Vault
Vault SPI
You can use the Vault SPI to write a custom extension for Red Hat Single Sign-On that connects to an arbitrary vault implementation, so that secrets such as LDAP bind credentials or client secrets are fetched from the vault at runtime instead of being stored in the Red Hat Single Sign-On configuration or database.
Integrating Red Hat Single Sign-On with CyberArk Conjur for secrets management
This chapter explains how to integrate Red Hat Single Sign-On with Conjur using the Vault SPI. For the demo, we store the password of the 389 Directory Server cn=Directory Manager user in Conjur and have Red Hat Single Sign-On read it from there as the bind credential for LDAP user federation, so the password never has to be entered into the Red Hat Single Sign-On configuration.
Setup steps:
- Run the Conjur OSS community collection provided with this workshop.
- Create the admin account demoAccount:
conjurctl account create demoAccount > /tmp/admin_data
The /tmp/admin_data file contains the token-signing public key and the API key of the admin user of that account. Protect this file: the admin API key gives full administrative access to the account.
- Load the provided Conjur policy and create a secret for the demo by running the following commands in the terminal:
APIKEY=$(sed -n '/API/ s/.*: *//p' /tmp/admin_data)
TOKEN=$(curl --header "Accept-Encoding: base64" -d "$APIKEY" https://$CONJUR_HOST/authn/demoAccount/admin/authenticate)
curl -H "Authorization: Token token=\"${TOKEN}\"" -d "$(< policy.yml)" https://$CONJUR_HOST/policies/demoAccount/policy/root
curl -H "Authorization: Token token=\"${TOKEN}\"" -d "password" https://$CONJUR_HOST/secrets/demoAccount/variable/ldap/password
The first command extracts the admin API key from /tmp/admin_data, the second exchanges it for a short-lived access token, the third loads policy.yml into the root policy, and the fourth sets the value of the ldap/password variable. The demo stores the literal string "password"; use the real cn=Directory Manager password for your directory server.
Note: these steps use the REST API, but other approaches such as the Conjur CLI can also be used.
- Export the environment variables that the Conjur API client in the extension reads:
export CONJUR_ACCOUNT=demoAccount
export CONJUR_AUTHN_API_KEY=$APIKEY
export CONJUR_APPLIANCE_URL=https://$CONJUR_HOST
export CONJUR_AUTHN_LOGIN=admin
Note: instead of exporting the Conjur API configuration as environment variables, it can also be configured with SPI provider properties.
For the demo the extension authenticates as the Conjur admin user. In a real deployment, give Red Hat Single Sign-On its own Conjur host identity that is permitted to read only the variables it needs, and use that identity's login and API key here instead.
- Deploy the extension and configure the Vault SPI. In the JBoss CLI, register the vault SPI, enable the conjur-vault provider shipped by the extension, and make it the default provider:
/subsystem=keycloak-server/spi=vault:add
/subsystem=keycloak-server/spi=vault/provider=conjur-vault:add(enabled=true)
/subsystem=keycloak-server/spi=vault:write-attribute(name=default-provider,value=conjur-vault)
:reload
Ensure that the 389 Directory Server is up and running and that you have deployed the Conjur extension and configured the Vault SPI as described in the previous steps. A quick reachability check from a bash shell, using the port your 389 Directory Server listens on (3389 in this workshop); it reports "Connection refused" if nothing is listening:
</dev/tcp/<389_HOST>/3389
- Open a browser window and log in to the Red Hat Single Sign-On administration web console.
- Select the Demo realm.
- Click User Federation.
- Select ldap as the provider.
- Fill in the user federation provider settings with the appropriate values for your LDAP server. Click the Test connection button to check the connection. If successful, you should see the message "Success! LDAP connection successful".
- Test the authentication with a random wrong password. It should fail.
- Enter the vault expression ${vault.ldap/password} in the Bind Credential field and test the authentication again. It should now work: Red Hat Single Sign-On passes the key ldap/password to the conjur-vault provider, which fetches the variable of that id from Conjur, so only the reference, not the bind password itself, is stored in the Red Hat Single Sign-On configuration.
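The Conjur side of this procedure, collected into reusable shell functions as an added example. This is not part of the workshop or of the conjur-vault extension: the policy body, the host identity ldap/rhsso, the DIRECTORY_MANAGER_PASSWORD and CONJUR_TOKEN variables and the sample conjurctl output are assumptions made for the example. The pure helpers (parsing /tmp/admin_data, mapping a ${vault.…} expression to a Conjur secret path, URL-encoding a login) run offline; the curl wrappers need a live Conjur and the CONJUR_* variables exported in the chapter. It goes one step beyond the demo by creating a least-privilege host identity instead of reusing the admin key.

```shell
#!/usr/bin/env bash
# Added example (not the workshop's code): Conjur setup for the RH-SSO vault demo.
set -e

# Pull the admin API key out of `conjurctl account create` output; the relevant
# line reads "API key for admin: <key>". Reads the saved output from stdin.
extract_api_key() {
  sed -n '/API key/ s/.*: *//p' | head -n 1
}

# Map an RH-SSO vault expression such as '${vault.ldap/password}' to the REST
# path of the Conjur variable with the same id. This mirrors how the demo's
# ${vault.ldap/password} reference ends up at /secrets/<account>/variable/ldap/password.
conjur_secret_path() {
  account=$1
  expr=$2
  case $expr in
    '${vault.'*'}') ;;
    *) echo "not a vault expression: $expr" >&2; return 1 ;;
  esac
  key=${expr#*vault.}   # strip the '${vault.' prefix
  key=${key%?}          # strip the closing '}'
  printf '/secrets/%s/variable/%s\n' "$account" "$key"
}

# Conjur logins that contain '/' (host identities such as host/ldap/rhsso)
# must be URL-encoded in the /authn path; plain user logins pass through.
encode_login() {
  printf '%s' "$1" | sed 's,/,%2F,g'
}

# Policy constructed for this example (not the workshop's policy.yml): the
# ldap/password variable plus a host identity that may only fetch that variable,
# so RH-SSO does not have to run with the account's admin API key.
conjur_policy() {
  cat <<'EOF'
- !policy
  id: ldap
  body:
    - !variable password
    - !host rhsso
    - !permit
      role: !host rhsso
      privilege: [ read, execute ]
      resource: !variable password
EOF
}

# --- live calls: need CONJUR_APPLIANCE_URL, CONJUR_ACCOUNT, CONJUR_AUTHN_LOGIN
# --- and CONJUR_AUTHN_API_KEY as exported in the chapter.

# Exchange an API key for a short-lived, base64-encoded access token.
conjur_authenticate() {
  curl -sS --fail -H 'Accept-Encoding: base64' --data-binary "$CONJUR_AUTHN_API_KEY" \
    "$CONJUR_APPLIANCE_URL/authn/$CONJUR_ACCOUNT/$(encode_login "$CONJUR_AUTHN_LOGIN")/authenticate"
}

# Authenticated request: conjur_api METHOD PATH [extra curl arguments]
conjur_api() {
  method=$1; path=$2; shift 2
  curl -sS --fail -X "$method" -H "Authorization: Token token=\"$CONJUR_TOKEN\"" "$@" \
    "$CONJUR_APPLIANCE_URL$path"
}

# End to end: load the policy (the response lists the API key Conjur generated
# for the new host ldap/rhsso), store the directory manager password, then read
# it back the way the vault provider will. A production RH-SSO would then use
# CONJUR_AUTHN_LOGIN=host/ldap/rhsso with that host API key instead of admin's.
conjur_demo() {
  CONJUR_TOKEN=$(conjur_authenticate)
  conjur_policy | conjur_api POST "/policies/$CONJUR_ACCOUNT/policy/root" --data-binary @-
  conjur_api POST "$(conjur_secret_path "$CONJUR_ACCOUNT" '${vault.ldap/password}')" \
    --data-binary "$DIRECTORY_MANAGER_PASSWORD"
  conjur_api GET "$(conjur_secret_path "$CONJUR_ACCOUNT" '${vault.ldap/password}')"
}

# Run the live part only when a Conjur endpoint and the password are configured.
if [ -n "${CONJUR_APPLIANCE_URL:-}" ] && [ -n "${DIRECTORY_MANAGER_PASSWORD:-}" ]; then
  conjur_demo
fi
```

To use it against the workshop's Conjur, source the file after exporting the CONJUR_* variables from the chapter plus DIRECTORY_MANAGER_PASSWORD, or call the helpers individually (for example `extract_api_key < /tmp/admin_data` in place of the sed one-liner). The policy is posted to the root policy with POST, which appends to whatever is already loaded; PUT would replace it.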