How to setup SAML Authentication in Spinnaker using Okta

Introduction

Security Assertion Markup Language (SAML) is a standard used for user login to different applications like Spinnaker,  based on their logged-in sessions used in another context. This single sign-on (SSO) login standard has significant advantages over logging in using a username/password:

• No need to type in credentials
• No need to remember and renew passwords
• No weak passwords

The scope of this guide is how to set up SAML authentication on Spinnaker using Okta as the Identity Provider.

Pre-Requisites

1. Desired version of the Spinnaker installed
2. Okta account with required users
3. Admin Access to the Okta to add the Spinnaker application

Setting up Okta Account

1. Navigate to https://www.okta.com/
2. Click Signup and register for a new account.
3. Get your Okta Account URL. 

Ex: https://opsmx-dev-admin.okta.com/

Configuring Spinnaker Authentication using SAML with Okta as IDP

1. Configure a Spinnaker application in the Okta.
2. Configure Halyard with Okta application.

  A. Configure a Spinnaker application in the Okta

1. Login to Okta as the administrator (https://opsmx-dev-admin.okta.com/) using administrator Login.
2. Configure Spinnaker as a new SSO Application. ( Navigate to Applications —>Create App Integration —> SAML2.0)
   1. 

      Create a new app integration

3. Provide the Required Name (e.g: Spinnaker) and Logo for the Custom Application.
   1. 

      Create a SAML integration

4. Provide the SAML Settings Configuration.
   1. Single sign-on URL: This is the EndPoint to which Okta will send the SAML responses. For Spinnaker it is basically the Gate URL + /saml/SSO.
      1. Ex: https://test-spin.opsmx.com/gate/saml/SSO
      2. Note: The End point URL should be followed by /saml/SSO.
   2. Audience URI (SP Entity ID): Entity ID here should match with the Issuer ID in Spinnaker Halyard
      1. Ex: spind
   3. Name ID Format : Identifies the SAML processing rules and constraints for the assertion’s subject statement. Use the default value of ‘Unspecified’ unless the application explicitly requires a specific format. Set this to EmailAddress.
   4. Application username: Determines the default value for a user’s application username. The application username will be used for the assertion’s subject statement.  Set this to: Email.
   5. Group Attribute Statements:
      1. Name = memberOf, Name format = Unspecified, Filter = Regex: .*
   6. Click “Next”.
      1. 

         Configure SAML

   7. The Create SAML Integration Feedback page, select the “I’m an Okta customer adding an internal app”   button, then hit the green “Finish” button.
      1. 
   8. Navigate back to this page by going to Applications -> applicationName ->            Sign On tab. Click the button “View Setup Instructions”.This will display the page with configuration information necessary to configure Spinnaker.
   9. Download the Certificate and Save the metadata.xml file to your local. These are required to configure the Spinnaker.
      1. 
   10. Download the Certificate and Save the metadata.xml file to your local. These are required to configure the Spinnaker.

   Finally, you can assign the required Users/Groups to access the Spinnaker Application.

Spinnaker

B. Configure the Halyard to use the Spinnaker Okta for Authentication.

1. Create a SAML KeyStore for Spinnaker

keytool -genkey -v -keystore spinnaker.jks -alias saml -keyalg RSA -keysize 2048 -validity 10000

2. Configure the Spinnaker to use the Okta as SAML Authentication.

hal config security authn saml edit \

--keystore $KEYSTORE_PATH \

--keystore-alias saml \

--keystore-password $KEYSTORE_PASSWORD \

--metadata $METADATA_PATH \

--issuer-id $ISSUER_ID \

--service-address-url $SERVICE_ADDR_URL

      SERVICE_ADDR_URL is the Spinnaker gate endpoint URL.

  3. Enable SAML authentication.

        hal config security authn saml enable

 4.Apply the halyard changes

      hal deploy apply

5. Verify Spinnaker authentication

        Once changes are applied, you can verify Spinnaker authentication. It should take you to the Okta login page and should be able to authenticate to Spinnaker successfully.