inside the ```<EntityDescriptor>``` tag in the ```idp-metadata.xml``` installation file.
c. Audience: this is the Keycloak Client ID. The value can be found inside the ```<EntityDescriptor>``` tag as ```entityID``` in the ```sp-metadata.xml``` installation file.
d. Console URL: This is the console URL of the Twistlock app. It is optional
```https://twistlock.bigbang.dev```
e. x509 certificate: This is the certificate from Keycloak. The value can be found inside the ```<dsig:X509Certificate>``` tag in the ```idp-metadata.xml``` installation file. The field must contain 3 lines with the begin and end certificate as show below. Do not leave any blank spaces at the beginning or ending of the 3 lines. If this is not followed exactly the SAML authentication will fail.
```
-----BEGIN CERTIFICATE-----
(certificate from the install file)
-----END CERTIFICATE-----
```
f. When all fields in the web form are completed select "Save".
-----BEGIN CERTIFICATE-----
*note: after SAML is added, the twistlock console will default to the keycloak login page. If you need to bypass the saml auth process add ```#!/login``` the the end of the root url.*
(certificate from step 7 keycloak install file)
-----END CERTIFICATE-----
*note: when SAML is added, the twistlock console will default to keycloak. If you need to bypass the saml auth process add "#!/login" the the end of the root url.*
6. Create a twistlock user using the same name as in step
7. There should be a "SAML box to select. If this selection is not visible, go to a different tab, then return to users.
5. Twistlock SAML SSO does not create the users automatically. Unfortunatly, you must manually create the users before they can log in. Navigate to ```Manage -> Authentication``` in the left navigation bar. Select "Users" in the drop down list. Click the ```Add User``` button to create a twistlock user with the same name as the Keycloak user name. There should be a ```SAML``` auth method button to select. If this selection is not visible, go to a different tab, then return to users.
@@ -11,157 +11,18 @@ This installation follows the Twistlock documented guidance. Twistlock document
The Twistlock Console is deployed as a part of the gitops. Once deployed the process of setting up daemonsets is currently a manual process. For this installation the following information is needed:
## Table of contents
- Application Overview
- Prerequisites
- Deployment
- Initial Configuration
- Daily Application Use
- Integrations
- Prometheus.md
- Elastic.md
- Keycloak.md
- Troubleshooting Tips
### Applicaiton overview
Twistlock monitors Docker for container deployment and Kubernetes for container orchestration, along with other cloud platforms. Twistlock provides continuous monitoring of containers, in addition to multi-tenancy which allows the user to defend, monitor, and manage multiple projects at once. Twistlock allows for adding firewall rules to individual applications, detecting and blocking anomalies, analyzing events, monitoring memory space, monitoring container compliance, and providing customizable access controls. Continuous Integration provides developers with the status of vulnerabilities found with each build they run, as opposed to running a different tool to see the status of each builds’ CVEs and their severity. ACAS has capability to scan entire servers, however, does not provide the container security Twistlock offers. Container security is a leading issue right now and Twistlock provides the tools necessary to address those.
### Prerequisites
* Kubernetes cluster deployed
* Kubernetes config installed in `~/.kube/config`
* Elasticsearch and Kibana deployed to Kubernetes namespace
This package chart is delpoyed as part of the BigBang Umbrella chart.
### Initial Configuration
The application needs a administrator, the license file needs to be installed, then a defender.yaml needs to be generated and deployed. This has been consolidated in a script called twistlock_setup.sh.
This process requires kubectl to be installed and able to communicate with the DSOP cluster.
#### Add an Administrator
Initially there is no users associated with twistlock console. Go to the external URL and add an Administrator account and a password. Alternatively, run the following script:
```
//Add Administrator
if ! curl -k -H 'Content-Type: application/json' -X POST \
https://$TWISTLOCK_EXTERNAL_ROUTE/api/v1/signup; then
echo "Error creating Twistlock Console user $ADMIN_USER"
exit 1
fi
```
#### Install the license
The License can be added directly from the TWISTLOCK_EXTERNAL_ROUTE. When first logging in the admin user will be prompted for a license. The following script will install the license:
```
//License
if ! curl -k \
-u $ADMIN_USER:$ADMIN_PASSWORD \
-H 'Content-Type: application/json' \
-X POST \
-d "{\"key\": \"$LICENSE_KEY\"}" \
https://$TWISTLOCK_EXTERNAL_ROUTE/api/v1/settings/license; then
echo "Error uploading Twistlock license to console"
exit 1
fi
```
Notes: curl has some difficulties with special characters. During the initial setup using a password without special characters is recommended. This password needs to be changed to a complex password or the account removed when keycloak is integrated.
#### Install Defender with Twistcli
Defender can be installed from console, script or by command line. The twistlock CLI is provided as a part of the installation. This can be found in the Manage/System/Download. After download ensure the file is made executable.
```
chmod +x twistcli
```
The "Bearer" token can be found in the twistlock application Manage/Authorization/User Certificates. Alternatively, run the following commands
##### Download the daemonset.yaml. The default Image is set to the Prisma server. The image should be hardened. To pull images from Platform 1. The image URL needs to be changed
