Introduction
This page details various tasks that must be performed by a customer who will be participating in a BrowZer pilot, as well as certain data values the customer must provide to NetFoundry personnel who will be orchestrating the deployment and provisioning of browZer-enabled networks on behalf of the customer.
There are two main items that a customer must bring to the pilot:
- A CloudZiti network
- An Auth0 IdP account
Details surrounding these items are described below.
Step 1: Create a CloudZiti Teams network
NetFoundry recommends that BrowZer pilots be carried out using the customer's CloudZiti Teams network.
If the customer already has an existing CloudZiti Teams network, that's great! We will use the existing CloudZiti Teams network.
NOTE:
BrowZer pilots require your network to be running at Ziti level v0.26.9 or newer.
If your Teams network is not at that level, we will need to upgrade it for you.
If the customer does not yet have a CloudZiti Teams network, the customer can click the image below, and be brought to the CloudZiti Teams "Get Started" page, to create their free network:
Step 2: Tell Us the Name of Your CloudZiti Teams Network
Once the customer has created their CloudZiti Teams network, they should tell NetFoundry what the name of the network is. They should communicate this information to their private Team over on the mattermost.openziti.io site in a msg to @curt.
Step 3: Create an Auth0 (IdP) account
The BrowZer architecture requires the use of an Identity Provider (IdP) capable of facilitating SSO.
NetFoundry currently recommends that BrowZer pilots be carried out using the customer's Auth0 account as the IdP.
If the customer already has an existing Auth0 account, that's great! We will use the existing Auth0 account.
However, if the customer does not yet have an Auth0 account, the customer can click the image below, and be brought to the Auth0 "Get Started" page, to create their free IdP account:
Step 4: Create an Auth0 'Application'
The customer should log in to their Auth0 account, and go to the "Applications" page:
Then click "Create Application":
Then create a new "Regular Web Application":
The name of the Application can be whatever the customer wants, but it will represent the BrowZer Gateway we will deploy for the customer, so its name should reflect that.
Step 5: Create an Auth0 'API'
The customer should create an Auth0 API with a Name like browzer.<YOUR-TEAMS-NETWORK-NAME>.nfconsole.io and an Identifier like https://browzer.<YOUR-TEAMS-NETWORK-NAME>.nfconsole.io
Step 6: Configure the Auth0 'Application' SSO callback
The customer should set the Application's Allowed Callback URLs to: https://browzer.<YOUR-TEAMS-NETWORK-NAME>.nfconsole.io/callback, where <YOUR-TEAMS-NETWORK-NAME> is the name of the CloudZiti Teams network from Step 1.
Step 7: Gather/Provide Auth0 'Application' variables
Domain and Client ID
In the Auth0 Application/Settings for the Application from Step 6, the customer should copy the Domain value and the Client ID value:
...then communicate (paste) this information into the customer's private Team over on the mattermost.openziti.io site, in a msg to @curt.
KID
We will also need the kid for the customer's Auth0 tenant.
Certificate
We will also need the certificate for the customer's Auth0 tenant.
The certificate can be found like this:
...then scroll down and click/open Advanced Settings:
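The kid and certificate requested above are the identifiers of the key the Auth0 tenant uses to sign the tokens the BrowZer Gateway will validate, so it is worth cross-checking the values copied from the dashboard against what the tenant actually publishes. The following script is an added example, not NetFoundry's or Auth0's code; it assumes the standard Auth0 JWKS endpoint https://<AUTH0-DOMAIN>/.well-known/jwks.json, where <AUTH0-DOMAIN> is the Domain value copied from the Application settings, and it runs against a constructed sample JWKS when no domain is given.

```python
"""List the signing-key kid values and X.509 certificates published by an Auth0 tenant.

Added example (not NetFoundry's or Auth0's own code). Assumes the standard Auth0
JWKS endpoint https://<AUTH0-DOMAIN>/.well-known/jwks.json; <AUTH0-DOMAIN> is the
"Domain" value from the Auth0 Application settings.
"""
import base64
import hashlib
import json
import sys
import urllib.request


def x5c_to_pem(x5c_entry: str) -> str:
    """Wrap one x5c element (base64 DER, no line breaks) as a PEM certificate block."""
    lines = [x5c_entry[i:i + 64] for i in range(0, len(x5c_entry), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def extract_signing_keys(jwks: dict) -> dict:
    """Return {kid: {"alg", "pem", "sha256"}} for every RSA signing key that carries a certificate.

    Keys that are not RSA, are not marked for signature use, or have no kid / x5c
    are skipped: they cannot be the key the gateway must trust for token validation.
    """
    keys = {}
    for key in jwks.get("keys", []):
        if key.get("kty") != "RSA" or key.get("use", "sig") != "sig":
            continue
        kid = key.get("kid")
        x5c = key.get("x5c") or []
        if not kid or not x5c:
            continue
        der = base64.b64decode(x5c[0])  # x5c[0] is the leaf (signing) certificate
        keys[kid] = {
            "alg": key.get("alg"),
            "pem": x5c_to_pem(x5c[0]),
            "sha256": hashlib.sha256(der).hexdigest(),  # fingerprint for comparing against the dashboard copy
        }
    return keys


def fetch_jwks(domain: str) -> dict:
    """Download the tenant's JWKS document (standard Auth0 location)."""
    url = f"https://{domain}/.well-known/jwks.json"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


# Constructed sample JWKS for offline runs. The kid and x5c values are placeholders,
# not a real tenant's key material; the EC entry shows that non-RSA keys are ignored.
SAMPLE_JWKS = {
    "keys": [
        {
            "kty": "RSA",
            "use": "sig",
            "alg": "RS256",
            "kid": "constructed-kid-1",
            "x5c": [base64.b64encode(b"placeholder DER bytes, not a real certificate").decode()],
        },
        {
            "kty": "EC",
            "use": "sig",
            "alg": "ES256",
            "kid": "constructed-kid-2",
            "x5c": [base64.b64encode(b"placeholder EC certificate").decode()],
        },
    ]
}


if __name__ == "__main__":
    # Usage: python jwks_keys.py            (sample data)
    #        python jwks_keys.py <AUTH0-DOMAIN>
    jwks = fetch_jwks(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_JWKS
    for kid, info in extract_signing_keys(jwks).items():
        print(f"kid: {kid}  alg: {info['alg']}  sha256(DER): {info['sha256']}")
        print(info["pem"])
```

The kid printed here should match the kid provided to NetFoundry, and the PEM block should match the certificate copied from Advanced Settings; a mismatch means the gateway would be configured to trust a key the tenant is not using to sign tokens, and logins would fail validation.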
BrowZer Gateway URL
Once the above pieces of information are provided by the customer, NetFoundry will then complete the deployment/provisioning of a BrowZer Gateway instance to support the customer's pilot.
The BrowZer Gateway will reside at the DNS name browzer.<YOUR-TEAMS-NETWORK-NAME>.nfconsole.io
NOTE:
This will be the URL users of your protected web app will point their browsers at, so you will need to socialize this URL with them.
Once the BrowZer Gateway is running, when anyone visits the URL:
https://browzer.<YOUR-TEAMS-NETWORK-NAME>.nfconsole.io
...in a browser, the SSO login dialog should render like the example below:
Step 8: Create/Provide Ziti Service for Protected Web App
The customer should deploy the web app to be used in the BrowZer pilot into their private VPC, and ensure it has a Ziti Service associated with it.
The following information should be communicated (pasted) into the customer's private Team over on the mattermost.openziti.io site, in a msg to @curt:
- Service name
- The port number (in the VPC) that the web app listens on (where Ziti will terminate to)
- Confirmation that the web app listens on HTTP, not HTTPS. (BrowZer support for TLS-over-mTLS is nearing completion but is not ready yet, so pilots must currently have the web app listen internally on HTTP.)
Once this Service name information is provided, NetFoundry will then add it to the configuration of the BrowZer Gateway instance.
Step 9: Complete the Provisioning of the Ziti Network
The customer should gather the GMail addresses of the users that require access to the protected web app over browZer.
These email addresses should be communicated (pasted) into the customer's private Team over on the mattermost.openziti.io site, in a msg to @curt
Once this information is provided, NetFoundry will then add it to the Ziti network configuration.
Enjoy Using BrowZer
Once all of the above steps have been completed, NetFoundry will notify the customer via a msg over on the mattermost.openziti.io site, and the customer can instruct their users to begin.
NOTE:
Users must use a Chromium-based browser (e.g. Chrome, Brave, or Edge).
Ensure users understand that they will be required to do an SSO authentication using their GMail credentials in order to gain access to the Ziti network:
Once a successful SSO authentication is completed, the customer's protected web app should then load into the user's browser.
If the web app has its own authentication, users should proceed with the credentials they have that are specific to that web app.