Enable Red Hat Single Sign-On in 3Scale Admin Portal

Li Khia
Mar 24, 2022

If you are interested in inviting users to the 3Scale Admin Portal, please refer to my blog [1] on “Inviting users and managing rights in the 3Scale Admin Portal”.

Red Hat 3Scale API Management is installed with a default administrator account named admin and the password can be retrieved by executing the command below.

oc get secret system-seed -o json | jq -r .data.ADMIN_PASSWORD | base64 -d

There are 2 types of users in Red Hat 3Scale API Management:

  • Admins: have full access to all areas and services, and can invite other members.
  • Members: have limited access to areas of the product (e.g. Analytics, Developer Portal).

This blog is about enabling Red Hat Single Sign-On for 3Scale Admin Portal.

Prerequisites

Red Hat Integration — 3Scale Operator Version 2.11 and Red Hat SSO Operator Version 7.5.1 are installed into the Openshift Cluster Version 4.9.

To install Red Hat Integration — 3Scale Operator, please refer to [2].

To install Red Hat SSO Operator, please refer to [3].

An SMTP server must be configured in Red Hat 3Scale so that users are notified, at the email address specified in Red Hat SSO, to activate their account in Red Hat 3Scale.

Please refer to my blog [1] on “Inviting users and managing rights in the 3Scale Admin Portal” to install MailDev as a Non-Production SMTP server and configure it as SMTP Server in Red Hat 3scale.

Configure Client in Red Hat SSO

  1. Login to SSO Admin Portal as administrator.
  2. Create a new realm as admin-portal.
  3. Add a new user and set the password. Please ensure that Temporary is toggled to “Turn Off” when setting the password.
  4. Add a new attribute to this user. In this example, we used an attribute named portal with the value 3scale. The attribute name and value can be anything. We will reference this attribute in step 8 to create a mapper that auto-creates this user as an account in Red Hat 3Scale.

5. Create a new client with the name set as 3scale. Set Access Type as confidential, and enable Standard Flow and Direct Access Grants. Set the Root URL as the 3scale admin portal URL and Valid Redirect URLs as your 3scale admin portal URL/*.

6. Click on the Mappers tab. Click on the Add BuiltIn button and select “email verified” in order to map the “Email Verified” user attribute to the email_verified claim. 3scale requires that the email_verified claim of the user data is set to true.

7. Click on Create button.

8. Set Mapper Type as User Attribute.

9. Set Name, User Attribute and Token Claim Name as portal, which is the attribute name that was set earlier for the user.

10. Set Claim JSON Type as String.

11. Enable “Add to ID token”, “Add to access token” and “Add to userinfo”.

12. If the users in Red Hat Single Sign-On have the portal attribute, Red Hat 3scale will be able to create a user account automatically.

13. Click on the Credentials tab. Copy the secret for the next step.
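
To confirm that the mappers from steps 6 to 11 took effect, the claims of a token issued for the 3scale client can be inspected. The following is an added example, not part of the original post: the function names are hypothetical, the tokens are constructed inline with a placeholder host, and the payload is decoded without verifying the signature, so it is for inspection only.

```python
import base64
import json

REALM = "admin-portal"   # realm from step 2
CLAIM = "portal"         # token claim name from step 9
VALUE = "3scale"         # attribute value from step 4


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims: dict) -> list:
    """List the claims that do not match the configuration described in the steps."""
    problems = []
    if claims.get("email_verified") is not True:
        problems.append("email_verified")   # step 6 mapper, must be boolean true
    if claims.get(CLAIM) != VALUE:
        problems.append(CLAIM)              # steps 8-11 user attribute mapper
    if not str(claims.get("iss", "")).endswith("/auth/realms/" + REALM):
        problems.append("iss")              # token came from a different realm
    return problems


def sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token so the example runs offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64url(b'constructed-no-signature')}"


# Constructed sample claims; sso.example.com is a placeholder host.
GOOD = sample_token({"iss": "https://sso.example.com/auth/realms/admin-portal",
                     "email_verified": True, "portal": "3scale"})
BAD = sample_token({"iss": "https://sso.example.com/auth/realms/master",
                    "email_verified": "true"})

if __name__ == "__main__":
    print(check_claims(decode_claims(GOOD)))
    print(check_claims(decode_claims(BAD)))
```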

Integrate with Red Hat SSO

  • Login to 3Scale Admin Portal as administrator.
  • Navigate to Account Settings -> Account Settings.
  • Expand Users and click on SSO Integrations.
  • Click on New SSO Integration.
  • Paste the client secret, set the client as 3scale and Realm as <SSO URL>/auth/realms/<realm>. The realm is admin-portal.
  • Click on Publish.
  • The 1st user (in alphabetical order) in Red Hat SSO will receive an email to activate the account.
  • Use the link to sign in with the password that was set for the user earlier. Click on Authenticate through Red Hat Single Sign On.
  • This will navigate to the Red Hat SSO Login page. Login using the username and password of the user that you created earlier.
  • This account is assigned as a member by default. The administrator needs to assign the rights to this member to access the API.
  • Go back to the SSO Integration Page. Click on Test Authentication Flow. It will be shown as successful.
  • The administrator needs to assign the correct rights to the new users by navigating to Users -> Listing. Click on the new user. Scroll down to the Administrative section to assign the access rights. In the following screenshot, the new user is assigned as Member with no access rights configured. This is the default access right. Administrators can grant the access rights by selecting the corresponding checkboxes.
  • Login to 3Scale Admin Portal as the new user. You will be able to access based on the rights that the administrator granted.
  • For the remaining users in Red Hat SSO, they need to log in to 3Scale Admin Portal in order to get an email notification to activate their account in Red Hat 3Scale. They will get the error message below when attempting to log in to 3Scale Admin Portal.
  • An email will be sent to this user to activate his account in Red Hat 3Scale.
  • Open the link in a new window. Click on Authenticate through Red Hat Single Sign On. Similarly, use the username and password to login via the Red Hat SSO Login page.
  • Your user is now able to access the 3Scale Admin Portal.

Please refer to the links below.

[1] — https://likhia.medium.com/inviting-users-and-managing-rights-in-3scale-admin-portal-ac019ab744bf

[2] — https://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.11/html/installing_3scale/install-threescale-on-openshift-guide#deploying-threescale-using-the-operator

[3] — https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.4/html/server_installation_and_configuration_guide/operator
