Prerequisites#

  • An Identity Provider (IdP) account with the access rights needed to configure application integrations using OpenID Connect (OIDC), manage group assignments, and, if needed, modify user group memberships.

    • The well-known OpenID Connect (OIDC) discovery URL provides a standardized mechanism for relying parties to retrieve an identity provider’s configuration details. It’s typically found here:

      https://<your_issuer_url>/.well-known/openid-configuration

  • A Linux virtual machine running Ubuntu 22.04 with administrative access and unrestricted Internet connectivity. While other Ubuntu versions might also be compatible, some instructions may require modification.

  • Possession of a fully qualified domain name (FQDN) along with its associated TLS certificate and private key, or alternatively, a wildcard certificate covering the parent FQDN.

  • Access to the Omniverse on DGX Cloud Portal Sample.

  • Endpoint URL for the portal. We are using https://myovc.com as an example for this guide.

Common Challenges#

  • The portal requires HTTPS to function properly. For testing purposes, using a self-signed certificate is acceptable.

  • You must use the fully qualified domain name (FQDN); relying solely on the IPv4 address will disrupt proper WebRTC streaming functionality.

  • The frontend and backend must either be reverse proxied or integrated using Ingress or an Application Load Balancer (ALB), and they must reside under the same domain. From the browser’s perspective, using the same FQDN with different ports is treated as separate origins.

  • The Front End requires a connection to be successfully established with an Identity Provider (IdP).

NVCF Information#

  • An nvcf_api_key, which is provided as part of your Omniverse on DGX Cloud subscription.

Certificates#

  • A certificate is required to proceed with the steps in this document. You must provide the following two files:

    • key.pem - The private key file of the certificate, in PEM format

    • cert.pem - The certificate chain, in PEM format

Note

The certificate’s Common Name (CN) must exactly match the Fully Qualified Domain Name (FQDN) assigned to the reverse proxy entry. We are generating self-signed certs for myovc.com as an example.
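
A pre-flight check for the two files above, as an added example that is not part of the original guide: it creates a test-only self-signed pair for myovc.com with the openssl CLI, then confirms that key.pem belongs to cert.pem and that the CN equals the FQDN. The function names are hypothetical, and the subjectAltName entry is an addition made here because current browsers match hostnames against SAN rather than CN.

```python
import subprocess


def _openssl(*args):
    """Run the openssl CLI and return stdout; raises CalledProcessError on failure."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout


def make_self_signed(fqdn, cert_path="cert.pem", key_path="key.pem", days=30):
    """Test-only pair: unencrypted RSA key, CN and SAN both set to fqdn.

    Assumption: OpenSSL 1.1.1 or later, which is needed for -addext.
    """
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes",
             "-keyout", key_path, "-out", cert_path, "-days", str(days),
             "-subj", f"/CN={fqdn}", "-addext", f"subjectAltName=DNS:{fqdn}")


def check_cert_pair(fqdn, cert_path="cert.pem", key_path="key.pem"):
    """Return a list of problems; an empty list means the pair is usable."""
    problems = []
    # key.pem must hold the private key of the first (leaf) certificate in cert.pem:
    # both commands print the same SubjectPublicKeyInfo PEM when they belong together.
    cert_pub = _openssl("x509", "-in", cert_path, "-noout", "-pubkey")
    key_pub = _openssl("pkey", "-in", key_path, "-pubout")
    if cert_pub != key_pub:
        problems.append("key.pem does not match the certificate in cert.pem")
    # The CN must equal the reverse-proxy FQDN exactly (simple split; assumes
    # no escaped commas in the subject).
    subject = _openssl("x509", "-in", cert_path, "-noout",
                       "-subject", "-nameopt", "RFC2253")
    rdns = subject.split("=", 1)[1].strip().split(",")
    cn = next((r[3:] for r in rdns if r.startswith("CN=")), None)
    if cn != fqdn:
        problems.append(f"CN is {cn!r}, expected {fqdn!r}")
    return problems


if __name__ == "__main__":
    make_self_signed("myovc.com")
    print(check_cert_pair("myovc.com") or "cert.pem and key.pem are consistent")
```
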

IDP Information#

The following information must be obtained from the Identity Provider (IdP) security administrator. Most OpenID Connect (OIDC) endpoints can be retrieved by accessing the standard discovery URL: <URL>/.well-known/openid-configuration. For this example we are using https://auth.keycloak.com as the IdP.

| FIELD | EXAMPLE ENTRY | EXPLANATION |
|---|---|---|
| authority | https://auth.keycloak.com/realms/ovc-auth/protocol/openid-connect/auth | This is NOT the OIDC authorization endpoint. It is a URL that, when suffixed with “/.well-known/openid-configuration”, returns a “well known OIDC configuration” that is conformant to https://openid.net/specs/openid-connect-discovery-1_0.html. |
| clientID | portal-sample-auth | A public identifier for applications that will use the OIDC protocol for authentication and authorization of the OVC application. |
| redirectUri | https://myovc.com/openid | This is the URL that redirects OpenID requests to the OIDC server. It will have the domain name of the portal. In this example, we are using MyOVC for this guide. |
| scope | openid profile email groups | This is a free-form text field. |
| backend | https://myovc.com/api | This is the URL that will redirect the inbound API calls to the NVCF backend. |
| nucleus | nucleus-server.com | This will point to the Nucleus server. (Do not specify the https:// prefix.) |
| nvcf_api_key | nvapi-XXXX | The API token is obtained from NVCF. It is not required to use the same API key that was used previously in the OVC 2.0 - Container to Function document. |
| jwks_uri | https://auth.keycloak.com/realms/ovc-auth/protocol/openid-connect/certs | The endpoint used to obtain public keys (JWK) for validating user tokens. Must point to the jwks_uri field from the Configuration Request. https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig |
| jwks_alg | RS256 | The algorithm used by the IdP to generate ID tokens. |
| jwks_ttl | 1000 | The number of seconds to cache public keys (JWK) retrieved from jwks_uri. |
| userinfo_endpoint | https://auth.keycloak.com/realms/ovc-auth/protocol/openid-connect/userinfo | The endpoint used to obtain additional user info from the IdP. Must point to the userinfo_endpoint field from the Configuration Request. https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig |
| userinfo_ttl | 1000 | The number of seconds to cache user info retrieved from userinfo_endpoint. |
| admin_group | admin | The user group required for updating or deleting data via the API. |
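
One way to cross-check the portal settings in the table against the IdP's discovery document before deploying, as an added example that is not part of the original guide or the portal sample. The function names, the constructed DISCOVERY and CONFIG values, and the assumption that the realm URL is the issuer (the standard Keycloak layout) are all introduced here; the same-origin check reflects the requirement under Common Challenges.

```python
import json
from urllib.parse import urlsplit
from urllib.request import urlopen

REALM = "https://auth.keycloak.com/realms/ovc-auth"  # the guide's example IdP
OIDC = REALM + "/protocol/openid-connect"

# Constructed stand-in for the JSON served at REALM/.well-known/openid-configuration
DISCOVERY = {
    "issuer": REALM,
    "authorization_endpoint": OIDC + "/auth",
    "jwks_uri": OIDC + "/certs",
    "userinfo_endpoint": OIDC + "/userinfo",
    "id_token_signing_alg_values_supported": ["RS256", "ES256"],
    "scopes_supported": ["openid", "profile", "email", "groups"],
}
# Constructed portal settings, keyed by the FIELD names in the table
CONFIG = {
    "authority": REALM, "scope": "openid profile email groups",
    "redirectUri": "https://myovc.com/openid", "backend": "https://myovc.com/api",
    "jwks_uri": OIDC + "/certs", "jwks_alg": "RS256",
    "userinfo_endpoint": OIDC + "/userinfo",
}

def fetch_discovery(authority):
    """Live alternative to DISCOVERY: download the document from the IdP."""
    url = authority.rstrip("/") + "/.well-known/openid-configuration"
    with urlopen(url, timeout=10) as resp:
        return json.load(resp)

def check_portal_config(cfg, disc):
    """Compare portal settings with the discovery document; return a list of problems."""
    problems = []
    if cfg["authority"] == disc.get("authorization_endpoint"):
        problems.append("authority is the authorization endpoint, not the discovery base URL")
    elif cfg["authority"].rstrip("/") != disc["issuer"].rstrip("/"):
        problems.append("authority does not equal the issuer in the discovery document")
    for field in ("jwks_uri", "userinfo_endpoint"):
        if cfg[field] != disc.get(field):
            problems.append(f"{field} differs from the discovery document")
    if cfg["jwks_alg"] not in disc.get("id_token_signing_alg_values_supported", []):
        problems.append("jwks_alg is not an ID token signing algorithm the IdP advertises")
    scopes = cfg["scope"].split()
    if "openid" not in scopes:
        problems.append("scope must include openid")
    if set(scopes) - set(disc.get("scopes_supported", scopes)):
        problems.append("scope requests values the IdP does not advertise")
    # Frontend and backend must share one HTTPS origin (scheme, host and port)
    front, back = urlsplit(cfg["redirectUri"]), urlsplit(cfg["backend"])
    if front.scheme != "https" or front[:2] != back[:2]:
        problems.append("redirectUri and backend must be HTTPS URLs on the same origin")
    return problems
```

Against a real IdP, pass `fetch_discovery(CONFIG["authority"])` in place of `DISCOVERY`.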

Note

There are multiple API key types within NGC. We strongly recommend using the NGC Personal API Key for complete NVCF API compatibility. NVCF is not compatible with legacy or global API keys and may not function correctly if they are used. Learn more about NGC API Keys.