Wavefront has recently released Multitenant Single Sign-On (MT SSO), a service that makes it easier for administrators to authenticate and manage access to different tenants deployed in a cluster. With Wavefront MT SSO, a user who belongs to different teams, i.e., tenants, can switch between the tenants without having to log in every time.
In this blog post, I will help you get started with Wavefront MT SSO by addressing five topics:
- Setting the context
- Overview and what’s new
- Benefits of Wavefront MT SSO
- How Wavefront MT SSO works
- Ways to get started
Setting the Context
Before we get to the main topic, here is some context on the different terms referred to in this blog:
- Cluster is a group of servers that Wavefront uses to provide monitoring services to companies
- Customer is a company using Wavefront for monitoring the services provided by the company
- Service Provider (SP) in this case is Wavefront, i.e., Wavefront is an SP for various customers
- Shared Cluster is a cluster that is shared between multiple customers
- Dedicated Cluster is a cluster occupied by a single customer
- Tenant refers to the customer department or team
- User is a customer’s employee who uses Wavefront for monitoring and alerting
- Identity Provider (IDP) is a service that validates (authenticates) users
Here is an analogy to help understand multi-tenancy: think about an office building, which can have multiple office spaces. If we consider each office space as a server, then the building is like a cluster. A big company (a single customer) can rent the entire building, which is like a dedicated cluster. However, multiple small companies (many customers) may choose to share the building, which makes the building a shared cluster.
Each company can have various departments (teams). Every department can have multiple employees. Each employee is authenticated by the receptionist of the company in which the employee works. In our model, the employees are users, the teams are tenants, and the receptionist is the Identity Provider (IDP).
What’s New?
Previously, Wavefront offered the configurations shown in Figure 1:
- Single-Tenant Single-Customer: A customer can occupy an entire cluster but can only have one tenant
- Single-Tenant Multi-Customer: Multiple customers can share a cluster, but each customer can only have one tenant
Figure 1: Previously offered cluster setups in Wavefront
With Wavefront MT SSO, a user belonging to multiple tenants, within a single customer, can access the different tenants in the following two scenarios:
- Multi-Tenant Single-Customer: A single customer can have more than one tenant in a cluster
- Multi-Tenant Multi-Customer: Multiple customers can share a cluster, with each customer having multiple tenants (see Figure 2)
Figure 2: New forms of cluster setup in Wavefront
What Are the Key Benefits of Using Wavefront MT SSO?
Authentication and authorization are essential to modern software architectures where a user has to log in to get service. The software must accurately authenticate and authorize each user. Wavefront MT SSO ensures that tenant access is limited to authenticated users and thereby prevents data leakages.
The second significant benefit is increased productivity. DevOps teams including developers and SREs can quickly switch between different tenants without having to provide login credentials each time they switch between tenants.
How Does Wavefront MT SSO Work?
In Wavefront MT SSO, users are authenticated through a supported IDP (VMware Identity Manager (vIDM), Google IDP, Okta, etc.) when they submit their credentials. They can access only the tenants into which they have been invited. Any other tenants in the same cluster are not accessible.
For example, let’s say that a cluster “Research” has two customers, VMware and Customer 1. VMware has tenants A, B, and C, while Customer 1 has tenants X and Y.
- User [email protected] is invited only into tenants A and B, so she/he can access tenants A and B but not C, as shown in Figure 3. She/he can switch between the tenants without logging in to each tenant. Before switching, a warning is displayed asking the user for confirmation so that there is no accidental data loss.
- The user can access only VMware tenants and not Customer 1 tenants.
Figure 3: User [email protected] can only access tenants A and B, but not tenant C
If the default tenant login flag for the IDP is not enabled, and a new user tries to access a tenant in a cluster without an invitation, then a 401 page is shown. However, if the default tenant login flag is enabled for the IDP, then Wavefront auto-creates an account for the new user, and she/he is logged in to the default tenant.
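To make the access rules in this section concrete, here is an illustrative model of the decision logic in Python. It is an added example, not Wavefront's code: the cluster, tenant, IDP and session objects, the in-memory credential store that stands in for the external IDP, the email addresses, the tenant-to-customer mapping and the function names are all assumptions made for the example. It reproduces the scenario above (cluster "Research", VMware with tenants A, B and C, Customer 1 with X and Y, a user invited into A and B only) and also covers the default tenant login flag for a user who has no account yet.

```python
"""Illustrative model of MT SSO tenant access decisions (added example, not Wavefront code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set, Tuple
import hmac


class Outcome(Enum):
    GRANTED = "granted"                    # user may enter the requested tenant
    AUTO_CREATED_DEFAULT = "auto_created"  # new user logged in to the IDP's default tenant
    UNAUTHORIZED = "401"                   # authenticated, but not invited into this tenant
    NOT_AUTHENTICATED = "login_failed"     # the IDP rejected the credentials


@dataclass
class Idp:
    name: str
    # Constructed credential store standing in for a real IDP (assumption for the example).
    credentials: Dict[str, str]
    default_tenant_login: bool = False
    default_tenant: Optional[str] = None

    def authenticate(self, email: str, password: str) -> bool:
        expected = self.credentials.get(email)
        # Constant-time comparison so a wrong password does not leak timing information.
        return expected is not None and hmac.compare_digest(expected, password)


@dataclass
class Cluster:
    name: str
    tenants: Dict[str, str]                 # tenant id -> owning customer
    idp: Idp
    invitations: Dict[str, Set[str]] = field(default_factory=dict)  # email -> invited tenant ids


@dataclass
class Session:
    email: str
    active_tenant: str


def login(cluster: Cluster, email: str, password: str, tenant_id: str) -> Tuple[Outcome, Optional[Session]]:
    """Authenticate at the IDP, then decide whether `email` may enter `tenant_id`."""
    if not cluster.idp.authenticate(email, password):
        return Outcome.NOT_AUTHENTICATED, None
    invited = cluster.invitations.get(email)
    if invited is not None and tenant_id in invited:
        return Outcome.GRANTED, Session(email, tenant_id)
    is_new_user = invited is None
    idp = cluster.idp
    if is_new_user and idp.default_tenant_login and idp.default_tenant in cluster.tenants:
        # Default tenant login enabled: create the account and land the user in the default tenant,
        # regardless of which tenant was requested.
        cluster.invitations[email] = {idp.default_tenant}
        return Outcome.AUTO_CREATED_DEFAULT, Session(email, idp.default_tenant)
    # Known user without an invitation, or new user with the flag off: 401 page.
    return Outcome.UNAUTHORIZED, None


def switch_tenant(cluster: Cluster, session: Session, target: str, confirmed: bool) -> Tuple[Outcome, Session]:
    """Move an existing session to another tenant without re-authenticating.

    The confirmation flag models the warning shown before a switch; the invitation
    check is repeated so a session can never reach a tenant it was not invited into.
    """
    if not confirmed:
        raise ValueError("tenant switch requires user confirmation to avoid accidental data loss")
    if target not in cluster.invitations.get(session.email, set()):
        return Outcome.UNAUTHORIZED, session
    return Outcome.GRANTED, Session(session.email, target)


def accessible_tenants(cluster: Cluster, email: str) -> Dict[str, str]:
    """Tenants (with their owning customer) that `email` has been invited into."""
    invited = cluster.invitations.get(email, set())
    return {t: cluster.tenants[t] for t in invited if t in cluster.tenants}


def build_research_cluster(default_tenant_login: bool = False) -> Cluster:
    """Constructed sample data mirroring the scenario in the text (all values are assumptions)."""
    idp = Idp(
        name="example-idp",
        credentials={"user1@vmware.example": "pw-user1", "newhire@vmware.example": "pw-new"},
        default_tenant_login=default_tenant_login,
        default_tenant="A",
    )
    return Cluster(
        name="Research",
        tenants={"A": "VMware", "B": "VMware", "C": "VMware", "X": "Customer 1", "Y": "Customer 1"},
        idp=idp,
        invitations={"user1@vmware.example": {"A", "B"}},
    )


if __name__ == "__main__":
    cluster = build_research_cluster()
    for tenant in ("A", "B", "C", "X"):
        outcome, _ = login(cluster, "user1@vmware.example", "pw-user1", tenant)
        print(f"user1 -> tenant {tenant}: {outcome.value}")
```

The two decisions worth noting are that a known user who asks for an uninvited tenant (C, or Customer 1's X) gets the 401 outcome even though the IDP accepted the credentials, and that the default tenant login flag only applies to users with no account at all, so it cannot be used to widen an existing user's tenant list.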
Want to Try MT SSO?
Currently, Wavefront MT SSO is supported with Google IDP, Okta, and vIDM. If you are a Wavefront customer using one of the above IDPs, then you can adopt a multi-tenant model with one tenant for each team. For more information on setting up Wavefront MT SSO, see the technical documentation or contact the Wavefront team.
Interested in learning more about Wavefront? Check out the Wavefront free trial.
Get Started with Wavefront Follow @Gaanesh_K Follow @WavefrontHQ
Co-authors:
Monir Mozumder
Monir Mozumder is a Senior Member of Technical Staff at VMware, working as a back-end engineer in the Wavefront team under the Cloud Management Business Unit (CMBU). Prior to VMware, he worked in various mid- to senior-level engineering roles at Intel, Motorola, Yahoo, Nokia, and AMD. His interests include Big Data, Security, Cloud Management, Machine Learning, and Microservices platforms.
The post Intelligent Authentication with Wavefront Multi-Tenant Single Sign-On appeared first on Wavefront by VMware.