When you enable the Identity Service for your application, KOTS deploys Dex as an intermediary that can be configured to control access to the application.
Dex implements an array of protocols, known as connectors, for querying other user-management systems.
This feature is only available for licenses that have the Identity Service feature enabled.
The Identity Service currently has the following limitations:
- Only available with embedded cluster installations.
- Only available via the KOTS Admin UI.
The KOTS Identity custom resource enables and configures the Identity Service for your application.
If you prefer, here is an example application that demonstrates how to configure the Identity Service.
To begin, create a new release on the Vendor portal.
Once you are editing the release, create a new KOTS Identity CRD file customized for your application.
The Identity Service has to be accessible from the browser. For that reason, KOTS provides the service name and port to the app through the identity template functions so that the app can configure ingress for the identity service, for example:
All the necessary information that your application needs to communicate and integrate with the identity service can be passed through environment variables, for example:
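The manifests below are an added example, not from the original page or the KOTS project: an Ingress that exposes the identity service over TLS and a Deployment that receives the OIDC client settings through environment variables. The names `my-app`, `my-app-oidc` and `my-app-tls`, the `ingress_hostname` config option, the `OIDC_*` variable names, the image and the `/dex` path are assumptions. The client secret is read from a Secret so that it does not appear inline in the Deployment spec.

```yaml
# Added example; resource names, config option, image, env names and /dex path are assumptions.
apiVersion: v1
kind: Secret
metadata:
  name: my-app-oidc
stringData:
  clientSecret: '{{repl IdentityServiceClientSecret }}'
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app-identity
spec:
  tls:                                  # serve the identity service over HTTPS only
    - hosts: ['{{repl ConfigOption "ingress_hostname" }}']
      secretName: my-app-tls
  rules:
    - host: '{{repl ConfigOption "ingress_hostname" }}'
      http:
        paths:
          - path: /dex
            pathType: Prefix
            backend:
              service:
                name: '{{repl IdentityServiceName }}'
                port:
                  number: repl{{ IdentityServicePort }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  selector: {matchLabels: {app: my-app}}
  template:
    metadata:
      labels: {app: my-app}
    spec:
      containers:
        - name: my-app
          image: registry.example.com/my-app:1.0.0   # placeholder image
          env:
            - name: OIDC_ISSUER_URL     # must match the issuer URL Dex is configured with
              value: 'https://{{repl ConfigOption "ingress_hostname" }}/dex'
            - name: OIDC_CLIENT_ID
              value: '{{repl IdentityServiceClientID }}'
            - name: OIDC_CLIENT_SECRET  # pulled from the Secret, not written inline
              valueFrom:
                secretKeyRef: {name: my-app-oidc, key: clientSecret}
```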
Role Based Access Control
It is also possible to regulate access to your application resources based on the roles of individual users within the customer’s organization.
A list of the available roles within your application can be provided to the customer via the roles section of the Identity CRD.
Then, using the KOTS Admin Console, the customer will have the ability to create groups and assign specific roles to each group.
This mapping of roles to groups will then be available to your application via the IdentityServiceRoles template function.