OpenID Connect (OIDC) is a protocol for identity authentication and authorization. It is commonly used to implement single sign-on (SSO). This topic describes how to configure OIDC-based SSO by using an ingress gateway.
Prerequisites
- An application is deployed in the cluster that is added to the ASM instance.
- Sidecar injection is enabled for the specified namespace. For more information, see Enable automatic sidecar injection by using multiple methods.
- The IP address of the ingress gateway is obtained. For more information, see the section that describes how to view basic information about an ingress gateway.
- An identity provider (IdP) is configured. For more information, see Step 1 and Step 2 in Integrate Alibaba Cloud IDaaS with ASM to implement SSO. After an IdP is configured, you can obtain the following information, which is used in Step 5:
  - redirect uri: http://${IP address of the ingress gateway}/oauth2/callback
  - issuer: https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_tbn25osdlmz6gtqfq3j2pz****/app_ml5tzapsl7zmfo53wb3nwk****/oidc
  - client id: ********
  - client secret: *********
Note In this example, an Alibaba Cloud IDaaS instance is used as the IdP to implement SSO to applications in ASM. If you use a self-managed OIDC IdP, see Integrate Keycloak with ASM to implement single sign-on.
Procedure
- Log on to the ASM console. In the left-side navigation pane, choose .
- On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose .
- On the Ingress Gateway page, click the ingress gateway that you want to use.
- In the left-side navigation pane, choose .
- In the OIDC Config step of the configuration wizard, turn on Enable gateway OIDC Single Sign-On, configure the parameters, and then click Next.
| Parameter | Description |
| --- | --- |
| Redirect address | In this example, this parameter is set to Use ingressgateway IP address. |
| Callback Address | The URL to which users are redirected after they pass authentication. |
| Issuer | The URL of the issuer. |
| ClientID | The client ID provided by the issuer. |
| Client Secret | The client secret provided by the issuer. |
| Cookie Secret | The seed string for the security cookies, which can be Base64-encoded. |
| Cookie Expire | The expiration time of the cookie. The cookie is refreshed after the specified time. If you set this parameter to 0, the cookie is not refreshed. |
| Cookie refresh interval | The interval at which the cookie is refreshed. If you set this parameter to 0, the cookie is not refreshed. |
| Scopes | The types of user information that can be obtained. The specified scopes must be supported by the issuer. |
- In the Matching Rule step of the configuration wizard, configure the parameters and click Submit.
| Parameter | Description |
| --- | --- |
| Match Mode | In this example, Auth If Matched is selected. Valid values: Auth If Matched (users must log on to access resources in the specified path); Bypass Auth If Matched (users do not need to log on to access resources in the specified path). |
| Add Match Rule | Turn on the Path switch and set this parameter to /productpage. This configuration indicates that requests for resources in the /productpage path require OIDC authentication. |
After you click Submit, a message indicating that OIDC-based SSO is configured appears, and the generated native Istio security resources are displayed. You can click YAML to view the resource configurations.
- Use a browser to access http://${IP address of the ingress gateway}/productpage to check whether the OIDC-based SSO configuration takes effect.
If the following page appears, it indicates that the access is successful and the OIDC-based SSO configuration takes effect.
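Beyond looking at the login page, you can confirm that the gateway sends the browser to the IdP with exactly the parameters configured in the OIDC Config step. The following check is an added example and is not part of this documentation or of ASM; the gateway IP, client ID, authorization endpoint and scopes are placeholders, and the authorization endpoint is assumed to be the one published in the issuer's discovery document.

```python
# Added example, not part of the ASM documentation or product code: an offline
# check of the redirect an ingress gateway returns for an unauthenticated request
# to a path covered by an "Auth If Matched" rule. All values are placeholders.
from urllib.parse import parse_qs, urlparse

GATEWAY_IP = "203.0.113.10"                         # placeholder gateway IP
CALLBACK = f"http://{GATEWAY_IP}/oauth2/callback"   # Callback Address parameter
CLIENT_ID = "example-client-id"                     # placeholder ClientID
# Authorization endpoint as published in the issuer's discovery document
# ({issuer}/.well-known/openid-configuration); placeholder value.
AUTHZ_ENDPOINT = "https://idp.example.com/oidc/authorize"
CONFIGURED_SCOPES = {"openid", "profile", "email"}  # Scopes parameter

def check_auth_redirect(status, location, authz_endpoint=AUTHZ_ENDPOINT,
                        client_id=CLIENT_ID, callback=CALLBACK,
                        scopes=CONFIGURED_SCOPES):
    """Return findings for an unauthenticated response to a protected path;
    an empty list means the redirect is consistent with the OIDC config.
    Assumes the gateway redirects straight to the IdP (if it first sends the
    browser to an intermediate sign-in page, follow that hop, then check)."""
    findings = []
    if status not in (302, 303):
        return [f"expected a redirect to the IdP, got HTTP {status}"]
    target = urlparse(location)
    params = {k: v[0] for k, v in parse_qs(target.query).items()}
    base = f"{target.scheme}://{target.netloc}{target.path}"
    if base != authz_endpoint:
        findings.append(f"redirect goes to {base}, not the issuer's authorization endpoint")
    if params.get("response_type") != "code":
        findings.append("response_type is not 'code' (authorization code flow expected)")
    if params.get("client_id") != client_id:
        findings.append("client_id does not match the configured ClientID")
    if params.get("redirect_uri") != callback:
        findings.append("redirect_uri differs from the Callback Address registered at the IdP")
    requested = set(params.get("scope", "").split())
    if "openid" not in requested:
        findings.append("scope lacks 'openid', so this is not an OIDC request")
    if not requested <= scopes:
        findings.append(f"scopes beyond the configured Scopes: {sorted(requested - scopes)}")
    if not params.get("state"):
        findings.append("no state parameter; login CSRF protection is missing")
    return findings

# Constructed sample of a correct redirect, for an offline run.
SAMPLE_LOCATION = (
    f"{AUTHZ_ENDPOINT}?response_type=code&client_id={CLIENT_ID}"
    f"&redirect_uri=http%3A%2F%2F{GATEWAY_IP}%2Foauth2%2Fcallback"
    "&scope=openid+profile+email&state=a1b2c3"
)
```

Feed the status code and Location header captured from a request to /productpage into `check_auth_redirect`; an empty list means the gateway's authorization request matches the configured callback, client ID and scopes, and a path covered by a Bypass Auth If Matched rule should instead return the application page directly.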