Background

As an enterprise practice, it is common to apply Single Sign-On (SSO) across all applications, so that user credentials can be managed in a centralised and secure manner.

Because StreamPark uses Apache Shiro for authentication and authorization, we use the Pac4j framework to implement the Single Sign-On (SSO) feature. Pac4j is recommended by the Shiro community as an SSO integration solution, and it is also used by other Apache projects such as Knox, Druid and Zeppelin.

SSO login workflow

We identified three main use cases, with the workflow for each shown below:

a) New user login when SSO is enabled (SSO Integration, figure 1)

b) Existing user login when SSO is enabled (SSO Integration, figure 2)

c) User login when SSO is not enabled (SSO Integration, figure 3)

How to enable SSO login

  • Enable SSO in application.yml:

    ...
    spring:
      profiles:
        active: mysql #[h2,pgsql,mysql]
        include: sso
    ...
    sso:
      # If set to true, provide the SSO properties in application-sso.yml
      enable: true
  • Select the preferred third-party login approach, such as GitHub or Google auth, refer to the pac4j configuration guide for more details on the parameter settings, and fill in the application-sso.yml config as below:

    pac4j:
      callbackUrl: http://localhost:10000/callback
      # Put all parameters under `properties`
      # The supported SSO config parameters for the different authentication clients are listed at
      # https://github.com/pac4j/pac4j/blob/master/documentation/docs/config-module.md
      properties:
        # principalNameAttribute:
        #   Optional, depends on the authentication client
        #   Replace the placeholders below with your client config when SSO is enabled
        principalNameAttribute: email
        oidc:
          type: google
          id: xxx
          secret: xxx
          useNonce: true
        # github:
        #   id: xxx
        #   secret: xxx
  • Start StreamPark and check that it redirects to the external login page correctly and completes the authentication process:

(SSO Integration, figures 4, 5 and 6: redirect to the external login page and return to the console)
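The template above ships with a cleartext localhost callback and placeholder credentials that must be replaced before a deployment. The following pre-flight check is an added example, not StreamPark or pac4j code: it parses only the simple `key: value` YAML subset used by application-sso.yml (a hypothetical minimal parser, not a full YAML implementation) and flags the settings that weaken the login flow. The sample configuration and the placeholder list are constructed for the example.

```python
import re

def parse_simple_yaml(text):
    """Parse the nested 'key: value' YAML subset used by application-sso.yml (no lists)."""
    root, stack = {}, []                       # stack holds (indent, mapping) pairs
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip comments; values here contain no '#'
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1] if stack else root
        if value.strip():
            parent[key] = value.strip()
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def check_sso_config(cfg):
    """Return findings (empty list = clean) for the pac4j section of a StreamPark config."""
    findings, pac4j = [], cfg.get("pac4j", {})
    url = pac4j.get("callbackUrl", "")
    if not url.startswith("https://"):
        findings.append("callbackUrl is not https: the authorization code is sent in cleartext")
    if re.search(r"//(localhost|127\.0\.0\.1)(:|/|$)", url):
        findings.append("callbackUrl points at localhost: fine for a local test, a deployment needs the console's public URL")
    for client, settings in pac4j.get("properties", {}).items():
        if not isinstance(settings, dict):
            continue                            # e.g. principalNameAttribute is a scalar
        for field in ("id", "secret"):
            if settings.get(field, "").lower() in {"", "xxx", "changeme"}:  # constructed placeholder list
                findings.append(f"{client}.{field} is a placeholder")
        if client == "oidc" and settings.get("useNonce", "false").lower() != "true":
            findings.append("oidc.useNonce is not true: the ID token is not bound to the login session")
    return findings

# Constructed sample mirroring the page's template before the placeholders are replaced.
SAMPLE_SSO_YML = """\
pac4j:
  callbackUrl: http://localhost:10000/callback
  properties:
    principalNameAttribute: email
    oidc:
      id: xxx
      secret: xxx
      useNonce: true
"""
```

Running `check_sso_config(parse_simple_yaml(SAMPLE_SSO_YML))` on the unedited template reports the cleartext localhost callback and both placeholder credentials; a copy with an https public callback URL and real client credentials yields no findings.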

Note

  • After a new user logs in via SSO, their account is added to StreamPark automatically at the backend. An admin still needs to add the user to the proper group manually; otherwise the new user cannot be directed to the landing page after a successful login.

  • Currently only OAuth and OpenID Connect (OIDC) are supported as login approaches. If you need SAML or CAS support, open streampark-console/streampark-console-service/pom.xml and edit the dependency below so that they are no longer excluded:

    <!-- Include pac4j-config/core/oauth/oidc -->
    <dependency>
      <groupId>org.pac4j</groupId>
      <artifactId>pac4j-springboot</artifactId>
      <version>${pac4jVersion}</version>
      <exclusions>
        <exclusion>
          <groupId>commons-collections</groupId>
          <artifactId>commons-collections</artifactId>
        </exclusion>
        <!-- cas & opensaml are not supported -->
        <exclusion>
          <groupId>org.pac4j</groupId>
          <artifactId>pac4j-cas</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.pac4j</groupId>
          <artifactId>pac4j-saml-opensamlv3</artifactId>
        </exclusion>
      </exclusions>
    </dependency>