Background
As an enterprise practice, it is common to apply Single Sign-On (SSO) across all applications, so that user credentials are managed in a centralised and secure manner.
Since Streampark uses Apache Shiro for authentication and authorization, we use the Pac4j framework to implement Single Sign-On (SSO) support. Pac4j is the SSO integration recommended by the Shiro community, and it is also used by other Apache projects such as Knox, Druid and Zeppelin.
SSO login workflow
We distinguish three main use cases, shown in the workflow below:
a) A new user logs in when SSO is enabled
b) An existing user logs in when SSO is enabled
c) A user logs in when SSO is not enabled
How to enable SSO login
Enable SSO from application.yml:

```yaml
...
spring:
  profiles:
    active: mysql #[h2,pgsql,mysql]
    include: sso
...
sso:
  # If set to true, provide the SSO properties in application-sso.yml
  enable: true
```
Select the preferred third-party login approach, such as GitHub or Google auth (refer to the pac4j configuration guide for further parameter details), and fill in the application-sso.yml config as below:

```yaml
pac4j:
  callbackUrl: http://localhost:10000/callback
  # Put all parameters under `properties`
  # Check the supported SSO config parameters for the different authentication clients at
  # https://github.com/pac4j/pac4j/blob/master/documentation/docs/config-module.md
  properties:
    # principalNameAttribute:
    # Optional, varies by authentication client
    # Replace with your own client config when SSO is enabled
    principalNameAttribute: email
    oidc:
      type: google
      id: xxx
      secret: xxx
      useNonce: true
    # github:
    #   id: xxx
    #   secret: xxx
```

The `callbackUrl` must match the redirect URI registered with the identity provider exactly, and outside local development it should use https, because the provider sends the authorization code to that address.
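Before starting the server, it is worth running a pre-flight check over application-sso.yml for the settings that most often go wrong: placeholder credentials left in place, a callback URL the identity provider cannot reach or that uses plain http, OIDC without a nonce, and a missing principalNameAttribute. The following Python script is an added example, not code from the Streampark project or from pac4j. It embeds a constructed copy of the config shown above and reads it with a small indentation-based parser (enough for this file's key/value mappings, so it runs without PyYAML). The check rules, the placeholder list and the production/localhost distinction are this example's own assumptions.

```python
"""Pre-flight check for a Streampark application-sso.yml (added example,
not Streampark or pac4j code). The rules and the placeholder list below are
this example's own assumptions."""
import re
from urllib.parse import urlparse

# Constructed sample mirroring the config shown above; not a real deployment.
SAMPLE_SSO_YAML = """\
pac4j:
  callbackUrl: http://localhost:10000/callback
  # Put all parameters under `properties`
  properties:
    principalNameAttribute: email
    oidc:
      type: google
      id: xxx
      secret: xxx
      useNonce: true
"""

# Values that mean "nobody filled this in yet" (assumed list).
PLACEHOLDERS = {"", "xxx", "changeme", "your-client-id", "your-client-secret"}


def parse_simple_yaml(text):
    """Read the two-space-indented `key: value` mappings used in this file.

    Supports nested mappings, scalar values and comments only (no lists,
    quoting or multi-line scalars); it exists so the check runs without
    PyYAML, not as a general YAML parser.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:  # close mappings deeper than this line
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:
            parent[key] = child = {}
            stack.append((indent, child))
    return root


def check_sso_config(cfg, production=True):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    pac4j = cfg.get("pac4j", {})
    props = pac4j.get("properties", {})

    url = urlparse(pac4j.get("callbackUrl", ""))
    local = url.hostname in ("localhost", "127.0.0.1")
    if not url.scheme or not url.netloc:
        findings.append("callbackUrl: missing or not an absolute URL")
    elif url.scheme != "https" and not local:
        findings.append("callbackUrl: plain http; the authorization code "
                        "returned by the provider would travel unencrypted")
    elif production and local:
        findings.append("callbackUrl: localhost address in a production config; "
                        "the provider redirects the user's browser there")

    if not props.get("principalNameAttribute"):
        findings.append("principalNameAttribute: unset; pick the profile "
                        "attribute (e.g. email) to use as the principal name")

    # Every mapping under `properties` is treated as one authentication client.
    clients = {k: v for k, v in props.items() if isinstance(v, dict)}
    if not clients:
        findings.append("properties: no authentication client configured")
    for name, client in clients.items():
        for field in ("id", "secret"):
            if str(client.get(field, "")).strip().lower() in PLACEHOLDERS:
                findings.append(f"{name}.{field}: placeholder value; fill in "
                                f"the credentials issued by the provider")
        # The OIDC nonce binds the ID token to this login request, so a
        # replayed token is rejected (rule applied to the oidc client only).
        if name == "oidc" and str(client.get("useNonce", "")).lower() != "true":
            findings.append("oidc.useNonce: not true; a replayed ID token "
                            "would be accepted")
    return findings


if __name__ == "__main__":
    for finding in check_sso_config(parse_simple_yaml(SAMPLE_SSO_YAML)):
        print("FINDING:", finding)
```

To check a real file, replace SAMPLE_SSO_YAML with its contents; an empty finding list is the pass condition. On the sample above the script reports the localhost callback (in production mode) and the two `xxx` credentials, and it is silent once an https callback and real client credentials are filled in.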
Start Streampark and check that it redirects to the external login page correctly and completes the authentication process.
Note
After a new user logs in via SSO, their account is added to Streampark automatically at the backend. An admin still needs to add the user to the proper group manually; otherwise the new user still cannot reach the landing page after a successful login.
Currently only OAuth and OpenID Connect (OIDC) are supported as login approaches. If you need SAML or CAS support, go to streampark-console/streampark-console-service/pom.xml and remove the corresponding exclusion from the dependency below, so that pac4j-cas or pac4j-saml-opensamlv3 is included:

```xml
<!-- Include pac4j-config/core/oauth/oidc-->
<dependency>
  <groupId>org.pac4j</groupId>
  <artifactId>pac4j-springboot</artifactId>
  <version>${pac4jVersion}</version>
  <exclusions>
    <exclusion>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
    </exclusion>
    <!-- cas & opensaml is not supported-->
    <exclusion>
      <groupId>org.pac4j</groupId>
      <artifactId>pac4j-cas</artifactId>
    </exclusion>
    <exclusion>
      <groupId>org.pac4j</groupId>
      <artifactId>pac4j-saml-opensamlv3</artifactId>
    </exclusion>
  </exclusions>
</dependency>
```