Identity Provider automated configuration for Opal


Franck Ratier

Mar 9, 2023, 8:32:31 AM
to obiba-users
Hello there :)

I'm running Opal on Kubernetes.

I've been able to manually configure Google as an IdP in the administration panel (adding relevant public URL + IdP config).

I've also been able to do it on the server by adding the same 2 pieces of information (the public url in $OPAL_HOME/conf/opal-config.properties as org.obiba.opal.public.url=https://<public_url>, and the IdP config in $OPAL_HOME/conf/oidc/google.json).

I've then tried some Kubernetes-specific solutions (mounting a volume with the config file where expected, running some commands when the container starts) but they are not working and would not be production compliant anyway.

Before looking into more complex k8s-based solutions to this problem, I wanted to ask you if there's a way to automate OIDC at installation time? Maybe some env variables I missed in the docs or something else :)

Thank you,

Franck

Yannick Marcon

Mar 9, 2023, 9:41:19 AM
to obiba...@googlegroups.com
Hi,

There is no env variable for that. As an alternate solution to mounting the config, I can only propose to use an opal python command to seed the ID providers. Would that work for you?

Regards
Yannick



Franck Ratier

Mar 9, 2023, 10:08:57 AM
to obiba...@googlegroups.com
Hi, Yannick,

Thank you, I guess I can try it. Can I do this with the existing commands in the client or do I need to extend it?

Cheers,

Franck

Yannick Marcon

Mar 9, 2023, 10:28:27 AM
to obiba...@googlegroups.com
You can use the general purpose rest subcommand:

Create/update an ID provider configuration (read from stdin):

opal rest -o https://opal.example.org -u administrator -p xxx -m POST -ct "application/json" /system/idproviders < /path/to/some-oidc.json

Note that the json content is different from the ones in the $OPAL_HOME/conf/oidc/ folder. If you have a working opal instance, just get the list of ID providers as a reference:

opal rest -o https://opal.example.org -u administrator -p xxx -m GET /system/idproviders -j

Yannick
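
The seeding step described in the reply above, wrapped for a container start-up script or a Kubernetes Job, as an added example that is not part of the thread or of Opal's own tooling. The environment variable names (OPAL_URL, OPAL_ADMIN_USER, OPAL_ADMIN_PASSWORD), the function name and the exit codes are assumptions; the `opal rest` flags are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: seed an Opal ID provider without hard-coding credentials.
# OPAL_URL, OPAL_ADMIN_USER and OPAL_ADMIN_PASSWORD are assumed names,
# expected to be injected into the pod from a Kubernetes Secret.

seed_idp() {
    idp_json="$1"

    # Refuse to send administrator credentials over anything but HTTPS.
    case "${OPAL_URL:-}" in
        https://*) ;;
        *) echo "OPAL_URL must be an https:// URL" >&2; return 2 ;;
    esac

    if [ -z "${OPAL_ADMIN_USER:-}" ] || [ -z "${OPAL_ADMIN_PASSWORD:-}" ]; then
        echo "OPAL_ADMIN_USER and OPAL_ADMIN_PASSWORD must be set" >&2
        return 2
    fi

    # The file must be in the REST format (see the GET reference call in the
    # thread), not the $OPAL_HOME/conf/oidc/ format.
    if [ ! -s "$idp_json" ]; then
        echo "ID provider file missing or empty: $idp_json" >&2
        return 3
    fi

    # Same invocation as in the thread; the JSON body is read from stdin.
    opal rest -o "$OPAL_URL" -u "$OPAL_ADMIN_USER" -p "$OPAL_ADMIN_PASSWORD" \
        -m POST -ct "application/json" /system/idproviders < "$idp_json" || return 4

    # Confirm the endpoint still answers. The listing is discarded on the
    # assumption that it can contain the OIDC client secret, which should
    # not end up in job logs.
    opal rest -o "$OPAL_URL" -u "$OPAL_ADMIN_USER" -p "$OPAL_ADMIN_PASSWORD" \
        -m GET /system/idproviders -j > /dev/null || return 5
}

# Run only when a file path is given, e.g. ./seed-idp.sh /secrets/google-idp.json
if [ "$#" -ge 1 ]; then
    seed_idp "$1"
fi
```

The password is still passed with -p, so it is visible in the process list inside the container while the command runs.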


Franck Ratier

Mar 9, 2023, 11:20:01 AM
to obiba...@googlegroups.com
Thanks a lot, I managed to add the IdP with the python client as you suggested, but the setting of the public URL remains, so I'll try something else.

Cheers,

Franck

Yannick Marcon

Mar 9, 2023, 12:57:02 PM
to obiba...@googlegroups.com
I just added an APP_URL env variable to the Docker image; it sets the org.obiba.opal.public.url property.
Yannick

Franck Ratier

Mar 10, 2023, 8:22:46 AM
to obiba...@googlegroups.com