User Provider

The container is secured by default. Users and services must authenticate before they are allowed to use the container. Containers built from within Digital Enterprise Suite (DES) are automatically configured to use that DES instance as their authorization server. No additional configuration is required beyond network connectivity between the deployed containers and the DES instance.

Important security aspects to take into account when building and running Digital Distributed Containers:

  1. Containers are built for a given execution environment (e.g. prod).

  2. Security restrictions from that execution environment are included in the container.

  3. Access rights are enforced based on the execution environment's settings.

Users that have access to DES also have access to the container's services, as long as they are granted roles within the environment the container was built for.

Security of the Digital Distributed Containers is based on the OpenID Connect standard, which allows easy configuration with external OpenID Connect providers as an alternative to the Digital Enterprise Suite.

When using an external OpenID Connect provider, not all security features are available. Information about the groups a user is a member of is not available, and execution environment access is not synced at runtime, which might result in users not being granted permission to perform certain operations.

Disabling Security

Security can be disabled to run containers in an open mode without requiring authentication. This may be required if there is no connectivity between the container and the DES, or if you want to implement an external authorization mechanism (an API gateway or otherwise).

Setting the following helm variable on installation or upgrade disables security:

--set ddc.SSO_METHOD=none

Using an external OpenID Connect provider

To use an external OpenID Connect provider, the following environment variables must be provided when starting the container.

Setting the following helm variables on installation or upgrade configures an external OpenID Connect provider:

--set ddc.OIDC_ISSUER=https://...
--set ddc.OIDC_CLIENT_ID=XXX-XXX-XXX
--set ddc.OIDC_CLIENT_SECRET=XXX-XXX-XXX

Complete list of configuration variables and their descriptions

Configuration variable and description:

OIDC_ISSUER

URL to the provider that acts as issuer and also the starting point of discovery of OpenID Connect configuration.

OIDC_CLIENT_ID

Client ID of the application created in the OpenID Connect provider.

OIDC_CLIENT_SECRET

Corresponding client secret created in the OpenID Connect provider. Only required when the OpenID Connect provider does not allow the use of PKCE.

If group-based access is needed, the OpenID Connect provider must include a groups claim in the ID token, listing the user's group names. This is configured in the client application's settings on the identity provider.
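The following Python example is added here to illustrate what the three configuration variables above and the groups claim mean in practice; it is not code from the Digital Distributed Containers product. It builds the OpenID Connect discovery URL from OIDC_ISSUER, then validates a constructed ID token the way a relying party must: signature check, issuer equal to OIDC_ISSUER, audience equal to OIDC_CLIENT_ID, expiry, and finally extraction of the groups claim (absent claim means no group information). The issuer, client ID and client secret values are constructed placeholders, and the token is signed with HS256 using the client secret (an option the OpenID Connect Core specification permits) so that the example runs offline; a real provider will usually sign with RS256 and publish its keys at the jwks_uri found in the discovery document.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional

# Constructed placeholder values standing in for the container's configuration
# variables; none of these refer to a real identity provider.
OIDC_ISSUER = "https://idp.example.test/realms/demo"
OIDC_CLIENT_ID = "ddc-demo-client"
OIDC_CLIENT_SECRET = "constructed-client-secret-for-demo"


def discovery_url(issuer: str) -> str:
    """OpenID Connect Discovery: the configuration document lives under the issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: Dict, secret: str) -> str:
    """Build an HS256 JWT keyed with the client secret (constructed token for the demo)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_id_token(token: str, issuer: str, client_id: str, secret: str,
                      now: Optional[int] = None) -> Dict:
    """Verify signature, iss, aud and exp; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: a token claiming alg "none" or anything else is rejected.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:          # must equal OIDC_ISSUER
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:           # must contain OIDC_CLIENT_ID
        raise ValueError("audience mismatch")
    now = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


def groups_from_claims(claims: Dict) -> List[str]:
    """Group names from the groups claim; a missing claim yields no group information."""
    groups = claims.get("groups", [])
    if not isinstance(groups, list):
        raise ValueError("groups claim must be a list of names")
    return [str(g) for g in groups]


if __name__ == "__main__":
    # Constructed claims for a user the provider places in one group.
    token = sign_id_token({"iss": OIDC_ISSUER, "aud": OIDC_CLIENT_ID, "sub": "alice",
                           "exp": int(time.time()) + 300, "groups": ["prod-users"]},
                          OIDC_CLIENT_SECRET)
    print("discovery:", discovery_url(OIDC_ISSUER))
    claims = validate_id_token(token, OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET)
    print("subject:", claims["sub"], "groups:", groups_from_claims(claims))
```

A token whose issuer differs from OIDC_ISSUER, whose audience is not OIDC_CLIENT_ID, or whose groups claim is absent shows the failure modes described above: the first two are rejected outright, while the last validates but yields an empty group list, which is why group-based access depends on the provider being configured to emit that claim.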