Install and configure Edge SSO

Edge for Private Cloud v4.18.05

To install and configure the Edge single sign-on (SSO) module, you must first generate two sets of TLS keys and certificates. The Edge SSO module uses Transport Layer Security (TLS) to secure information transfer as part of the SAML IdP handshake.

Create the TLS keys and certificates

The following steps create self-signed certificates, which may be adequate for a test environment. For a production environment you typically need to request certificates signed by a CA.

To create the verification and signing keys and a self-signed certificate:

  1. sudo mkdir -p /opt/apigee/customer/application/apigee-sso/jwt-keys
  2. cd /opt/apigee/customer/application/apigee-sso/jwt-keys/
  3. sudo openssl genrsa -out privkey.pem 2048
  4. sudo openssl rsa -pubout -in privkey.pem -out pubkey.pem
  5. sudo chown apigee:apigee *.pem

Create the key and self-signed certificate (without a passphrase) used to communicate with the SAML IdP:

  1. sudo mkdir -p /opt/apigee/customer/application/apigee-sso/saml/
  2. cd /opt/apigee/customer/application/apigee-sso/saml/
  3. Generate the private key with a passphrase:
    sudo openssl genrsa -aes256 -out server.key 1024
  4. Remove the passphrase from the key:
    sudo openssl rsa -in server.key -out server.key
  5. Generate the certificate signing request for the CA:
    sudo openssl req -x509 -sha256 -new -key server.key -out server.csr
  6. Generate the self-signed certificate (valid for 365 days):
    sudo openssl x509 -sha256 -days 365 -in server.csr -signkey server.key -out selfsigned.crt
  7. sudo chown apigee:apigee server.key
  8. sudo chown apigee:apigee selfsigned.crt

If you enable TLS on the Edge SSO module by setting SSO_TOMCAT_PROFILE to SSL_TERMINATION or SSL_PROXY, you cannot use a self-signed certificate. You must generate a certificate issued by a CA. See Configure apigee-sso for HTTPS access.

Install and configure Edge SSO for HTTP access

To install the Edge SSO module, apigee-sso, you must follow the same procedure that you used to install Edge. apigee-sso is represented by an RPM file, which means the user performing the installation must be root or a user with full sudo access. For more information, see the Edge installation overview.

Pass a configuration file to the installer. The configuration file has the following format:

IP1=hostname_or_ip_of_management_server
IP2=hostname_or_ip_of_UI_and_apigee_sso

## Management Server configuration.
MSIP=$IP1
MGMT_PORT=8080
# Edge sys admin username and password as set when you installed Edge.
ADMIN_EMAIL=opdk@google.com
APIGEE_ADMINPW=Secret123
# Set the protocol for the Edge management API. Default is http. 
# Set to https if you enabled TLS on the management API.
MS_SCHEME=http

## Postgres configuration.
PG_HOST=$IP1
PG_PORT=5432
# Postgres username and password as set when you installed Edge.
PG_USER=apigee
PG_PWD=postgres

# apigee-sso configuration.
SSO_PROFILE="saml"
# Externally accessible IP or DNS name of apigee-sso.
SSO_PUBLIC_URL_HOSTNAME=$IP2
# Default port is 9099. If changing, set both properties to the same value.
SSO_PUBLIC_URL_PORT=9099
SSO_TOMCAT_PORT=9099
# Set Tomcat TLS mode to DEFAULT to use HTTP access to apigee-sso.
SSO_TOMCAT_PROFILE=DEFAULT
SSO_PUBLIC_URL_SCHEME=http

# SSO admin user name. The default is ssoadmin.
SSO_ADMIN_NAME=ssoadmin
# SSO admin password using uppercase, lowercase, number, and special chars. 
SSO_ADMIN_SECRET=Secret123

# Path to signing key and secret from "Create the TLS keys and certificates" above.
SSO_JWT_SIGNING_KEY_FILEPATH=/opt/apigee/customer/application/apigee-sso/jwt-keys/privkey.pem
SSO_JWT_VERIFICATION_KEY_FILEPATH=/opt/apigee/customer/application/apigee-sso/jwt-keys/pubkey.pem

# Name of SAML IDP. For example, okta or adfs. 
SSO_SAML_IDP_NAME=okta
# Text displayed to user when they attempt to access Edge UI.
SSO_SAML_IDP_LOGIN_TEXT="Please log in to your IDP"

# The metadata URL from your IDP.
# If you have a metadata file, and not a URL, 
# see "Specifying a metadata file instead of a URL" below.
SSO_SAML_IDP_METADATA_URL=https://dev-343434.oktapreview.com/app/exkar20cl/sso/saml/metadata

# Specifies to skip TLS validation for the URL specified
# by SSO_SAML_IDP_METADATA_URL. Necessary if URL uses a self-signed cert. 
# Default value is "n".
SSO_SAML_IDPMETAURL_SKIPSSLVALIDATION=n

# SAML service provider key and cert from "Create the TLS keys and certificates" above.
SSO_SAML_SERVICE_PROVIDER_KEY=/opt/apigee/customer/application/apigee-sso/saml/server.key
SSO_SAML_SERVICE_PROVIDER_CERTIFICATE=/opt/apigee/customer/application/apigee-sso/saml/selfsigned.crt
# The passphrase used when you created the SAML cert and key. 
# The section "Create the TLS keys and certificates" above removes the passphrase, 
# but this property is available if you require a passphrase.
# SSO_SAML_SERVICE_PROVIDER_PASSWORD=samlSP123

# Must configure an SMTP server so Edge SSO can send emails to users.
SKIP_SMTP=n
SMTPHOST=smtp.example.com
SMTPUSER=smtp@example.com
# omit for no username
SMTPPASSWORD=smtppwd
# omit for no password
SMTPSSL=n
SMTPPORT=25
SMTPMAILFROM="My Company <myco@company.com>"

To install the Edge SSO module:

  1. Log in to the Management Server node. apigee-service should already be installed on that node, as described in Install the Edge apigee-setup utility.

    Note that you can install Edge SSO on a different node. However, that node must be able to reach the Management Server on port 8080.

  2. Install apigee-sso:
    /opt/apigee/apigee-setup/bin/setup.sh -p sso -f configFile

    where configFile is the configuration file shown above.

  3. Install the apigee-ssoadminapi.sh utility, which you use to manage admin and machine users for the apigee-sso module:
    /opt/apigee/apigee-service/bin/apigee-service apigee-ssoadminapi install
  4. Log out of the shell and log back in so that apigee-ssoadminapi.sh is added to your path.

Specifying a metadata file instead of a URL

If your IdP does not support an HTTP/HTTPS metadata URL, you can use a metadata XML file to configure Edge SSO:

  1. Copy the metadata XML from your IdP to a file on the Edge SSO node. For example, copy the XML to:
    /opt/apigee/customer/application/apigee-sso/saml/metadata.xml
  2. Change the ownership of the file to apigee:apigee:
    chown apigee:apigee /opt/apigee/customer/application/apigee-sso/saml/metadata.xml
  3. Set the value of SSO_SAML_IDP_METADATA_URL to the absolute file path:
    SSO_SAML_IDP_METADATA_URL=file:///opt/apigee/customer/application/apigee-sso/saml/metadata.xml

    You must prefix the file path with file://, followed by the absolute path starting from root (/).
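A quick pre-install check of the SSO_SAML_IDP_METADATA_URL value catches the two mistakes this section warns about (a relative path after file://, or a file that is not actually SAML metadata) before setup.sh runs. This is an added example, not part of the Apigee documentation; it assumes the metadata is a standard SAML 2.0 EntityDescriptor or EntitiesDescriptor document, and the entityID shown in its usage is a constructed placeholder.

```shell
# Added example (not from the Apigee docs): validate the SSO_SAML_IDP_METADATA_URL value
# before running setup.sh. Assumes standard SAML 2.0 metadata (EntityDescriptor root).

# Return 0 for an http(s) URL, or for a file:// URL whose absolute path points at a
# readable SAML metadata document; print the reason to stderr and return 1 otherwise.
check_idp_metadata_url() {
  url="$1"
  case "$url" in
    http://*|https://*) return 0 ;;
    file:///*)
      path="${url#file://}"
      [ -r "$path" ] || { echo "metadata file missing or unreadable: $path" >&2; return 1; }
      # Root element may carry a namespace prefix (md:) or none at all.
      grep -Eq '<([A-Za-z0-9]+:)?Entit(y|ies)Descriptor' "$path" \
        || { echo "file does not look like SAML metadata: $path" >&2; return 1; }
      ;;
    file://*)
      echo "file:// must be followed by an absolute path, for example file:///opt/..." >&2
      return 1 ;;
    *) echo "unsupported metadata URL scheme: $url" >&2; return 1 ;;
  esac
}

# Print the first entityID found in a metadata file, so you can confirm it is the IdP you expect.
idp_entity_id() {
  sed -n 's/.*entityID="\([^"]*\)".*/\1/p' "$1" | head -n 1
}
```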