IBM Security Verify

Acknowledgment: Sandeep Patil (STSM, IBM Storage), Sunil Angadi (IBM Ceph Storage), Sayalee Raut (IBM Ceph Storage) and Deepak Thorat (IBM Security Verify)

Content 

Introduction

• Background

• Multi-factor authentication (MFA) needs and benefit

• IBM Ceph Storage Configuration Steps
• IBM Security Verify Configuration Steps
• Conclusion

Introduction - 

IBM Storage Ceph provides an open, scalable, and software-defined multi-protocol storage solution designed to consolidate data anywhere, and the global data platform consolidates data everywhere. Engineered to be self-healing and self-managing with no single point of failure. IBM Storage Ceph is object storage optimized for enterprise, unified for simplicity, and software-defined for flexibility.

There is a need to secure the crown jewel data with a zero trust approach and hence access to IBM Ceph Storage configuration and dashboard also needs to be protected using second-factor authentication. 

IBM Security Verify (ISV) protects users and applications both inside and outside the enterprise while enabling technical agility and operational efficiency as a cloud-native solution. Beyond single-sign-on and multi-factor authentication, Verify is a modernized, modular IDaaS that provides deep AI-powered context for risk-based authentication and adaptive access decisions, guided experiences for developer time-to-value, and comprehensive cloud Identity and Access Management (IAM) capabilities. From privacy and consent management to holistic risk detection and identity analytics, Verify centralizes workforce and consumer IAM for any hybrid cloud deployment.

In this article, we will see how IBM Storage Ceph and IBM Security Verify (ISV) can be configured to achieve the Single Sign On (SSO) and MFA for the Ceph GUI dashboard. 

The deployment requires configuration at the IBM Security Verify end followed by IBM Ceph storage.

In the below sample example, we are using IBM Security Verify and Ceph  Version 17.2.6 using SAML capabilities. (Same configuration and steps works with IBM Ceph as well)

In the below example, the Ceph admin user will log in to the Ceph dashboard which will redirect the user to ISV (due to SAML configuration). ISV has the identity to authenticate and at the same time, ISV is configured with an access policy that imposes Multi-factor authentication (MFA) for the Ceph Dashboard application. In this way, we achieve the Ceph admin user to be redirected to ISV for authentication and MFA. 

Here ISV is the Identity provider and Ceph is a service provider and configured as an application on ISV - the identity provider needs to have identity so the user needs to be present there and the account of that user needs to be there on Ceph side.  

IBM Security Verify (ISV) configuration:

We are going to use the ‘Custom application’ capability of ISV where the Ceph Dashboard will be registered as an application. Below are the steps that need to follow for ISV-Ceph SAML integration.

Step 1: Create Custom Application in ISV Admin console:

• Login to the ISV Admin console and select Application tab -- > Click Add Application  → Select Application type as Custom Application
  

• In the Application Setting → General tab provide the Application name and Company name. 
  

• Then in the Sign-On tab select/ fill in below details:

• • Sign-on method : SAML 2.0

  • Provider ID : https://<ceph_dashboard_host>:<port>/auth/saml2/metadata

  • Assertion consumer service URL (HTTP-POST)*: https://<ceph_dashboard_host>:<port>/auth/saml2

  • Target URL: https://<ceph_dashboard_host>:<port>/#/dashboard

  • Service provider SSO URL*: https://<ceph_dashboard_host>:<port>/#/dashboard

  • Single logout URL (HTTP-POST): https://<ceph_dashboard_host>:<port>/

  • Signature algorithm*: RSA-SHA256

  • SAML subject

    • NameID format*: Email

    • Name identifier: preferred_username

  • Attribute mappings

    • username: preferred_username

    • email: email

  • Access Policies:

    • Always required 2FA in all devices

       Then Save the Application.

      Below is a sample snapshot for your reference.

      Note: Some of the above settings may change based on your requirements and system details.

Then In the Entitlements tab, select Access Type to Automatic access for all users and groups and Save the Application.

           Note: The Ceph Dashboard URL is required to be reachable to IBM Security Verify either directly or via proxy. You can use IAG as a proxy component.  

           IAG document - https://www.ibm.com/docs/en/security-verify?topic=integrations-application-gateway

Step 2: Go to the ISV Ceph Custom application (Created on above step) setting tab and and navigate to the Sign-on tab (as shown in the figure) and review the right panel, copy the ISV tenant metadata URL given at Prerequisites section no. 4

“Upload the identity provider federation metadata, which you can download from the following URL ; Generally, URL will be: https://<ISV_tenant_host_name>/v1.0/saml/federations/saml20ip/metadata"

IBM Storage Ceph configuraion:

Step 3: Set up SAML SSO between ISV and Ceph using Ceph Command.

1. Login to the Ceph host using admin user where the Ceph Command line is already installed and execute the below commands:

   1.  sudo cephadm shell

   2. Run below command to set up SAML SSO

      • ceph dashboard sso setup saml2 https://<ceph_dashboard_host>:<port> https://<ISV_tenant_host_name>/v1.0/saml/federations/saml20ip/metadata username https://<ISV_tenant_host_name>/saml/sps/saml20ip/saml20
        
        

 Sample Input:

ceph dashboard sso setup saml2 https://<ceph-admin-ip>:8443 https://<ISV_Tenant_hostname>/v1.0/saml/federations/saml20ip/metadata username https://<ISV_Tenant_hostname>/saml/sps/saml20ip/saml20

Sample Output:

{"sp": {"entityId": "https://<ceph-admin-ip>:8443/auth/saml2/metadata", "assertionConsumerService": {"url": "https://<ceph-admin-ip>:8443/auth/saml2", "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"}, "attributeConsumingService": {"serviceName": "Ceph Dashboard", "serviceDescription": "Ceph Dashboard Service", "requestedAttributes": [{"name": "username", "isRequired": true}]}, "singleLogoutService": {"url": "https://<ceph-admin-ip>:8443/auth/saml2/logout", "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"}, "x509cert": "", "privateKey": "", "NameIDFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"}, "security": {"nameIdEncrypted": false, "authnRequestsSigned": false, "logoutRequestSigned": false, "logoutResponseSigned": false, "signMetadata": false, "wantMessagesSigned": false, "wantAssertionsSigned": false, "wantAssertionsEncrypted": false, "wantNameIdEncrypted": false, "metadataValidUntil": "", "wantAttributeStatement": false}, "idp": {"entityId": "https://ISV_Tenant_Hostname/saml/sps/saml20ip/saml20", "singleSignOnService": {"url": "https://ISV_Tenant_Hostname/saml/sps/saml20ip/saml20/login", "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"}, "singleLogoutService": {"url": "https://<ISV_Tenant_Hostname>/saml/sps/saml20ip/saml20/slo", "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"}, "x509cert": ""}}

c. Validate the assertionConsumerService, singleLogoutService of Service Provider (SP) in above output is same as Step 1 - Create application step

d. Run the below command and validate that SSO is enabled.

           ceph dashboard sso status

           Sample Output: SSO is "enabled" with "SAML2" protocol.

Step 4: Validate ISV-Ceph SAML SSO working as expected:

• Access the IBM Ceph Storage dashboard URL. It will redirect to ISV for authentication. After successful multi factor authentication, it will redirect to Ceph Dashboard. Ex. https://<ceph-admin-ip>:8443/#/dashboard
  

To set up SSO, we need to provide Ceph dashboard URL as input. The given input is used for setup SSO between Ceph dashboard and ISV. When a user accesses Ceph dashboard URL then Ceph identifies that SAML SSO is configured with the given URL and redirects to the ISV login page. Below document gives detail information of each input required to setup SSO..
https://docs.ceph.com/en/quincy/mgr/dashboard/#dashboard-sso-support

So far we have configured Ceph Dashboard for SSO and MFA with ISV. Now lets try to get a new user created on ISV and Ceph to exercise the SSO and MFA flow. 

1. Add a new user in Ceph with the name testuser and roles administrator using the below commands:

   Create a Password file with prefilled user password:
   Ex. echo -n "password!" > pass.txt
   
   Create new users with administrator Roles.
   Command: ceph dashboard ac-user-create testuser -i pass.txt administrator
Output: {"username": "testuser", "password": "$2b$12$Kom7Sf96CQE4xORFfIyjFeZneAxMH0B4.0HzkxBUtJmaxvWaPi1k6", "roles": ["administrator"], "name": null, "email": null, "lastUpdate": 1691576827, "enabled": true, "pwdExpirationDate": null, "pwdUpdateRequired": false}
   
    Reset the password of the user.
   Command: ceph dashboard ac-user-set-password enduser -i pass.txt
Output: {"username": "testuser", "password": "$2b$12$gZ/Mm0dFVto3/Ui1zhqjCu3keI6Er0HcaNfe5.jFuTNbTIVfk4vBa", "roles": ["administrator"], "name": null, "email": null, "lastUpdate": 1691576851, "enabled": true, "pwdExpirationDate": null, "pwdUpdateRequired": false}

2.   Add the new user in ISV using the ISV admin console with the User name testuser. 

   
   
   

   When the User testuser access Ceph URL and the user is redirected to the ISV login page after successful login and MFA, Ceph allows accessing the Dashboard with the same role and responsibility

   

   
   
   

   

   Conclusion:

   In this Blog we saw how one can enable MFA for IBM Ceph Storage Dashboard using IBM Security Verify.

   Useful links: 

   https://docs.ceph.com/en/quincy/mgr/dashboard/#dashboard-sso-support

   https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6/html-single/dashboard_guide/index#enabling-single-sign-on-for-the-ceph-dashboard_dash