Azure App Gateway (Advanced)
Deploy Keeper Automator to Azure Container Instances using the Azure App Gateway Service
Overview
This guide provides step-by-step instructions to publish Keeper Automator in a secure VNet with Azure Application Gateway. This method is more advanced than the Azure Container App configuration. If you don't require the use of Azure App Gateway or encrypted SAML requests, it would be best to use the Azure Container App method.
For this method, make sure you already have your SSL Certificate. If not, please follow the steps in the Custom SSL Certificate page.
Instructions
(1) Open the Azure Cloud Shell
Login to portal.azure.com and click on the Cloud Shell icon.
(2) Create a resource group in your preferred region
If the resource group does not exist yet, create it. The example here uses the eastus region; substitute your own region.
(3) Create a Storage Account
If the storage account does not exist yet, create it in the same region (eastus in this example) and in the resource group created above. Note: the name you choose (replacing keeperautomatorstorage) must be globally unique across Azure.
(4) Create a File Share
If the file share does not exist yet, create it.
List the current shares:
(5) Create a Virtual Network (VNet) and one Subnet for the container
(6) Update the Virtual Network with the Service Endpoints
(7) Retrieve Storage Key
To find a storage key for the account, use the command below. Replace the name of the storage account with your specific name.
Copy the key1 value which will look like this:
(8) Retrieve Subnet ID
Run the below command to find the Subnet ID:
Copy the full subnet ID path that ends with _subnet. It will look like this:
(9) Create YAML Container File
In your local filesystem, create a folder such as automator.
In that folder, create a file called automator.yml with the contents below.
Several string values need to be changed to match your configuration from the prior steps:
subnet ID needs to match the full path of the ID retrieved from step 8
storageAccountName needs to match the value from Step 3
storageAccountKey needs to match the value from Step 7
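As an added example (this is not Keeper's own automator.yml and not a file from the original page), the following bash script renders automator.yml from the values gathered in Steps 3, 7 and 8 after sanity-checking each one, so that a subnet name pasted instead of the full resource path, or a storage key copied with stray quotes, is caught before `az container create` is run. The resource and share names, the container image name keeper/automator and the mount path /usr/mykeeper/config are assumptions; take the image and mount path from Keeper's documentation if they differ.

```bash
#!/usr/bin/env bash
# Added example: render an ACI container-group YAML (automator.yml) from the
# subnet ID (step 8), storage account name (step 3) and storage key (step 7).
# Image name, mount path, share name and resource names are assumptions.
set -euo pipefail

# The subnet ID must be the full ARM resource path, not just the subnet name.
validate_subnet_id() {
  case "$1" in
    /subscriptions/*/resourceGroups/*/providers/Microsoft.Network/virtualNetworks/*/subnets/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Azure storage account names: 3-24 characters, lowercase letters and digits only.
validate_storage_account_name() {
  case "$1" in
    *[!a-z0-9]*) return 1 ;;
  esac
  [ "${#1}" -ge 3 ] && [ "${#1}" -le 24 ]
}

# Storage keys are base64; catch a pasted value with quotes, spaces or JSON around it.
validate_storage_key() {
  case "$1" in
    "") return 1 ;;
    *[!A-Za-z0-9+/=]*) return 1 ;;
  esac
}

# Usage: render_automator_yaml <region> <subnet-id> <storage-account> <storage-key>
render_automator_yaml() {
  local region="$1" subnet_id="$2" account="$3" key="$4"
  validate_subnet_id "$subnet_id" || { echo "subnet ID must be the full path copied in step 8" >&2; return 1; }
  validate_storage_account_name "$account" || { echo "invalid storage account name: $account" >&2; return 1; }
  validate_storage_key "$key" || { echo "storage key does not look like the key1 value from step 7" >&2; return 1; }
  cat <<EOF
apiVersion: '2021-07-01'
location: ${region}
name: automator
type: Microsoft.ContainerInstance/containerGroups
properties:
  osType: Linux
  restartPolicy: Always
  # Private IP inside the VNet; the App Gateway backend pool points at it (step 12).
  ipAddress:
    type: Private
    ports:
    - port: 443
      protocol: TCP
  subnetIds:
  - id: ${subnet_id}
  containers:
  - name: automator
    properties:
      image: keeper/automator:latest
      ports:
      - port: 443
        protocol: TCP
      resources:
        requests:
          cpu: 1.0
          memoryInGB: 1.5
      # The file share holds automator.yml, ssl-certificate.pfx and
      # ssl-certificate-password.txt (step 10); the mount path is assumed.
      volumeMounts:
      - name: automator-config
        mountPath: /usr/mykeeper/config
  volumes:
  - name: automator-config
    azureFile:
      shareName: automator
      storageAccountName: ${account}
      storageAccountKey: ${key}
EOF
}

# Run as a script:
#   ./render-automator-yml.sh eastus "<subnet id>" keeperautomatorstorage "<key1>" > automator.yml
# The rendered file embeds the storage key, so keep it out of version control.
if [ "$#" -eq 4 ]; then
  render_automator_yaml "$@"
fi
```

Because the storage account key ends up in clear text inside automator.yml, treat the file share and the local copy of the file as secrets: restrict who can read the share, and rotate key1 if the file is ever exposed.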
(10) Upload the SSL Certificate and SSL Password Files
From the Azure interface, navigate to the Resource Group > Storage Account > File Share > into the Automator file share created. From here, upload the automator.yml file, SSL certificate file and SSL certificate password file.
Make sure your files are named automator.yml, ssl-certificate.pfx and ssl-certificate-password.txt.
(11) Copy the 3 files to your local CLI workspace
(12) Create the Container Instance
Create the container using the configuration in automator.yml.
Obtain the Internal IP of the container in the response.
For later, set a variable of this IP, for example:
(13) Create Application Gateway Subnet
(14) Create an Application Gateway
Ensure that the SSL certificate password is replaced in the XXXXXX section.
(15) Locate the Public IP
In the Azure portal interface, navigate to the Resource Group > App Gateway and make note of the public IP address.
(16) Route DNS
Ensure that the DNS record for your Automator service (e.g. automator.company.com) points to the public IP address of the Application Gateway noted in Step 15.
The DNS name must match the subject name (or a subject alternative name) of the SSL certificate, or else requests will fail.
(17) Create a Health Probe
A health probe will inform the App Gateway that the Automator service is running. From the Azure portal interface, open the Automator App Gateway and then click on "Health probes" from the left menu.
Now create a new Health Probe with the settings as seen in the below screenshot. Make sure to replace the Host with the FQDN set up in Step 16.
Click on "Test" and then add the probe. The test succeeds if the App Gateway can reach the container IP in the backend pool using that host name.
(18) Configure the Web Application Firewall
From the Azure portal interface, open the Automator App Gateway and then click on "Web application firewall" on the left side. Enable the WAF V2 and configure the screen exactly as seen below.
Click on the "Rules" tab, select the "OWASP 3.2" rule set, click "Enabled" and then "Save". This is a critical step.
The final step is to configure Automator using Keeper Commander.
(19) Install Keeper Commander
At this point, the service is running but it is not able to communicate with Keeper yet.
On your workstation, server or any other computer, install the Keeper Commander CLI. It is only used for the initial setup. The installation instructions, including binary installers, are here:
Installing Keeper Commander
After Commander is opened, login using the login command. To set up Automator, you must login as a Keeper Administrator or as an Admin with the ability to manage the SSO node.
(20) Initialize with Commander
Login to Keeper Commander and activate the Automator using a series of commands, starting with automator create
The Node Name (in this case "Azure Cloud") comes from the Admin Console UI as seen below.
The output of the command will display the Automator settings, including metadata from the identity provider.
Note that the "URL" is not populated yet. Edit the URL with the FQDN you selected.
Next we exchange keys: The enterprise private key encrypted with the Automator public key is provided to Automator:
Initialize the Automator with the new configuration
Enable the service
At this point, the configuration is complete.
For automated health checks, you can use the below URL:
https://<server>/health
Example curl command:
Note this URL will not open in a web browser.
(21) For environments using AD FS ...
When activating Keeper Automator with AD FS as the identity provider, users will not be able to login until you update the Keeper certificate using the instructions below:
Login to the Keeper Admin Console
Go to Admin > SSO Node > Provisioning and then view the SSO Cloud configuration.
Click on "Export SP Cert".
In the AD FS Management Console select the Keeper Cloud SSO Relying Party Trust properties.
On the "Encryption" tab, replace the old certificate with this new cert.
On the "Signature" tab, Add/Replace the new SP certificate with this new cert.
Setup Complete!
That's it, your Automator service should now be running.
Azure Portal
In the Azure Portal, under "Container Instances", you can see the container running. You can also connect to the container (using /bin/sh) and view the running logs.
Updating the IP on Container Restart
Based on this configuration, it is possible that restarting the container will assign a new IP address from the /24 subnet. To quickly locate the new IP and update the Application Gateway backend pool with the correct IP, the below script can be run from the Azure CLI.
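The page's own script is not reproduced here. As an added example (not Keeper's code), the following bash script does the same job: it reads the container group's current private IP with the Azure CLI, compares it with the address in the App Gateway backend pool, and rewrites the pool only when the two differ, refusing to run if the container has not yet been assigned an IPv4 address. The resource, gateway and pool names are assumptions and can be overridden through the environment; the AZ variable can be pointed at a stub command so the logic can be exercised without an Azure subscription.

```bash
#!/usr/bin/env bash
# Added example: re-point the Application Gateway backend pool at the container's
# current private IP after a restart. Resource names are assumptions; override
# them through the environment. AZ can be set to a stub command for testing.
set -euo pipefail

RESOURCE_GROUP="${RESOURCE_GROUP:-automator-rg}"
CONTAINER_GROUP="${CONTAINER_GROUP:-automator}"
GATEWAY_NAME="${GATEWAY_NAME:-automator-appgw}"
POOL_NAME="${POOL_NAME:-automator-backend}"
AZ="${AZ:-az}"

# Accept only a dotted-quad IPv4 address; a restarting container may report nothing.
is_ipv4() {
  [[ $1 =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  local octet
  for octet in "${BASH_REMATCH[@]:1}"; do
    (( 10#$octet <= 255 )) || return 1
  done
}

# Private IP currently assigned to the container group (empty while it is starting).
container_ip() {
  "$AZ" container show --resource-group "$RESOURCE_GROUP" --name "$CONTAINER_GROUP" \
    --query ipAddress.ip --output tsv
}

# First address in the App Gateway backend pool (empty if the pool is empty).
pool_ip() {
  "$AZ" network application-gateway address-pool show --resource-group "$RESOURCE_GROUP" \
    --gateway-name "$GATEWAY_NAME" --name "$POOL_NAME" \
    --query 'backendAddresses[0].ipAddress' --output tsv
}

# Replace the pool's address list with the container's current IP when it has changed.
sync_backend_pool() {
  local new_ip old_ip
  new_ip=$(container_ip)
  if ! is_ipv4 "$new_ip"; then
    echo "container group $CONTAINER_GROUP has no private IPv4 address yet: '$new_ip'" >&2
    return 1
  fi
  old_ip=$(pool_ip)
  if [ "$new_ip" = "$old_ip" ]; then
    echo "backend pool already points at $new_ip"
    return 0
  fi
  "$AZ" network application-gateway address-pool update --resource-group "$RESOURCE_GROUP" \
    --gateway-name "$GATEWAY_NAME" --name "$POOL_NAME" --servers "$new_ip" --output none
  echo "backend pool updated: ${old_ip:-<empty>} -> $new_ip"
}

# Run as a script from the Azure Cloud Shell: ./sync-automator-ip.sh --sync
if [ "${1:-}" = "--sync" ]; then
  sync_backend_pool
fi
```

After the pool is updated, the health probe from Step 17 should turn healthy within its probe interval; if it does not, check that the new IP is still inside the container subnet that the App Gateway's backend settings expect.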
Testing the Automator Service
Now that Keeper Automator is deployed, you can test the end-user experience. No prompts for approval will be required after the user authenticates with the SSO identity provider.
The easiest way to test is to open an incognito or guest mode window, go to the Keeper Web Vault and login with SSO Cloud. If you are not prompted for device approval, the Automator is functioning properly.