
Migration from the old CERN SSO to Keycloak

Create an Application

  • Go to the Application Portal and create a new Application for your Sentry instance.
  • Click Add an Application, fill in the form with information about your Sentry instance and click Submit.

  • The application has been created. Find it in the list of your applications and click the edit button.

  • Now create a new SSO registration: select the SSO Registration tab and click the add button in the bottom right corner.

  • A modal will be displayed. Fill it in with information about your Sentry instance. Add the URL of your own Sentry instance to the list of Redirect URIs (the SSO will only send users back to the URIs registered here, so make sure it is the one your instance actually serves). Select OpenID Connect (OIDC) as the authentication protocol. After you submit the form, a modal with the Client ID and Client Secret will be presented. Note both down, since they are used later on, and treat the Client Secret as a credential: anyone holding it can present themselves to the SSO as your Sentry instance.

Note

The next steps are optional. Perform them only if you want to limit access to your Sentry instance.

  • Select the Roles tab and click the Edit role details button. Set the Minimum Level Of Assurance to the desired value (more information can be found here).

Warning

If you want to restrict access to a specific group, you need to uncheck the This role applies to all authenticated users checkbox; as long as it stays checked, every authenticated CERN user can log in to your instance regardless of which groups you link.

  • To allow only members of a specific group to access the app, select the Roles tab and click the users icon at the far right of the role's row.

  • You can now assign a group to the role you are editing. Use the Search by group identifier search box to find the group and add it to the Linked Groups.

Change the ConfigMap in your Sentry OpenShift project

  • Go to OpenShift and open your Sentry project.
  • Go to Resources -> Config Maps and click sentry-environment.
  • Click Actions (top right corner) and then click Edit.
  • Scroll down and click Add item twice (two new entries are needed).
  • Create the entries OIDC_CLIENT_ID and OIDC_CLIENT_SECRET with the values noted down while creating the SSO registration in the previous steps.

Note

A ConfigMap is stored in plain text and is readable by anyone with view access on the project. If you prefer not to keep the client secret there, put OIDC_CLIENT_SECRET in a Secret instead; the DeploymentConfig step below can reference either source through Add Value from ConfigMap or Secret.

  • Now we need to update the DeploymentConfigs

Warning

The following steps update only the cron DeploymentConfig. You need to perform the same steps for the web and worker DeploymentConfigs as well; a pod still running the old image or missing the two variables will keep using the old SSO.

  • Click Overview, open the dropdown menu of the cron DeploymentConfig and click Edit.

  • Change the Image Stream Tag to 9.1.2-keycloak-sso.

  • Add entries to the Environment Variables using Add Value from ConfigMap or Secret (again OIDC_CLIENT_ID and OIDC_CLIENT_SECRET).
  • Once you are done, click Save and OpenShift will redeploy the necessary pods. (Remember to update the worker and web DeploymentConfigs as well.)
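The same change can be scripted with the oc CLI instead of clicking through the console. The script below is an added example, not CERN's own tooling, and it assumes names the page does not state: that the DeploymentConfigs are called cron, web and worker, that the ImageStream is named sentry, that the container inside each DeploymentConfig is named sentry, and that the credentials are stored in a Secret named sentry-oidc rather than in the sentry-environment ConfigMap. It renders the Secret and prints the oc commands as a plan so you can review them before applying.

```shell
#!/bin/sh
# Added example (not CERN's script): oc CLI equivalent of the console steps.
# Assumed names, not given on the page: DeploymentConfigs cron/web/worker,
# ImageStream "sentry", container "sentry", Secret "sentry-oidc".
set -eu

DCS="cron web worker"
IMAGE_STREAM_TAG="sentry:9.1.2-keycloak-sso"
SECRET_NAME="sentry-oidc"
CONTAINER="sentry"

# Render a Secret carrying the two OIDC values. A Secret is used instead of the
# sentry-environment ConfigMap because a ConfigMap is plain text to anyone with
# view access on the project, while Secrets can be restricted separately.
render_oidc_secret() {
  client_id="$1"
  client_secret="$2"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${SECRET_NAME}
type: Opaque
stringData:
  OIDC_CLIENT_ID: "${client_id}"
  OIDC_CLIENT_SECRET: "${client_secret}"
EOF
}

# Print, without running, the oc commands that inject OIDC_CLIENT_ID and
# OIDC_CLIENT_SECRET from the Secret and switch the ImageChange trigger of
# every DeploymentConfig to the keycloak-sso tag. Pipe the plan into sh to apply.
render_dc_plan() {
  for dc in ${DCS}; do
    echo "oc set env dc/${dc} --from=secret/${SECRET_NAME}"
    echo "oc set triggers dc/${dc} --from-image=${IMAGE_STREAM_TAG} -c ${CONTAINER}"
  done
}

# Number of DeploymentConfigs the plan touches; a sanity check that none of
# cron, web and worker was forgotten before the plan is applied.
plan_dc_count() {
  render_dc_plan | grep -c 'oc set env dc/'
}

# Usage (credentials taken from the environment so they do not end up in the
# script or in shell history):
#   render_oidc_secret "$OIDC_CLIENT_ID" "$OIDC_CLIENT_SECRET" | oc apply -f -
#   render_dc_plan          # review
#   render_dc_plan | sh     # apply; OpenShift then redeploys the pods
```

oc set env with --from=secret/NAME adds one environment variable per key of the Secret, so the keys must be exactly OIDC_CLIENT_ID and OIDC_CLIENT_SECRET; oc set triggers with --from-image rewrites the ImageChange trigger of the named container, which is what the Image Stream Tag field in the console edits.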

Configure your Sentry instance to use new SSO

  • Log into your Sentry instance as an admin, manager or owner of the Sentry organization.
  • Go to the auth settings of your Sentry organization: Settings -> Auth.
  • Disable the old CERN authentication. This sends e-mails to existing users asking them to set a password on their account; they do not need to do so, since Keycloak SSO will be set up in a few minutes.

  • Now enable CERN Keycloak SSO: click Configure next to CERN Keycloak (you will be redirected to the configuration form).

  • If everything looks ok, click Save Settings.

Note

Once users who used the old SSO log in through Keycloak, their existing Sentry identities are linked to the new SSO, provided the e-mail address asserted by Keycloak matches the one on their Sentry account. Users whose Sentry e-mail differs are not linked automatically, so check for such accounts before switching.