Rancher Keycloak authentication setup - keycloak

I'm trying to set up Rancher to use Keycloak as an authentication provider and am following the steps laid out here. The last step says to export the metadata in the SAML Metadata IDPSSODescriptor format, but I only see SAML Metadata SPSSODescriptor as an option. I've tried using that, but authentication isn't working: it opens another window with the same Keycloak setup page when clicking the Authenticate with Keycloak button to validate the setup. There are no errors in the Docker logs for either the Rancher or Keycloak containers when running the docker logs CONTAINER command.
I'm wondering if I need to do something specific to set up Keycloak as an IdP to get the correct metadata option, but I can't find anything in their documentation.

For Keycloak 6.0 and up, both the location of the IDPSSODescriptor and its format have changed. This doc explains how it can be edited to be used by Rancher.

From the Installation tab, choose the SAML Metadata IDPSSODescriptor format option and download your file.
Or you can directly visit the Keycloak URL that serves the IDPSSODescriptor metadata:
https://<keycloak-domain>/auth/realms/<realm>/protocol/saml/descriptor
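Whichever way the file is obtained, it is worth checking that it really is the identity provider's descriptor before pasting it into Rancher. The script below is an added example (not code from Rancher, Keycloak or the thread): it parses a SAML 2.0 EntityDescriptor and reports whether it carries an IDPSSODescriptor or an SPSSODescriptor, the entityID, whether a signing certificate is present (the service provider verifies assertion signatures with it), and the SingleSignOnService endpoints. Both metadata documents embedded in it are constructed samples in the shape Keycloak serves at the descriptor URL above; the hostnames, realm name and certificate body are placeholders.

```python
"""Check which SAML role a downloaded Keycloak metadata file describes.

Added example, not code from Rancher or Keycloak. Rancher's setup asks for the
identity provider's descriptor (IDPSSODescriptor); the client "Installation"
tab offers the service provider's (SPSSODescriptor), which is the wrong one.
The two documents below are constructed samples; hostnames, the realm name
and the certificate body are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed: shape of /auth/realms/<realm>/protocol/saml/descriptor
SAMPLE_IDP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://keycloak.example.invalid/auth/realms/rancher">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-PLACEHOLDER-CERTIFICATE</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloak.example.invalid/auth/realms/rancher/protocol/saml"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://keycloak.example.invalid/auth/realms/rancher/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed: what the client's "SAML Metadata SPSSODescriptor" export looks like
SAMPLE_SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://rancher.example.invalid/v1-saml/keycloak/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://rancher.example.invalid/v1-saml/keycloak/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def inspect_saml_metadata(xml_text):
    """Summarise an EntityDescriptor: role, entityID, signing cert, SSO endpoints."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    sp = root.find("md:SPSSODescriptor", NS)
    summary = {
        "role": "IDPSSODescriptor" if idp is not None
        else ("SPSSODescriptor" if sp is not None else None),
        "entity_id": root.get("entityID"),
        "has_signing_cert": False,
        "sso_endpoints": {},
    }
    if idp is not None:
        # The service provider verifies assertion signatures with this certificate.
        cert = idp.find(
            "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS
        )
        summary["has_signing_cert"] = cert is not None and bool((cert.text or "").strip())
        for svc in idp.findall("md:SingleSignOnService", NS):
            binding = svc.get("Binding", "").rsplit(":", 1)[-1]  # e.g. HTTP-POST
            summary["sso_endpoints"][binding] = svc.get("Location")
    return summary


def looks_like_idp_metadata(xml_text):
    """True for an IdP descriptor that carries a signing cert and an SSO endpoint."""
    s = inspect_saml_metadata(xml_text)
    return s["role"] == "IDPSSODescriptor" and s["has_signing_cert"] and bool(s["sso_endpoints"])


if __name__ == "__main__":
    for label, doc in (("IdP export", SAMPLE_IDP_METADATA), ("SP export", SAMPLE_SP_METADATA)):
        print(label, inspect_saml_metadata(doc), "usable:", looks_like_idp_metadata(doc))
```

Run it against the file you downloaded by replacing the sample string with the file's contents; an export that comes back as SPSSODescriptor is the client's own metadata and will not get Rancher past the validation step.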

Change authentication url in Quarkus' Swagger-UI

The problem is, I'm starting the Quarkus service and a Keycloak in a docker-compose setup, where I need to configure the internal hostname, and it won't be the same one I will use to authenticate from outside.
In the following picture I want Swagger-UI to open the external URL (http://localhost:8180 in my case) instead of the internal docker-compose URL (http://keycloak:8080).
Is there a config property available to change this? I did not find anything matching and tried out some stuff, but was unsuccessful.
I'm starting the Keycloak server in dev mode and mount a custom realm file.
For the Quarkus service I set the following properties:
environment:
QUARKUS_OIDC_AUTH_SERVER_URL: http://keycloak:8080/realms/WPLAT_dev-keycloak-realm
QUARKUS_OIDC_CLIENT_ID: my-service
QUARKUS_OIDC_CREDENTIALS_SECRET: secret
QUARKUS_OIDC_TOKEN_ISSUER: http://localhost:8180/realms/WPLAT_dev-keycloak-realm
(QUARKUS_OIDC_TOKEN_ISSUER was needed or otherwise the returned tokens weren't accepted)

How Mastodon Configured Login Using SSO

How does Mastodon configure login using SSO, such as OpenID with Keycloak? I searched on GitHub and configured Mastodon following this guide, but it doesn't work.
These are my environment variables:
OIDC_ENABLED=true
OIDC_DISPLAY_NAME=SSO
OIDC_AUTH_ENDPOINT=https://SSO_URL/realms/mastodon/.well-known/openid-configuration
OIDC_ISSUER=https://SSO_URL/realms/mastodon
OIDC_DISCOVERY=true
OIDC_SCOPE="openid,profile"
OIDC_UID_FIELD=uid
OIDC_CLIENT_ID=masto
OIDC_REDIRECT_URI=https://MASTODON_URL/auth/auth/openid_connect/callback
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
OIDC_CLIENT_SECRET=***
I checked the error log via this command but it is empty.
docker-compose logs | grep ERROR
Even the text of the SSO button has not changed.
Here is the screenshot of the SSO button.
My config:
OIDC_ENABLED=true
OIDC_DISPLAY_NAME=My IDM
OIDC_DISCOVERY=true
OIDC_ISSUER=https://<keycloak_url>/auth/realms/<real>
OIDC_AUTH_ENDPOINT=https://<keycloak_url>/auth/realms/<real>/.well-known/openid-configuration
OIDC_SCOPE=openid,profile,email
OIDC_UID_FIELD=preferred_username
OIDC_CLIENT_ID=<client id>
OIDC_CLIENT_SECRET=<client secret>
OIDC_REDIRECT_URI=https://<mastodon URL>/auth/auth/openid_connect/callback
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
Tested with Mastodon 3.5.3 and Keycloak 7.0.1.
Maybe only change your OIDC_SCOPE and OIDC_UID_FIELD environment values.
I cannot comment, but Erik's suggestion was really good; here is our minimal configuration using Keycloak in discovery mode:
# Enable OIDC
OIDC_ENABLED=true
# Name your button (ignored in current 3.5.3 but fix is done in upcoming releases)
OIDC_DISPLAY_NAME=Login with MySSO
# Where to find your Keycloak OIDC server
OIDC_ISSUER=https://<keycloak_domain>/realms/<my_realm>
# Use discovery to determine all OIDC endpoints
OIDC_DISCOVERY=true
# Scope you want to obtain from OIDC server
OIDC_SCOPE=openid,profile,email
# Field to be used for populating user's #alias
OIDC_UID_FIELD=preferred_username
# Client ID of the client you configured for Mastodon in Keycloak
OIDC_CLIENT_ID=<keycloak_client_id>
# Client secret of the client you configured for Mastodon in Keycloak (in production, use secrets; Docker secrets in our case)
OIDC_CLIENT_SECRET=<keycloak_client_secret>
# Where OIDC server should come back after authentication
OIDC_REDIRECT_URI=https://<mastodon_domain>/auth/auth/openid_connect/callback
# Assume emails are verified by the OIDC server
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
So the only difference is that we didn't have to add OIDC_AUTH_ENDPOINT, thanks to OIDC discovery.
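Two details run through both the Quarkus thread and the Mastodon thread above: with discovery enabled, every endpoint is read from the issuer's /.well-known/openid-configuration document (so a separate OIDC_AUTH_ENDPOINT adds nothing), and the iss claim inside the tokens has to equal the issuer the client trusts, which is why a service that reaches Keycloak as http://keycloak:8080 but receives tokens issued as http://localhost:8180 needs an issuer override. The following is an added example, not code from Quarkus, Mastodon or Keycloak; the discovery document and the token it builds are constructed samples (the token carries a placeholder signature), the realm name is taken from the Quarkus question, and the helper names are hypothetical.

```python
"""OIDC discovery and issuer checks behind the Quarkus and Mastodon threads.

Added example, not code from Quarkus, Mastodon or Keycloak. The discovery
document and the token below are constructed samples (the token is not
signed); hostnames and the realm name are placeholders.
"""
import base64
import json

INTERNAL_ISSUER = "http://keycloak:8080/realms/WPLAT_dev-keycloak-realm"   # docker-compose name
EXTERNAL_ISSUER = "http://localhost:8180/realms/WPLAT_dev-keycloak-realm"  # browser-facing URL

# Constructed: what Keycloak answers when its frontend URL is localhost:8180
SAMPLE_DISCOVERY = {
    "issuer": EXTERNAL_ISSUER,
    "authorization_endpoint": EXTERNAL_ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": EXTERNAL_ISSUER + "/protocol/openid-connect/token",
    "userinfo_endpoint": EXTERNAL_ISSUER + "/protocol/openid-connect/userinfo",
    "jwks_uri": EXTERNAL_ISSUER + "/protocol/openid-connect/certs",
}


def discovery_url(issuer):
    """Where OpenID Connect Discovery 1.0 places the provider document."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def endpoints_from_discovery(doc, configured_issuer):
    """Pick the endpoints a relying party needs out of a discovery document.

    Discovery 1.0 section 4.3 requires the document's `issuer` to equal the
    issuer it was fetched for; a mismatch means the client names the provider
    differently from how the provider names itself in tokens.
    """
    if doc.get("issuer") != configured_issuer:
        raise ValueError(
            f"issuer mismatch: document says {doc.get('issuer')!r}, "
            f"client is configured for {configured_issuer!r}"
        )
    required = ("authorization_endpoint", "token_endpoint", "jwks_uri")
    missing = [key for key in required if key not in doc]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    optional = ("userinfo_endpoint", "end_session_endpoint")
    return {key: doc[key] for key in required + optional if key in doc}


def accepted_issuer(auth_server_url, token_issuer_override=None):
    """Issuer a client accepts in `iss`: the override when set (the effect the
    thread attributes to QUARKUS_OIDC_TOKEN_ISSUER), otherwise the server URL."""
    return token_issuer_override or auth_server_url


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims):
    """Constructed compact JWT with a placeholder signature, for this demo only."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.PLACEHOLDER-SIGNATURE"


def unverified_claims(token):
    """Read the payload of a compact JWT without checking its signature.

    Only for diagnosing an issuer mismatch; before any claim is trusted the
    signature has to be verified against the keys published at `jwks_uri`.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64 padding the JWT strips
    return json.loads(base64.urlsafe_b64decode(payload))


def token_issuer_matches(token, issuer):
    return unverified_claims(token).get("iss") == issuer


if __name__ == "__main__":
    print(discovery_url(EXTERNAL_ISSUER))
    print(endpoints_from_discovery(SAMPLE_DISCOVERY, EXTERNAL_ISSUER))
    sample = make_sample_token({"iss": EXTERNAL_ISSUER, "sub": "user-1", "aud": "my-service"})
    print("accepted with override:", token_issuer_matches(sample, accepted_issuer(INTERNAL_ISSUER, EXTERNAL_ISSUER)))
    print("accepted without override:", token_issuer_matches(sample, accepted_issuer(INTERNAL_ISSUER)))
```

For the Mastodon question, discovery_url applied to the OIDC_ISSUER value gives exactly the OIDC_AUTH_ENDPOINT that was set by hand, which is why dropping it changes nothing once OIDC_DISCOVERY=true. For the Quarkus question, the last two lines show the rejection: tokens issued under the external name fail the issuer check until the accepted issuer is overridden to match.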

How to show username on Zeppelin-Keycloak

I deployed Zeppelin (v0.8.2) on my Kubernetes cluster and configured it to connect to Keycloak for user authentication and authorization. However, as you can see in the image (upper-right corner), it shows the User ID generated by Keycloak.
How can I change this to show the username/user name instead?
This is a Shiro config problem, solved by adding pac4jRealm.principalNameAttribute = name to shiro.ini.
The solution can be referenced from https://github.com/bujiio/buji-pac4j/issues/61

login.OAuthLogin(missing saved state) - Community version of grafana with OKTA integration

I'm trying to configure Community edition Grafana (official Docker image) with Okta integration.
After doing the Okta configuration, Okta authenticates and redirects the request to Grafana, where I host it,
but it shows the following error:
login.OAuthLogin(missing saved state)
I'm not using any database for storing sessions. I want to save it on local file only.
Please suggest.
I had the same problem, which had to do with the 'email' attribute not being available to Grafana.
Make sure that 'api_url' contains 'email'.
In Grafana OAuth config, set the following:
email_attribute_path
email_attribute_name
Example:
[auth.generic_oauth]
email_attribute_path=email
email_attribute_name=email
Example Grafana Configuration containing these properties can be found here: https://github.com/grafana/grafana/blob/v6.4.0/conf/sample.ini
Thanks for response, I found detailed help at: https://www.gyanblog.com/gyan/how-configure-grafana-dashboard-oauth-okta-ssl-docker-nginx/

how can I pass dynamic IP address in keycloak realm redirect URL?

I have created a Keycloak Docker image and deployed it in Kubernetes on my on-premise server, and set up localhost: as the redirect URL. When I am accessing it from other systems, it should be the IP address of that system instead of localhost. Could you please help me to get a dynamic IP set up in my Keycloak from the Kubernetes script?
I think you can just set the redirectUris in your realm config to *. Otherwise each system to be accessible needs to be added to the realm, which you can do from the admin console or through the API.
In Activiti we distribute a keycloak helm chart with a custom realm for activiti installations. In that we set redirectUris to * and allow that to be overridden at install time. We're doing that in a helm chart but if you weren't using a helm template then you could do a sed to replace a string. But that is for a shareable distribution. If you've just got a single installation then I'd expect you to be adding applications/clients to the realm through the console or API.
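The two options in the answers above (a bare * versus registering each system) differ in what the realm will redirect an authorization code to, and that is the thing to weigh before choosing. The script below is an added example, not Keycloak's own code: it models the matching rule Keycloak documents for a client's Valid Redirect URIs (an entry matches the requested redirect_uri exactly, or as a prefix when the entry ends in *, and a bare * matches anything) and compares what three registration styles accept for the same set of requests. The registered entries, request URIs and host addresses are constructed placeholders, and the helper names are hypothetical.

```python
"""What a Keycloak-style redirect URI allow-list accepts.

Added example, not Keycloak's own code. Models the documented matching rule
for a client's "Valid Redirect URIs": exact match, prefix match for entries
ending in `*`, and a bare `*` that accepts anything. All URIs below are
constructed placeholders.
"""
from urllib.parse import urlsplit


def redirect_uri_allowed(requested, registered):
    """True when `requested` matches at least one registered entry."""
    for entry in registered:
        if entry == "*":
            return True  # wildcard-only entry: no host or path check at all
        if entry.endswith("*"):
            if requested.startswith(entry[:-1]):
                return True
        elif requested == entry:
            return True
    return False


def registered_for_hosts(hosts, port, path, scheme="http"):
    """Exact entries for a known set of client machines: the per-system
    registration the answer above describes doing via the console or API."""
    return [f"{scheme}://{host}:{port}{path}" for host in hosts]


def hosts_accepted(registered, candidates):
    """Hosts among `candidates` that the registered list would send a code to."""
    return sorted({urlsplit(u).netloc for u in candidates if redirect_uri_allowed(u, registered)})


# Constructed requests: two expected workstations, a path outside the callback
# on one of them, and a host that was never registered.
CANDIDATE_REDIRECTS = [
    "http://localhost:3000/callback",
    "http://10.0.0.12:3000/callback",
    "http://10.0.0.12:3000/admin",
    "https://unregistered.example.invalid/callback",
]


def compare_policies():
    """Which hosts each registration style accepts for CANDIDATE_REDIRECTS."""
    policies = {
        "wildcard": ["*"],
        "prefix": ["http://10.0.0.*"],
        "exact": registered_for_hosts(["localhost", "10.0.0.12"], 3000, "/callback"),
    }
    return {name: hosts_accepted(entries, CANDIDATE_REDIRECTS) for name, entries in policies.items()}


if __name__ == "__main__":
    for name, hosts in compare_policies().items():
        print(f"{name:9s} -> {hosts}")
```

The wildcard row is the cost of the quick fix: a realm registered with * will also redirect to the host that was never registered, so the code the user just obtained ends up wherever the redirect_uri parameter pointed. A prefix entry limits that to one network range, and the exact list (what adding each system through the console or API produces) limits it to the callback paths you chose; the sed or Helm override mentioned above is one way to generate that list per installation.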