OneLogin
OneLogin is an application that manages authentication for the users on your network, and it can act as an authentication backend for Ambassador.
To use OneLogin with Ambassador:
- Create an App Connector
- Gather OneLogin Credentials
- Configure Ambassador
Create an App Connector
To use OneLogin as your IdP, you will first need to create an OIDC custom connector and create an application from that connector.
To do so:
- In your OneLogin portal, select Administration from the top right.
- From the top left menu, select Applications > Custom Connectors and click the New Connector button.
- Give your connector a name.
- Select the OpenID Connect option as your "Sign on method."
- Use http(s)://{{AMBASSADOR_URL}}/.ambassador/oauth2/redirection-endpoint as the value for "Redirect URI."
- Optionally provide a login URL.
- Click the Save button to create the connector. You will see a confirmation message.
- In the "More Actions" tab, select Add App to Connector.
- Select the connector you just created.
- Click the Save button.
You will see a success banner, which also brings you back to the main portal page. OneLogin is now configured to function as an OIDC backend for authentication with Ambassador.
Gather OneLogin Credentials
Next, you will configure Ambassador to require authentication with OneLogin, so you must first collect the client credentials from the application you just created.
To do so:
- In your OneLogin portal, go to Administration > Applications > Applications.
- Select the application you previously created.
- On the left, select the SSO tab to see the client information.
- Copy the value of Client ID for later use.
- Click the Show Client Secret link and copy the value for later use.
Configure Ambassador
Now you must configure your Ambassador instance to use OneLogin.
- First, create an OAuth Filter with the credentials you copied earlier.
Here is an example YAML:
    apiVersion: getambassador.io/v2
    kind: Filter
    metadata:
      name: onelogin
    spec:
      OAuth2:
        # onelogin openid-configuration endpoint can be found at https://{{subdomain}}.onelogin.com/oidc/.well-known/openid-configuration
        authorizationURL: https://{{subdomain}}.onelogin.com/oidc
        clientID: {{Client ID}}
        secret: {{Client Secret}}
        # The protectedOrigin is the scheme and Host of your Ambassador endpoint
        protectedOrigins:
        - origin: http(s)://{{AMBASSADOR_URL}}
- Next, create a FilterPolicy to use the Filter you just created.
Some example YAML:
    apiVersion: getambassador.io/v2
    kind: FilterPolicy
    metadata:
      name: oauth-policy
    spec:
      rules:
        # Requires authentication on requests from any hostname
      - host: "*"
        # Tells Ambassador to apply the Filter only on request to the /backend/get-quote/ endpoint from the quote application
        path: /backend/get-quote/
        # Identifies which Filter to use for the path and host above
        filters:
        - name: onelogin
- Lastly, apply both the Filter and FilterPolicy you created with a kubectl command in your terminal:
    kubectl apply -f onelogin-filter.yaml
    kubectl apply -f oauth-policy.yaml
Now any requests to https://{{AMBASSADOR_URL}}/backend/get-quote/ will require authentication from OneLogin.
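A pre-flight check for the values used in the steps above, written as an added example and not part of the Ambassador or OneLogin tooling: it confirms that the "Redirect URI" registered in OneLogin agrees with the Filter's protectedOrigins origin and that no template placeholder was left unfilled. The function name check_oidc_settings and the sample hostnames are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Callback path from the "Redirect URI" step of the connector setup.
REDIRECT_PATH = "/.ambassador/oauth2/redirection-endpoint"
PLACEHOLDER = re.compile(r"\{\{.*?\}\}")  # e.g. a leftover {{AMBASSADOR_URL}}


def _origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    default = {"http": 80, "https": 443}.get(parts.scheme)
    return parts.scheme, (parts.hostname or "").lower(), parts.port or default


def check_oidc_settings(protected_origin, redirect_uri, authorization_url):
    """Hypothetical helper: list mismatches between the three values."""
    fields = (("protectedOrigins.origin", protected_origin),
              ("Redirect URI", redirect_uri),
              ("authorizationURL", authorization_url))
    problems = [f"{name}: unfilled template placeholder"
                for name, value in fields if PLACEHOLDER.search(value)]
    if problems:
        return problems
    origin, redirect = urlsplit(protected_origin), urlsplit(redirect_uri)
    auth = urlsplit(authorization_url)
    if origin.scheme not in ("http", "https"):
        problems.append("protectedOrigins.origin: scheme must be http or https")
    elif origin.scheme == "http":
        problems.append("protectedOrigins.origin: plain http exposes the login flow")
    if origin.path not in ("", "/") or origin.query or origin.fragment:
        problems.append("protectedOrigins.origin: must be scheme and host only")
    if _origin(protected_origin) != _origin(redirect_uri):
        problems.append("Redirect URI: scheme, host or port differs from the origin")
    if redirect.path != REDIRECT_PATH:
        problems.append(f"Redirect URI: path must be {REDIRECT_PATH}")
    if (auth.scheme != "https" or auth.path.rstrip("/") != "/oidc"
            or not (auth.hostname or "").endswith(".onelogin.com")):
        problems.append("authorizationURL: expected https://<subdomain>.onelogin.com/oidc")
    return problems


# Constructed sample values, not taken from a real deployment.
ORIGIN = "https://ambassador.example.com"
AUTH_URL = "https://example-co.onelogin.com/oidc"
if __name__ == "__main__":
    print(check_oidc_settings(ORIGIN, "http://ambassador.example.com" + REDIRECT_PATH, AUTH_URL))
```

An empty list means the three values agree; run it before kubectl apply so a mismatched redirect URI is caught before users hit a failed login.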