RTF Ops Center Integration with Google

Author: Vikas Parikh

Objective

Once MuleSoft RTF (Run Time Fabric) is installed on the underlying infrastructure (AWS/ Azure/ Customer Hosted environment), Ops Center is accessible through the admin credential available in the logs. However, the same credentials need to be shared with the entire team. This could be a security issue, hence what is required is integration with IDM (such as  Google) so that every team member can sign into the Ops Center with their specific credentials. 

For the context of this document, we would install RTF onto AWS environment.

Prerequisite

• RTF installed on the AWS as per the guide: RTF installation for AWS

Google Integration

Google Set up

1. Go to https://console.developers.google.com/
2. Select the dropdown in front of Google APIs at the left. It will open up all the projects under your domain.

3. Click ‘New Project’ at the top right
4. Provide Project Name:  apisero-rtf-ops-center

5. Click ‘Create’
6. Project will be created. Select the project and configure the OAuth consent screen as below:
   – We will allow only internal users (users belonging to hosted domain – apisero.com)

7. Click Create
8. Under OAuth Consent Screen, configure below:

Application Name: Apisero RTF Ops Center

Application logo: Mulesoft

Authorized domains: apisero.com

9. Click Save
10. Navigate to ‘Credentials’ -> Create Credentials

11. Click OAuth Client ID Key
12. Configure parameters as below:

Application Type: Web Application

Name: Apisero RTF Ops Center

Authorized redirect URIs: https://<rtf-controller-public-dns>:32009/portalapi/v1/oidc/callback

13. Click Create
14. OAuth Client should be created. Copy the client Id and secret.

Ops Center Set up

1. Login to Ops Center as per earlier Step #6
2. Navigate to user name → settings

3. Click ‘Auth Connectors’ and then ‘+ Create’
4. Apply below connector configuration

kind: oidc
version: v2
metadata:
  name: Google
spec:
  redirect_url: "https://<rtf-controller-public-dns>:32009/portalapi/v1/oidc/callback"
  client_id: "<id>.apps.googleusercontent.com"
  client_secret: "<secret>"
  issuer_url: "https://accounts.google.com"
  scope: [email]
  claims_to_roles:
    - {claim: "hd", value: "apisero.com", roles: ["@teleadmin"]}

5. Only those Google users that belong to hosted domain as apisero.com (all Apisero users) will be able to sign into the Ops Center and they will be provisioned a role of @teleadmin

6. Click ‘Save’
7. Click Log out

Login with Google

1. Go to login page of the Ops Center
2. ‘Login with Google’ Button would now appear on the sign on screen

3. Click ‘Login with Google’
4. You will be redirected to Google login screen
5. Select the Apisero login account

6. Enter the correct password and hit Next

7. Ops Center dashboard appears with Google user (Apisero domain) logged in email ID

8. Google integration concludes here
9. Optionally, you can delete the ‘default’ admin user (as part of RTF installation set up) by navigating to user → settings → Users -> admin@runtime-fabric -> Actions -> Delete

With this, you will not be able to login to Ops Center with standard user.

The only login option would be to login with Google.