search

5.5 Securing a Commercial Off-The-Shelf (COTS) application

Securing Grafana/GitLab with ZTrust using OAuth

ZTrust integrates with COTS applications using OpenID Connect (OIDC) to handle authentication and authorization. This setup enables secure login and role-based access for your applications.

hashtag
Prerequisites

Before integrating your Spring Boot application with ZTrust, ensure the following are in place:

  • ZTrust SSO – A running ZTrust instance that will act as the identity and access management provider.

  • Configured Realm and Client – A realm and client must already be created in ZTrust, with the client configured for OIDC. These settings will be used by your COTS applications to authenticate users and validate tokens.

  • Admin Access to COTS applications - Administrator access to the COTS applications is required as there are configurations needed to be done for OAuth 2.0 integration.

With these prerequisites, your application will be ready to establish a secure connection with ZTrust using OpenID Connect.

hashtag
ZTrust Endpoints (OIDC)

These will be used in application configs:

Issuer URL:     https://<Ztrust-host>/realms/<realm-name>
Auth URL:       https://<Ztrust-host>/realms/<realm-name>/protocol/openid-connect/auth
Token URL:      https://<Ztrust-host>/realms/<realm-name>/protocol/openid-connect/token
User Info URL:  https://<Ztrust-host>/realms/<realm-name>/protocol/openid-connect/userinfo
JWKS URL:       https://<Ztrust-host>/realms/<realm-name>/protocol/openid-connect/certs

hashtag
Set up ZTrust

Here, we are setting up ZTrust for Grafana. Other COTS applications like GitHub, GitLab can be setup in a similar way.

  1. Log in to ZTrust Admin Console

    Fig 5.5.a: Master realm welcome page

  2. Click on Manage Realms in the sidebar to view the list of realms available in your ZTrust.

    Fig 5.5.b: List of avalible realms under manage realms

  3. From the list of realms, select the realm where you want to configure COTS applications.

    Fig 5.5.c: Welcome to Demo realm

  4. From the left sidebar, navigate to the Clients section.

    Fig 5.5.d: Navigating to clients section in side bar

  5. You will see a list of clients (applications). Choose/ Create the client for which you want to secure COTS Application.

    Fig 5.5.e: List of available clients

  6. After selecting your client, you will taken to its settings page. Let's check out grafana-client that will be used to integrate Grafana with ZTrust.

    Fig 5.5.f: Client settings page

  7. Enter your application’s redirect URL in the Valid Redirect URIs field.

    Fig 5.5.g: In client setting tab general settings fields

  8. Then under Capability config turn on Client authentication and save.

    Fig 5.5.h: In client setting tab capability config options

  9. You will now see a new tab enabled, called Credentials.

    Fig 5.5.i: Client settings tab

  10. Navigate to the Credentials tab, where you can view and copy the Client Secret.

    Fig 5.5.j: Navigating to Credentials tab

  11. With the ZTrust configuration complete, we can now move on to the Grafana side of the setup.

hashtag
Grafana Setup

Edit the Grafana config file (e.g., /etc/grafana/grafana.ini):

Then restart Grafana:

hashtag
GitLab setup

hashtag
Step 1: Register GitLab as Client in ZTrust

Setup ZTrust in a similar way to Grafana with the below details:

  • Client ID: gitlab-client

  • Redirect URI: https://gitlab.example.com/users/auth/openid_connect/callback

Adjust domain as per your GitLab instance.

hashtag
Step 2: Configure GitLab

Edit GitLab config (/etc/gitlab/gitlab.rb):

Then reconfigure GitLab:

Previous5.4 Securing a Python ApplicationNext5.6 Securing a Next.js Application

Last updated