4 Configuring CNC Console IAM

This section provides details on how to configure the CNC Console IAM.

Role Based Acess Control in CNC Console IAM

Role-Based Access Control (RBAC) is one of the main methods for advanced access control.

It enables you to restrict network access to authorized users based on their assigned roles.

Role

A Role is a collection of permissions that you can apply to users. Roles are defined according to the authority and responsibility of the users within the organization. Using roles makes it easier to add, remove, and update permissions to the users.

Composite Role

A Composite Role is a collection of one or more additional roles grouped together.

Types of Roles in CNC Console

Role Based Access Control (RBAC) is controlled by Identity and Access Management (IAM) functionality provided by CNCC IAM.

The following roles are predefined in the CNC Console IAM:

• ADMIN Level

  Role: ADMIN

  The user assigned with this role can access all the NF and CS resources within the CNC Console. The admin user can perform create, read, update, and delete operations. For example, the admin user can read, add, update, or delete MOS configurations for any NF and CS supported CNC Console application. The admin user can also be assigned to the Composite roles which contain all NF and CS level roles.
• NF Level

The user assigned with this role can perform read and write operations for the assigned NFs. NF level roles are classified into:

<NF>_READ: With this permission, the assigned user can perform the read operation for NFs.

For example, If user has POLICY_READ role, then the user can only read configurations of any MOs configurations within the Policy and cannot write or update or delete any record.

<NF>_WRITE: With this permission, the assigned user can perform create, read, update, and delete operations for NFs. For example, if user has POLICY_WRITE then the user can read or write or update or delete any MOs configurations within the NF.

• CS Level

  Role: CS_WRITE

  The user assigned with this role has access to all the common services and can perform CRUD operations.

  The user can perform create, read, update, and delete operations. The user can read, add, update, or delete MOS configurations for all common services such as Grafana, Kibana, Jaeger, Prometheus, Alertmanager supported by CNC Console application. For example, if user has CS_WRITE then, the user can read or write or update or delete any MOs configurations in common services.

Accessing Roles in CNC Console Applications

1. Log into CNC Console IAM using Admin credentials. The following screen appears.

   Figure 4-1 Realm Settings

   
2. To access or view the available roles, click Roles on the left pane. The defined roles are available on the right pane.

Figure 4-2 Roles

Note:

For the details about Multi-Cluster Roles, see Multi-Cluster Roles under CNC Console IAM Post Installation Steps section in Oracle Communication Cloud Native Core Console Installation and Upgrade Guide.

Creating or Updating Admin Password in CNC Console IAM

This section describes about creating or updating the admin password in CNC Console IAM.

Perform the following steps to create or update the admin password:

1. Select the Master Realm (Only applicable for Admin Users).

   Figure 4-3 Master Realm

   
2. Click Users on the left pane and click View all users on the right pane.

   Figure 4-4 view all users

   
   The following screen appears.
3. Click Edit under Actions to update the credentials.

   Figure 4-5 Edit User

   
   The following screen appears.
4. Under Credentials tab, set Temporary to OFF and update the Password.

   Figure 4-6 Credentials

   

Creating or Updating User Password in CNC Console IAM

This section describes about creating or updating the user password in CNC Console IAM.

Perform the following steps to create or update the user password:

1. On the left pane, click Realm Settings. The following screen appears.

   Figure 4-7 Realm Settings

   
2. Click Users on the left pane and click view all users on the right pane.

   Figure 4-8 view all users

   
   The following screen appears.
3. Click Edit under Actions to update the credentials.

   Figure 4-9 Users

   
   The following screen appears.
4. Under Credentials tab, set Temporary to OFF and update the Password.

   Figure 4-10 Credentials

   

Configuring the CNC Console Redirection URL

After a successful deployment of CNC Console IAM, the administrator must perform the following steps to configure the CNC Console redirection URL:

1. Log into CNC Console IAM using admin credentials provided during installation.
2. On the left pane, select Clients and on the right pane select cncc.

   Figure 4-11 Clients Screen

   

3. Enter CNCC Core Ingress URI in the Root URIs field and Save.

   <scheme>://<cncc-mcore-ingress IP/FQDN>:<cncc-core-ingress Port>
    

   Note:

   Redirection url is pre-populated, only root url needs to be configured as part of Post-Installation procedure.

   Figure 4-12 Redirection url

   

Users in CNC Console IAM

This section includes:

• Creating the users
• Viewing the users
• Assigning the roles to the users

Note:

For the details about Setting or updating the admin password refer Creating or Updating Admin Password in CNC Console IAM

Note:

For the details about Setting or updating the user password refer Creating or Updating User Password in CNC Console IAM

Creating the Users

1. Click Realm Settings under Cncc.

   

2. Click Users under Manage on the left pane and click Add user on the right pane.

   

3. Add user screen appears. Add the user details and click Save.

   

4. The user has been created and the user details screen appears.

   

5. For setting the password for the user, click Users under Manage on the left pane and click the Credentials tab on the right pane. Set the password for the user.

   

Note:

Setting the Temporary flag ON prompts the user change the password when logging in to the CNC Console for the first time.

Viewing the Users

1. Click Realm settings.

   

2. Select Users under Manage in the left pane and select View all users in the right pane.

   

The list of users and their details appears in the right pane.

Assigning Roles to the User

1. Select Users under Manage in the left pane and click View all users in the right pane. Choose any user. Select Role Mappings tab in the right pane of the user screen and select the roles from Available roles and click Add selected.

   

The selected roles will be assigned to the user.

Integrating SAML SSO with CNC Console IAM

Overview

Security Assertion Markup Language (SAML) is an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP). The identity provider authenticates the user and returns the assertion information about the authenticated user and the authentication event to the application. Using SSO, if the user tries to access any other application that uses the same identity provider for user authentication, the user need not login again. This is the principle of SSO (Single Sign On).

Note:

CNCC supports SAML 2.0.

Configuring SAML Identity Provider in CNCC IAM

1. To configure SAML identity provider (IdP) in CNCC IAM, log in to CNCC IAM Console using admin credentials provided during installation of CNCC IAM .

   http://<cncc-iam-ingress-extrenal-ip>:<cncc-iam-ingress-service-port> 
   Example: http://cncc-iam-ingress-gateway.cncc.svc.cluster.local:30085/

   Figure 4-13 Login screen

   

2. Click Cncc realm and click the Identity Provider tab on the left pane. Identity Providers screen appears on the right pane.

   Figure 4-14 Identity Provider Screen

   
3. Choose the SAML v2.0 from the Add provider drop-down list. The Add Identity Provider screen appears.

   Figure 4-15 Add Identity Provider screen

   

   Note:

   • Give an appropriate name for the field Display Name.
   • At Import External IDP Config, upload the 'idp-metadata.xml' file that is exported from SAML client in the IdP.

   Click Import and Save. The other required fields will be filled in automatically.

   Perform the following procedure to configure the IDP manually, if you are facing difficulty in importing the metadata file from the IDP Client:

   1. Select SAML v2.0 in add Provider selection box
   2. Set the value of Single Sign-On Service URL to the URL of the preferred IDP.
   3. Example: <IP/FQDN>:<PORT>/auth/realms/master/protocol/saml (URI for their preferred IDP where SAML AuthnRequest will be sent).
   4. Set the value of Single Logout Service URL.

      Example: <IP/FQDN>:<PORT>/auth/realms/master/protocol/saml (URI for their preferred IDP where Logout requests must be sent).

   5. If the IDP supports HTTP POSTbinding methods, enable HTTP-POST Binding Response, HTTP-POST Binding Logout and HTTP-POST Binding for AuthnRequest flags. ( By default, HTTP-Redirect will be used)
   6. If the IDP is sending signed Assertions, set Want Assertions Signed to ON.
   7. Set Validate Signature to ON.
   8. Provide value for Validating X509 Certificates (If you are using Keycloak as an IDP, use the certificate from master realm -> Realm Settings -> Keys).

      

   9. Click Save.

   IDP is now configured manually.

4. To create custom 'First Login Flow', click Authentication tab on the left pane. The Authentication screen appears.

   

5. Click New on the right pane. Create Top Level Form screen appears.

   

   Enter the appropriate alias and click Save.

6. The Authentication screen with the newly created custom flow selected in the drop-down list appears. Click Add Execution on the right pane .

   

7. Create Authenticator Execution screen appears.

   

   Select Create User If Unique from the Provider drop-down list. Click Save.

8. The Authentication screen with the newly created custom flow selected in the drop-down. Under Requirement section, select Alternative.

   

9. Click Identity Provider in the left pane. Select the custom flow from First Login Flow drop-down list.

   

The above screen appears. Now the SAML Idp roles must be mapped with CNC Console IAM API roles.

Note:

CNCC IAM(SP) Configuration in IDP

In a SAML based SSO Implementation, the IDP needs to send SAML assertions towards a Service Provider (CNCC IAM in this case) endpoint.

Use the following CNCC endpoint in the IDP :

http://<IP/FQDN>:<PORT>/cncc/auth/realms/cncc/broker/saml/endpoint

Example:

http://cncc-iam-ingress-gateway.cncc.svc.cluster.local:30085/cncc/auth/realms/cncc/broker/saml/endpoint

Mapping SAML IdP roles with CNC Console IAM API roles

1. After saving SAML IdP configurations in CNCC IAM, select Identity Providers on the left pane and clock Mappers tab on the right pane. Click Create.

   

2. Add Identity Provider Mapper Screen appears.

   

   • Give an appropriate name for the field Identity Provider Mapper.
   • Select 'SAML Attribute to Role' from Mapper Type drop-down.
   • Enter the Attribute Value as the one of the roles added in SAML IdP. Example: 'NRF', 'SCP', etc.
   • Click Select Role to select the API roles to be enabled for this mapping.
   • Click Save.

   

You can create any number of mapping as per the requirements.

Accessing CNCC Core Application

1. To log in to CNCC Core, browse to the application using hostname and port. The user will be redirected to CNCC IAM (broker).

   http://<cncc-core-ingress-extrenal-ip>:<cncc-iam-ingress-service-port> 
   Example: http://cncc-core-ingress-gateway.cncc.svc.cluster.local:30075/  

   

2. Click Single Sign On to authenticate using SAML SSO. The user is redirected to SAML IdP log in. Enter user details to access CNCC Core application.

Integrating CNC Console LDAP Server with CNC Console IAM

Overview

The CNC Console IAM can be used as an integration platform to connect it into existing LDAP and Active Directory servers.

User Federation in CNC Console-IAM let the user to sync users and groups from LDAP and Active Directory servers and assign roles respectively.

CNCC IAM provides an option to configure a secured connection URL to your LDAP store.

example: `ldaps://myhost.com:636'

CNCC IAM uses SSL for communication with the LDAP server. The truststore must be properly configured on the CNCC IAM server side, otherwise CNCC IAM cannot trust the SSL connection to LDAP.

Sample LDAP ldif File

dn: dc=oracle,dc=org
objectclass: top
objectclass: domain
objectclass: extensibleObject
dc: oracle
 
dn: ou=groups,dc=oracle,dc=org
objectclass: top
objectclass: organizationalUnit
ou: groups
 
dn: ou=people,dc=oracle,dc=org
objectclass: top
objectclass: organizationalUnit
ou: people
 
dn: uid=ben,ou=people,dc=oracle,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Ben Alex
sn: Alex
uid: ben
userPassword: benspass
 
dn: uid=bob,ou=people,dc=oracle,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Bob Hamilton
sn: Hamilton
uid: bob
userPassword: bobspass
 
dn: uid=joe,ou=people,dc=oracle,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Joe Smeth
sn: Smeth
uid: joe
userPassword: joespass
 
dn: cn=admin,ou=groups,dc=oracle,dc=org
objectclass: top
objectclass: groupOfUniqueNames
cn: admin
uniqueMember: uid=ben,ou=people,dc=oracle,dc=org
ou: admins
 
dn: cn=scp,ou=groups,dc=oracle,dc=org
objectclass: top
objectclass: groupOfUniqueNames
cn: scp
uniqueMember: uid=ben,ou=people,dc=oracle,dc=org
uniqueMember: uid=joe,ou=people,dc=oracle,dc=org
ou: scpusers
 
dn: cn=nrf,ou=groups,dc=oracle,dc=org
objectclass: top
objectclass: groupOfUniqueNames
cn: nrf
uniqueMember: uid=ben,ou=people,dc=oracle,dc=org
uniqueMember: uid=bob,ou=people,dc=oracle,dc=org
ou: nrfusers

Configuring User Federation with CNC Console IAM

This section provides information about configuring user federation with CNC Console IAM (LDAP Server integration).

1. Login to CNCC IAM console http://<cncc-iam-ingress-ip>:<cncc-iam-ingress-port> using admin credentials provided during installation of CNCC IAM.

   Figure 4-16 Login Screen

   

2. Click Realm Settings and click Add realm under Cncc. Click the User Federationon the left pane. The User Federation screen appears in the right pane.

   Figure 4-17 User Federation Screen

   

3. From the drop-down list in the User federation screen select ldap, the Add user federation provider screen appears.

   Figure 4-18 Add user federation provider screen

   
4. Enter the values for the following fields:
   • Console Display Name: Enter the display name.
   • Edit Mode: Select READ_ONLY.
   • Vendor: Enter the LDAP server provider name for the company.

   Note:

   This usually fill the defaults for many of the fields. But in case user have a different setup than the defaults, the correct values must be provided. Current set up is Spring embedded LDAP, so select the last option "Other" from the drop-down list.

   Figure 4-19 User Federation

   
   • In most case the UUID LDAP attribute value set as "entryUUID". If you do not have a suitable value, use an alternate unique identifier.
   • The default setting for Import Users is 'ON'. Change it to 'OFF' to disable user sync.
   • Provide company LDAP server details. The same as provided for ldap-ldif file, that is, the connection url (hostname prefixed with ldap:// or when LDAP Secure connection enabled (LDAPS) hostname prefix should be ldaps://), the port.
   • If the LDAP is secured then select 'simple' from the Bind Type drop-down and provide the admin bind username and password else select Bind Type as "none". Sample data for the field Bind DN "cn=admin,dc=oracle,dc=org".
   • Click "Test Connection" and "Test Authentication".
   • Set Cache policy as "NO_CACHE".
5. After filling the required fields, the screen appears as below. Click Save.

   Figure 4-20 User Federation

   

6. New buttons (Synchronize changed users, Synchronize all users, Remove imported, Unlink users) appears next to the Save and Cancel.

   Figure 4-21 User Federation

   

7. To import users to CNCC IAM, Click Synchronize all users. If the synchronization is successful, the success message appears. If the synchronization fails, see the troubleshooting section in Oracle Communication Cloud Native Core Console Installation and Upgrade Guide and also look at cncc-iam logs in debug mode. See CNC Console Logs for further details.

   Figure 4-22 User Federation

   

8. The user can view the imported users by clicking Users under Manage in the left pane and click View all users in the right pane. The list of users and details appears.

   Figure 4-23 User Screen

   

9. The user can remove the imported users by clicking the Remove imported and set Import Users to OFF to ensure that the users are not imported to CNCC IAM on your subsequent logins.

   Figure 4-24 User Screen

   

Note:

The steps 8 and 9 are optional.

Grouping the LDAP Mapper and Assigning the Roles

When an LDAP Federation provider is created, CNC Console-IAM provides a set of built-in mappers for this provider. User can change the set and create a new mapper or update and delete existing ones.

Group Mapper

The Group Mapper allows you to configure group mappings from LDAP into cncc-iam group mappings. Group mapper can be used to map LDAP groups from a particular branch of an LDAP tree into groups in cncc-iam. It also propagates user-group mappings from LDAP into user-group mappings in cncc-iam.

Perform the following procedure to add the group mapper and assign the roles:

1. Click Configure and click User Federation. Click ldap and select the Mappers tab, and click Create.

   

2. The Add User federation mapper page appears. Give an appropriate name for the field Name. Select 'group-ldap-mapper' as Mapper Type drop down menu. Click Save.

   

   The following screen appears.

   

   Note:

   When selected, default values will be set by cncc-iam. But you need change some values based on your ldap records.
3. Click Save. New buttons appears next to the Save and Cancel. They are Synchronize LDAP Groups to Keyclaok and Synchronize Keyclaok Groups to LDAP.

   

4. Click Synchronize LDAP Groups to Keyclaok. The success message appears with the number of groups imported and so on.

   

   Note:

   If this step fails then you might need to check to the trouble shooting section and look at cncc-iam logs in debug mode. See the Oracle Communication Cloud Native Core ConsoleTroubleshooting Guide and see CNC Console Logs for further details.
5. Select the Groups in the left pane and click the View all groups in the right pane.

   

6. Click any group and click Edit. The following tabs appear: Settings, Attributes, Role Mappings, and Members.

   

   • Select Role Mapping tab to see a list of roles that are pre-defined in cncc-iam.
   • Select one or more roles from Available Roles and assign it to the group. For example, If group "admin" is assigned with role "ADMIN", it means that any user which belongs to the admin group will be automatically assigned the admin role which allows him to access all the NF resource of CNC console that it supports.
   • Once done you can test authentication and authorization by logging into CNC Console GUI.

   Note:

   • When the password of user is updated from CNCC-IAM and sent to LDAP, it is always sent in plain-text. This is different from updating the password to built-in CNCC-IAM database, when the hashing and salting is applied to the password before it is sent to DB. In the case of LDAP, the CNCC-IAM relies on the LDAP server to provide hashing and salting of passwords.
   • Most of LDAP servers (Microsoft Active Directory, RHDS, FreeIPA) provide this by default. Some others (OpenLDAP, ApacheDS) may store the passwords in plain text by default and user need to explicitly enable password hashing for them.