Wallaroo User Management

How to manage new and existing users in your Wallaroo environment.

The following guides show Wallaroo users how to add other participants to their Wallaroo environment. Some user management tasks are handled under Workspace Management, such as adding or removing users from a specific workspace.

This guide is split into two segments: Wallaroo Community Edition and Wallaroo Enterprise Edition. The critical differences in user management between the Wallaroo Community and Wallaroo Enterprise edition are:

  • Wallaroo Community allows up to 5 users to be active in a single Wallaroo instance, while Enterprise has no such restrictions.
  • Wallaroo Community users are administrated locally while Wallaroo Enterprise allows for other administrative services including GitHub, Google Cloud Platform, and other services.

1 - Wallaroo Community User Management

How to manage new and existing users in your Wallaroo Community environment.

Wallaroo Community User Management

How to Invite a User to a Wallaroo Instance

  • Note: Up to two users can work together in the same Wallaroo Community instance, while the Wallaroo Enterprise version has no user restrictions.

To invite another user to your Wallaroo instance:

  1. Login to your Wallaroo instance.
  2. Select Invite Users from the upper right hand corner of the Wallaroo Dashboard.
  3. Under the Invite Users module, enter the email address for each user to invite.
  4. When finished, select Send Invitations.

Each user will be sent a link to login to your Wallaroo instance. See the General Guide for more information on the initial login process.

2 - Wallaroo Enterprise User Management

How to manage new and existing users in your Wallaroo Enterprise environment.

Wallaroo Enterprise User Management

Wallaroo uses Keycloak for user authentication, authorization, and management. Enterprise customers can manage their users in Keycloak through its web-based UI, or programmatically through Keycloak’s REST API.

In enterprise deployments customers store their Wallaroo user accounts either directly in Keycloak or utilize its User Federation feature. Integration with external/public Identity Providers (such as popular social networks) is not expected at this time.

See the Keycloak User Guide for more details: https://www.keycloak.org/documentation.html

The Keycloak instance deployed in the wallaroo Kubernetes namespace comes pre-configured with a single administrator user in the Master realm. All users must be managed within that realm.

Accessing The Wallaroo Keycloak Dashboard

Enterprise customers may access their Wallaroo Keycloak dashboard by navigating to https://<prefix>.keycloak.<suffix>, depending on the domain prefix and suffix supplied during installation.

Obtaining Administrator Credentials

The standard Wallaroo installation creates the user admin by default and assigns them a randomly generated password. The admin user credentials may be obtained directly from Kubernetes with the following commands, assuming the Wallaroo instance namespace is wallaroo.

Username

    kubectl -n wallaroo \
    get secret keycloak-admin-secret \
    -o go-template='{{.data.KEYCLOAK_ADMIN_USER | base64decode }}{{"\n"}}'

Password

    kubectl -n wallaroo \
    get secret keycloak-admin-secret \
    -o go-template='{{.data.KEYCLOAK_ADMIN_PASSWORD | base64decode }}{{"\n"}}'

Accessing the User Management Panel

In the Keycloak Administration Console, click Manage -> Users in the left-hand side menu. Click the View all users button to see existing users.

Adding Users

To add a user through the Keycloak interface:

  1. Click the Add user button in the top-right corner.

  2. Enter the following:

    Wallaroo Enterprise New User
    1. A unique username and email address.
    2. Ensure that the Email Verified checkbox is checked - Wallaroo does not perform email verification.
    3. Under Required User Actions, set Update Password so the user will update their password the next time they log in.
  3. Click Save.

  4. Once saved, select the Credentials tab, then in the Set Password section, enter the new user’s desired initial password in the Password and Password Confirmation fields.

    Wallaroo Enterprise New User
  5. Click Set Password. Confirm the action when prompted. This will force the user to set their own password when they log in to Wallaroo.

  6. Log out of Keycloak as the Admin user before resuming other Wallaroo actions.

Managing Users Programmatically

It is possible to manage users through Keycloak’s Admin REST API. See https://www.keycloak.org/documentation.html for details.

Wallaroo simplifies this task with a small Python script, which can be utilized in a Jupyter notebook running in the wallaroo namespace through the following process:

  1. Create a new Python file: In your JupyterHub workspace, create a new Python file named keycloak.py and populate it with the following:

  2. Import the following libraries:

    import json
    import requests
    
    class Keycloak:
        def __init__(self, host, port, admin_username, admin_password):
            self.host = host
            self.port = port
            self.admin_username = admin_username
            self.admin_password = admin_password
    
        def get_token(self):
            """Using a hardcoded admin password, obtain a session token from keycloak"""
            url = f"http://{self.host}:{self.port}/auth/realms/master/protocol/openid-connect/token"
            headers = {
                "Content-Type": "application/x-www-form-urlencoded",
                "Accept": "application/json",
            }
            data = {
                "username": self.admin_username,
                "password": self.admin_password,
                "grant_type": "password",
                "client_id": "admin-cli",
            }
            resp = requests.post(url, headers=headers, data=data)
            assert resp.status_code == 200
            token = resp.json()["access_token"]
            assert len(token) > 800
            self.token = token
    
        def list_users(self):
            """List the users in the master realm. Returns the HTTP response."""
            url = f"http://{self.host}:{self.port}/auth/admin/realms/master/users"
            headers = {
                "Content-Type": "application/json",
                "Authorization": f"bearer {self.token}",
            }
            resp = requests.get(url, headers=headers)
            return resp
    
        def create_user(self, username, password, email):
            """Create a keycloak test user. Returns ID."""
            url = f"http://{self.host}:{self.port}/auth/admin/realms/master/users"
            headers = {
                "Content-Type": "application/json",
                "Authorization": f"bearer {self.token}",
            }
            # Booleans are sent as JSON true/false rather than as strings.
            payload = {
                "username": username,
                "enabled": True,
                "emailVerified": True,
                "email": email,
                "credentials": [
                    {
                        "type": "password",
                        "value": password,
                        "temporary": False,
                    }
                ],
            }
            resp = requests.post(url, headers=headers, data=json.dumps(payload))
            assert resp.status_code == 201
            return resp.headers["Location"].split("/")[-1]
    
        def delete_user(self, userid):
            """Remove a keycloak user. Returns the HTTP response."""
            url = f"http://{self.host}:{self.port}/auth/admin/realms/master/users/{userid}"
            headers = {
                "Content-Type": "application/json",
                "Authorization": f"bearer {self.token}",
            }
            resp = requests.delete(url, headers=headers)
            return resp
    
  3. Create a Keycloak admin client: In the JupyterHub environment, create a new Jupyter notebook in the same directory as your keycloak.py file.

    Import the new Python module and instantiate your Keycloak client, supplying your administrator user credentials (3rd and 4th arguments).

    For more information on retrieving your Keycloak username and password, see Obtaining Administrator Credentials.

    from keycloak import Keycloak
    kc = Keycloak('keycloak', 8080, 'admin', 'admin')
    
  4. Obtain an authentication token: Before invoking any methods, you must obtain a fresh authentication token by calling the get_token() method. This will obtain a new token, which is valid for 60 seconds, and cache it in the client.

    kc.get_token()
    

Listing existing users

To list existing users, use the Keycloak list_users method:

    resp = kc.list_users()
    resp.json()

Creating new users

To create a new user, use the Keycloak create_user() method and supply their unique username, password, as well as a unique email address:

    kc.create_user('testuser1', 'abc123', 'testuser1@example.com')

If successful, the return value will be the new user’s unique identifier generated by Keycloak.
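
A variant of user creation that mirrors the console procedure above: a random one-time password, Update Password required at first login, and the username set equal to the email address as the troubleshooting section asks. This is an added example, not part of Wallaroo's keycloak.py; the function names are hypothetical, and it assumes the same users endpoint as keycloak.py and a token already obtained with get_token().

```python
import json
import re
import secrets
import string
import urllib.request

# Same admin endpoint path that keycloak.py on this page uses.
USERS_PATH = "/auth/admin/realms/master/users"
# Coarse sanity check only; it rejects bare usernames such as "testuser1".
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def initial_password(length=20):
    """Random one-time password drawn from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def new_user_payload(email, password):
    """Build the Keycloak user representation for a new Wallaroo user."""
    email = email.strip()
    if not EMAIL_RE.match(email):
        raise ValueError(f"not a usable email address: {email!r}")
    return {
        "username": email,            # username and email are kept identical
        "email": email,
        "enabled": True,
        "emailVerified": True,        # Wallaroo does not verify email itself
        "requiredActions": ["UPDATE_PASSWORD"],
        "credentials": [
            {"type": "password", "value": password, "temporary": True}
        ],
    }


def create_user_temp_password(base_url, token, email,
                              send=urllib.request.urlopen):
    """Create the user and return (user_id, one_time_password).

    `send` is injectable so the function can be exercised without a
    Keycloak server; by default it performs the real HTTP request.
    """
    password = initial_password()
    body = json.dumps(new_user_payload(email, password)).encode()
    req = urllib.request.Request(
        base_url + USERS_PATH,
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Authorization": f"Bearer {token}",
        },
    )
    with send(req, timeout=10) as resp:
        if resp.status != 201:
            raise RuntimeError(f"Keycloak returned HTTP {resp.status}")
        user_id = resp.headers["Location"].rsplit("/", 1)[-1]
    return user_id, password


if __name__ == "__main__":
    # Constructed sample address; prints the request body with the
    # password masked so it does not end up in notebook output.
    demo = new_user_payload("new.user@example.com", initial_password())
    demo["credentials"][0]["value"] = "********"
    print(json.dumps(demo, indent=2))
```

The returned one-time password is the only copy, so hand it to the user over a separate channel and keep it out of saved notebook cells.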

3 - Wallaroo Enterprise User Management Troubleshooting

How to correct common user issues.

When a new user logs in for the first time, they get an error when uploading a model or issues when they attempt to log in. How do I correct that?

When a new registered user attempts to upload a model, they may see the following error:

TransportQueryError: 
{'extensions': 
    {'path': 
        '$.selectionSet.insert_workspace_one.args.object[0]', 'code': 'not-supported'
    }, 
    'message': 
        'cannot proceed to insert array relations since insert to table "workspace" affects zero rows'

Or if they log into the Wallaroo Dashboard, they may see a Page not found error.

This is caused when a user has been registered without an appropriate email address. See the user guides here on inviting a user, or the Wallaroo Enterprise User Management on how to log into the Keycloak service and update users. Verify that the username and email address are both the same, and they are valid confirmed email addresses for the user.

4 - Wallaroo Authentication Configuration Guides

Enable SSO authentication to Wallaroo.

Wallaroo supports Single Sign-On (SSO) authentication through multiple providers. The following guides demonstrate how to enable SSO for different services.

4.1 - Wallaroo SSO for Amazon Web Services

Enable SSO authentication to Wallaroo from AWS

Organizations can use Amazon Web Services (AWS) as an identity provider for single sign-on (SSO) logins for users with Wallaroo Enterprise.

To enable AWS as an authentication provider to a Wallaroo instance:

  • Create the Wallaroo AWS SAML Identity Provider
  • Create the AWS Credentials
  • Add the AWS Credentials to Wallaroo
  • Verify the Login

Prerequisites

Create the Wallaroo AWS SAML Identity Provider

Using AWS as a single sign-on identity provider within Wallaroo requires access to the Wallaroo instance’s Keycloak service. This process will require both the IAM Identity Center and Wallaroo Keycloak service be available at the same time to copy information between the two. When starting this process, do not close the Wallaroo Keycloak browser window or the AWS IAM Identity Center without completing all of the steps until Verify the Login.

  1. From the Wallaroo instance, login to the Keycloak service. This will commonly be $PREFIX.keycloak.$SUFFIX. For example, playful-wombat-5555.keycloak.wallaroo.example.

  2. Select Administration Console.

  3. From the left navigation panel, select Identity Providers.

  4. Select Add provider and select SAML v2.0.

    Select SAML 2.0
  5. Enter the following:

    1. Alias ID: This will be the internal ID of the identity provider. It also sets the Redirect URI used in later steps.
    2. Display Name: The name displayed for users to use in authenticating.
  6. Save the following information:

    1. Redirect URI: This is determined by the Wallaroo DNS Prefix, Wallaroo DNS Suffix, and the Alias ID in the format $PREFIX.keycloak.$SUFFIX/auth/realms/master/broker/$ALIASID/endpoint. For example, playful-wombat-5555.keycloak.wallaroo.example/auth/realms/master/broker/aws/endpoint.
    2. Service Provider Entry ID: This is in the format $PREFIX.keycloak.$SUFFIX/auth/realms/master. For example: playful-wombat-5555.keycloak.wallaroo.example/auth/realms/master.

Create the AWS Credentials

The next step is creating the AWS credentials, and requires access to the organization’s Amazon IAM Identity Center.

  1. From the AWS console, select the IAM Identity Center.

    Select AWS IAM Identity Center
  2. From the IAM Identity Center Dashboard, select Applications then Add application.

    Select Add Application
  3. Select Custom application->Add custom SAML 2.0 application, then select Next.

    Select Custom Applications
  4. Enter the following:

    1. Display name: AWS or something similar depending on your organization’s requirements.
    2. Application metadata:
      1. Application ACS URL: Enter the Redirect URI from Create the Wallaroo AWS SAML Identity Provider.
      2. Application SAML audience: Enter the Service Provider Entry ID from Create the Wallaroo AWS SAML Identity Provider.
  5. Select the IAM Identity Center SAML metadata file and copy the URL. Store this for the step Add AWS Credentials to Wallaroo.

  6. Select Submit.

  7. From the new application, select Actions->Edit attribute mappings.

    Select Edit attribute mappings
  8. Enter the following:

    Map Attributes
    1. Subject (default entry): Set to ${user:email}, with the Format emailAddress.
    2. Select Add new attribute mapping and set it to email, mapped to ${user:email}, with the Format emailAddress.
  9. Select Save Changes to complete mapping the attributes.

  10. From the IAM Identity Center Dashboard, select Users. From here, add or select the users or groups that will have access to the Wallaroo instance then select Assign Users.

    Add or Select IAM Users

Add AWS Credentials to Wallaroo

Return to the Wallaroo Keycloak service and the new Identity Provider from Create the Wallaroo AWS SAML Identity Provider.

  1. In Import External IDP Config->Import from URL, enter the IAM Identity Center SAML metadata file saved from Create the AWS Credentials in the field Service Provider Entity ID.

  2. Select Import.

    Import AWS Settings
  3. Once the AWS SAML settings are imported, select Save to store the identity provider.

Verify the Login

Once complete, log out of the Wallaroo instance and go back to the login screen. Along with the usual username and password fields, there should also be an AWS link at the bottom, or whatever name was set for the identity provider. Select that link to login.

Login via AWS

Login to the IAM Application created in Create the AWS Credentials. The first time a user logs in they will be required to add their first and last name. After this, logins will happen as long as the user is logged into the AWS IAM application without submitting any further information.

4.2 - Wallaroo SSO for Microsoft Azure

Enable SSO authentication to Wallaroo from Microsoft Azure

Organizations can use Microsoft Azure as an identity provider for single sign-on (SSO) logins for users with Wallaroo Enterprise.

To enable Microsoft Azure as an authentication provider to a Wallaroo Enterprise instance:

Create the Azure Credentials

The first step is to create the Azure credentials in Microsoft Azure.

By the end, the following information must be saved for use in the step Add Azure Credentials to Wallaroo:

Create the New App

  1. Log into Microsoft Azure with an account that has permissions to create application registrations.

  2. Select App registrations from the Azure Services menu, or search for App Registrations from the search bar.

    Select App registrations
  3. From the App registrations screen, select either an existing application, or select + New registration. This example will show creating a new registration.

    Create new registration
  4. From the Register an application screen, set the following:

    1. Name: The name of the application.

    2. Supported account types: To restrict only to accounts in the organization directory, select Accounts in this organizational directory only.

    3. Redirect URI: Set the type to Web and the URI. The URI will be based on the Wallaroo instance and the name of the Keycloak Identity Provider set in the step Add Azure Credentials to Wallaroo. This will be a link back to the Keycloak endpoint URL in your Wallaroo instance in the format https://$PREFIX.keycloak.$SUFFIX/auth/realms/master/broker/$IDENTITYNAME/endpoint.

      For example, if the Wallaroo prefix is silky-lions-3657, the name of the Wallaroo Keycloak Identity Provider is azure, and the suffix is wallaroo.ai, then the Keycloak endpoint URL would be silky-lions-3657.keycloak.wallaroo.ai/auth/realms/master/broker/azure/endpoint. For more information see the DNS Integration Guide.

      Once complete, select Register.

      New registration settings

Store the Application ID

  1. From the Overview screen, store the following in a secure location:

    1. Application (client) ID: This will be used in the Add Azure Credentials to Wallaroo step.

      Application (client) id
  2. From the Overview screen, select Redirect URIs. Set the following:

    1. Verify the Redirect URI matches the Wallaroo instance endpoint.
    2. Under Implicit grant and hybrid flows, set the following:
      1. Access tokens: Enabled
      2. ID tokens: Enabled
  3. From the Overview screen, from the left sidebar select API permissions. Select +Add a permission.

    Add permission
    1. Select Microsoft Graph, then Delegated Permissions.

      Add email, openid, profile
    2. Set email, openid, profile to Enabled then select Add permissions.

Create Client Secret

  1. From the Overview screen, select Add a certificate or secret.

    Select add a certificate
  2. Select Client secrets, then +New client secret.

    Select add new client secret
    1. Set the following, then select Add.

      Set client secret details.
      1. Description: Set the description of the client secret.
      2. Expires: Set the expiration for the client secret. Defaults to 6 months from creation.
    2. Store the following in a secure location:

      1. Client secret Value: This will be used in the Add Azure Credentials to Wallaroo step.

Store Metadata Document

  1. From the left navigation panel, select Overview, then Endpoints.

    Select Endpoints.
    1. Store the following in a secure location:
      1. OpenID Connect metadata document: This will be used in the Add Azure Credentials to Wallaroo step.

        Save OpenID Connect metadata document

Add Azure Credentials to Wallaroo

With the Azure credentials saved from the Create the Azure Credentials step, they can now be added into the Wallaroo Keycloak service.

  1. Login to the Wallaroo Keycloak service with a Wallaroo admin account from the URL in the format https://$PREFIX.keycloak.$SUFFIX.

    For example, if the Wallaroo prefix is silky-lions-3657, the name of the Wallaroo Keycloak Identity Provider is azure, and the suffix is wallaroo.ai, then the Keycloak endpoint URL would be silky-lions-3657.keycloak.wallaroo.ai. For more information see the DNS Integration Guide.

  2. Select Administration Console, then from the left navigation panel select Identity Providers.

    Select Keycloak Identity Providers
  3. From the right Add provider… drop down menu select OpenID Connect v1.0.

    Select OpenID Connect
  4. From the Add identity provider screen, add the following:

    Identity Provider Values
    1. alias: The name of the Identity Provider. IMPORTANT NOTE: This will determine the Redirect URI value that is used in the Create the Azure Credentials step. Verify that the Redirect URI is the same in both steps.
    2. Display Name: The name that will be shown on the Wallaroo instance login screen.
    3. Client Authentication: Set to Client secret sent as post.
    4. Client Authentication: Set with the Application (client) ID created in the Create the Azure Credentials step.
    5. Client Secret: Set with the Client secret Value created in the Create the Azure Credentials step.
    6. Default Scopes: Set to openid email profile - one space between each word.
    7. Scroll to the bottom of the page and in Import from URL, add the OpenID Connect metadata document created in the Create the Azure Credentials step. Select Import to set the Identity Provider settings.
    Import Metadata Document
  5. Once complete, select Save to store the identity provider settings.

Once the Azure Identity Provider settings are complete, log out of the Keycloak service.

Verify the Login

After completing Add Azure Credentials to Wallaroo, the login can be verified through the following steps. This process will need to be completed the first time a user logs into the Wallaroo instance after the Azure Identity Provider settings are added.

  1. Go to the Wallaroo instance login page. The Azure Identity Provider will be displayed under the username and password request based on the Display Name set in the Add Azure Credentials to Wallaroo step.

  2. Select the Azure Identity Provider to login.

    Azure Login
  3. For the first login, grant permission to the application. You may be required to select which Microsoft Azure account is being used to authenticate.

    Azure Grant Permissions

Once complete, the new user will be added to the Wallaroo instance.

4.3 - Wallaroo SSO for Google Cloud Platform

Enable SSO authentication to Wallaroo from Google Cloud Platform (GCP)

Organizations can use Google Cloud Platform (GCP) as an identity provider for single sign-on (SSO) logins for users with Wallaroo Enterprise.

To enable Google Cloud Platform (GCP) as an authentication provider to a Wallaroo instance:

Create GCP Credentials

To create the GCP credentials a Wallaroo instance uses to authenticate users:

  1. Log into Google Cloud Platform (GCP) console.

  2. From the left side menu, select APIs and Services -> Credentials.

    GCP API and Services
  3. Select + CREATE CREDENTIALS->OAuth client ID.

    GCP Create credentials
  4. Set Application type to Web application.

  5. Set the following options:

    1. Name: The name for this OAuth Client ID.

    2. Authorized redirect URIs: This will be a link back to the Keycloak endpoint URL in your Wallaroo instance in the format https://$PREFIX.keycloak.$SUFFIX/auth/realms/master/broker/google/endpoint.

      For example, if the Wallaroo prefix is silky-lions-3657 and the suffix is wallaroo.ai, then the Keycloak endpoint URL would be silky-lions-3657.keycloak.wallaroo.ai/auth/realms/master/broker/google/endpoint. For more information see the DNS Integration Guide.

  6. When the OAuth client is created, the Client ID and the Client Secret will be displayed. Store these for the next steps.

    Client ID and Secret

Add GCP Credentials to Wallaroo

With the Client ID and Client Secret from Google, we can now add this to the Wallaroo instance Keycloak service.

  1. From the Wallaroo instance, login to the Keycloak service. This will commonly be $PREFIX.keycloak.$SUFFIX. For example, playful-wombat-5555.keycloak.wallaroo.ai.

  2. Select Administration Console.

  3. From the left navigation panel, select Identity Providers.

  4. Select Add provider and select Google.

  5. Enter the following:

    Keycloak Google Settings
    1. Redirect URI: Verify this is the same endpoint defined in Create GCP Credentials.
    2. Client ID: Use the Client id from Get GCP Credentials.
    3. Client Secret: Use the Client secret from Get GCP Credentials.
    4. Hosted Domain: The domain that users will be logging in from. For example: wallaroo.ai.
    5. Enabled: On
    6. For the other settings, see the Keycloak Social Identity Providers documentation.

Verify the Login

Once complete, log out of the Wallaroo instance and go back to the login screen. Along with the usual username and password fields, there should also be a Google link at the bottom, or whatever name was set for the identity provider.

Select Google to login

Select it, then select which Google user account to use. As long as the domain matches the one listed in Add Google Credentials to Keycloak, the login will succeed. The first time a user logs in through Google, Keycloak will create a new local user account based on the Google credentials.

Troubleshooting

I get the error “This app’s request is invalid”

Double check the Google credentials from Get GCP Credentials and verify that the Authorized redirect URIs entry matches the one in Keycloak. This can be verified by logging into Keycloak, selecting Identity Providers, selecting the Google identity provider and Redirect URI from the top line.

Keycloak Google Settings

4.4 - Wallaroo SSO Configuration for Seamless Redirect

Instructions on updating the Wallaroo SSO configuration for a seamless redirect experience.

By default, when organizations add identity providers to Wallaroo, users have to select which identity provider to use, or at least provide their username and password, to log in through the default Keycloak service.

The following instructions show how to set an identity provider as the default and configure Wallaroo so users who are already authenticated through an identity provider can seamlessly login to their Wallaroo instance without having to select any other options.

This process has two major steps:

Prerequisites

These instructions assume that an identity provider has been created for the Wallaroo instance.

Set an Identity Provider as Default

To set a default identity provider for a Wallaroo instance for seamless access:

  1. Access the Wallaroo Keycloak service through a browser as an administrator. The Keycloak service URL will be in the format $WALLAROOPREFIX.keycloak.$WALLAROOSUFFIX. For example, if the Wallaroo prefix is wallaroo and the suffix example.com, then the Keycloak service URL would be wallaroo.keycloak.example.com. See the DNS Integration Guide for more details on Wallaroo services with DNS.

  2. Select Administration Console, then log in with an administrator account. See the Wallaroo User Management guides for more information.

  3. From the left navigation panel, select Authentication.

  4. For the Auth Type Identity Provider Redirector row, select Actions -> Config.

    Select identity provider redirector
  5. Enter the following:

    1. Alias: The name for this configuration.
    2. Default Identity Provider: The identity provider to use by default. A list is available from Configure->Identity Providers. For this example, it is google. Verify that the name matches the name of the existing Identity Provider.
  6. Select Save.

  7. Save the ID! Save the Identity Provider Redirector ID generated by Keycloak. This step is important in disabling the seamless redirect.

    Identity Provider ID

Set Update Profile on First Login to Off

This optional step prevents the Keycloak service from forcing the user to update an existing profile the first time they log in through a new identity provider. For more information, see the Keycloak Identity Broker First Login documentation.

To set the Identity Broker First Login to Off:

  1. Access the Wallaroo Keycloak service through a browser as an administrator. The Keycloak service URL will be in the format $WALLAROOPREFIX.keycloak.$WALLAROOSUFFIX. For example, if the Wallaroo prefix is wallaroo and the suffix example.com, then the Keycloak service URL would be wallaroo.keycloak.example.com. See the DNS Integration Guide for more details on Wallaroo services with DNS.

  2. Select Administration Console, then log in with an administrator account. See the Wallaroo User Management guides for more information.

  3. From the left navigation panel, select Authentication.

  4. From the top drop-down list, select First Broker Login, then for the row labeled Review Profile (review profile config), select Actions->Config.

    Select First Broker Login Config
  5. Set Update Profile on First Login to Off.

    First Broker Login Config
  6. Select Save.

Disable Automatic Redirects

Disable Through Keycloak UI

To disable automatic redirects through the Keycloak UI:

  1. Access the Wallaroo Keycloak service through a browser as an administrator. The Keycloak service URL will be in the format $WALLAROOPREFIX.keycloak.$WALLAROOSUFFIX. For example, if the Wallaroo prefix is wallaroo and the suffix example.com, then the Keycloak service URL would be wallaroo.keycloak.example.com. See the DNS Integration Guide for more details on Wallaroo services with DNS.

  2. Select Administration Console, then log in with an administrator account. See the Wallaroo User Management guides for more information.

  3. From the left navigation panel, select Authentication.

  4. For the Auth Type Identity Provider Redirector row, set the Requirement to Disabled.

    Disable Identity Provider Redirector

Seamless redirect is now disabled. Users will be able to either enter their username/password, or select the identity provider to use.

Disable through Kubernetes

This process allows users to disable the seamless redirect through the Kubernetes administrative node. This process requires the following:

  • The Identity Provider Redirector was saved from the step Set an Identity Provider as Default.
  • kubectl is installed on the node administrating the Kubernetes environment hosting the Wallaroo instance.
  • curl is installed.

These steps assume the Wallaroo instance was installed into the namespace wallaroo.

The following code retrieves the Wallaroo Keycloak admin password, then makes a connection to the Wallaroo Keycloak service through curl, then deletes the identity provider set as the Identity Provider Redirector.

The Keycloak service URL will be in the format $WALLAROOPREFIX.keycloak.$WALLAROOSUFFIX. For example, if the Wallaroo prefix is wallaroo and the suffix example.com, then the Keycloak service URL would be wallaroo.keycloak.example.com. See the DNS Integration Guide for more details on Wallaroo services with DNS.

The variable IDENTITYUUID is the Identity Provider Redirector UUID.

Replace WALLAROOPREFIX, WALLAROOSUFFIX and IDENTITYUUID with the appropriate values for your Wallaroo instance.

    WALLAROOPREFIX="wallaroo"
    WALLAROOSUFFIX="example.com"
    IDENTITYUUID="1234"
    # Read the Keycloak admin password from the Kubernetes secret.
    KEYCLOAK_PASSWORD=$(kubectl -n wallaroo get secret keycloak-admin-secret -o go-template='{{.data.KEYCLOAK_ADMIN_PASSWORD | base64decode }}')
    # Request an admin token (parsed with jq); --data-urlencode keeps special characters in the password intact.
    TOKEN=$(curl -s "https://$WALLAROOPREFIX.keycloak.$WALLAROOSUFFIX/auth/realms/master/protocol/openid-connect/token" -d "username=admin" --data-urlencode "password=$KEYCLOAK_PASSWORD" -d 'grant_type=password' -d 'client_id=admin-cli' | jq -r .access_token)
    # Delete the Identity Provider Redirector configuration.
    curl -H "Authorization: Bearer $TOKEN" "https://$WALLAROOPREFIX.keycloak.$WALLAROOSUFFIX/auth/admin/realms/master/authentication/config/$IDENTITYUUID" -X DELETE

Seamless redirect is now disabled. Users will be able to either enter their username/password, or select the identity provider to use.