Enable single sign-on

MSR and MKE share users by default, but the applications have distinct web UIs that each require separate authentication. You can, however, configure MSR to use single sign-on with MKE.

Note

Once you configure MSR to use single sign-on, you must create an access token to interact with MSR using the CLI.

Enable at install time

Include --dtr-external-url <msr-url> in the MSR install command, where <msr-url> is the MSR fully qualified domain name (FQDN) or the address of the load balancer, if one is in use:

docker run --rm -it \
mirantis/dtr:2.9.16 install \
--dtr-external-url <msr-url> \
--dtr-cert "$(cat cert.pem)" \
--dtr-ca "$(cat dtr_ca.pem)" \
--dtr-key "$(cat key.pem)" \
--ucp-url <mke-url> \
--ucp-username <user name> \
--ucp-ca "$(cat ucp_ca.pem)"

When you navigate to the MSR web UI, you are redirected to the MKE login page for authentication. After you authenticate, you are directed back to the MSR web UI.

Enable after install time

To enable single sign-on using the MSR web UI:

  1. Log in to the MSR web UI.

  2. In the left-side navigation panel, navigate to System.

  3. On the General tab, scroll down to Domains & Proxies.

  4. In the Load Balancer / Public Address field, enter the MSR FQDN or load balancer IP address, if one is in use. This is the URL where users will be redirected once they are logged in.

  5. Click Save.

  6. Scroll down to Single Sign-On and slide the toggle that is next to Automatically redirect users to MKE for login.

To enable single sign-on using the CLI:

Run the following reconfigure command:

docker run --rm -it \
mirantis/dtr:2.9.16 reconfigure \
--dtr-external-url <msr-url> \
--dtr-cert "$(cat cert.pem)" \
--dtr-ca "$(cat dtr_ca.pem)" \
--dtr-key "$(cat key.pem)" \
--ucp-url <mke-url> \
--ucp-username <user name> \
--ucp-ca "$(cat ucp_ca.pem)"
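
A pre-flight check for the certificate files passed to the install and reconfigure commands above, as an added example that is not part of the product documentation. The function name msr_sso_preflight is hypothetical, and the check assumes that the certificate given to --dtr-cert should name the host in --dtr-external-url, since that is the address users are sent back to after logging in at MKE.

```shell
#!/bin/sh
# Added example: sanity-check cert.pem, dtr_ca.pem and key.pem before passing
# them to --dtr-cert, --dtr-ca and --dtr-key.
# msr_sso_preflight is a hypothetical helper name, not an MSR command.
# Usage: msr_sso_preflight <msr-host> cert.pem dtr_ca.pem key.pem
msr_sso_preflight() {
    host=$1; cert=$2; ca=$3; key=$4
    rc=0

    # 1. The certificate must name the host used in --dtr-external-url
    #    (assumption: browsers return to this host after logging in at MKE).
    if openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
        grep -q 'does match'; then
        echo "ok:   certificate names $host"
    else
        echo "FAIL: certificate does not name $host"; rc=1
    fi

    # 2. The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "ok:   key matches certificate"
    else
        echo "FAIL: key does not match certificate"; rc=1
    fi

    # 3. The certificate must chain to the CA bundle passed to --dtr-ca.
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "ok:   certificate chains to CA bundle"
    else
        echo "FAIL: certificate does not chain to CA bundle"; rc=1
    fi

    # 4. The certificate must not already be expired.
    if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "ok:   certificate is within its validity period"
    else
        echo "FAIL: certificate is expired or unreadable"; rc=1
    fi

    return $rc
}
```

Run it with the host portion of <msr-url> and the same three files before install or reconfigure; a non-zero return means at least one check failed.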