SSO with SAML, Keycloak and Nextcloud - single-sign-on

I am trying to set up Keycloak as an IdP (Identity Provider) and Nextcloud as a service. I want to set up Keycloak to present an SSO (single-sign-on) page.
I am running a Linux server with an Intel-compatible CPU. What is the correct configuration?
Keycloak will be running as https://kc.example.com
Nextcloud will be running as https://nc.example.com

Prerequisite:
To use this answer you will need to replace example.com with an actual domain you own. Also, replace email#example.com with your working e-mail address.
It is assumed you have docker and docker-compose installed and running.
Setup your services with Docker
In addition to keycloak and nextcloud I use:
nginx as a reverse-proxy
letsencrypt to generate the SSL certificates for the sub-domains.
I'm setting up all the needed services with docker and docker-compose. This is how the docker-compose.yml looks:
version: '2'
services:
  # reverse proxy in front of Keycloak and Nextcloud; routes by VIRTUAL_HOST
  nginx-proxy:
    image: jwilder/nginx-proxy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/etc/nginx/vhost.d"
      - "./proxy-default.conf:/etc/nginx/conf.d/my-proxy.default.conf:ro"
      - "/usr/share/nginx/html"
      - "/var/run/docker.sock:/tmp/docker.sock:ro"
      - "./le-cert:/etc/nginx/certs:ro"
    labels:
      com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
  # obtains Let's Encrypt certificates for every LETSENCRYPT_HOST it sees
  letsencrypt-nginx-proxy-companion:
    image: jrcs/letsencrypt-nginx-proxy-companion
    restart: unless-stopped
    depends_on:
      - nginx-proxy
    container_name: le-proxy-companion
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./le-cert:/etc/nginx/certs:rw"
    volumes_from:
      - nginx-proxy
  keycloak:
    image: jboss/keycloak
    links:
      - keycloak-postgres:postgres
    ports:
      - "8080:8080"
    volumes:
      - ./keycloak:/opt/jboss/keycloak
    environment:
      - KEYCLOAK_USER=admin
      - KEYCLOAK_PASSWORD=admin
      # needed because Keycloak sits behind the TLS-terminating proxy
      - "PROXY_ADDRESS_FORWARDING=true"
      - VIRTUAL_PORT=8080
      - VIRTUAL_HOST=kc.example.com
      - LETSENCRYPT_HOST=kc.example.com
      - LETSENCRYPT_EMAIL=email#example.com
  keycloak-postgres:
    image: postgres
    environment:
      - POSTGRES_DB=keycloak
      - POSTGRES_USER=keycloak
      - POSTGRES_PASSWORD=keycloak
  nextcloud:
    image: hoellen/nextcloud
    environment:
      - UPLOAD_MAX_SIZE=10G
      - APC_SHM_SIZE=128M
      - OPCACHE_MEM_SIZE=128
      - CRON_PERIOD=15m
      - TZ=Europe/Berlin
      - DOMAIN=nc.example.com
      - ADMIN_USER=admin
      - ADMIN_PASSWORD=admin
      - DB_TYPE=mysql
      - DB_NAME=nextcloud
      - DB_USER=nextcloud
      - DB_PASSWORD=nextcloud
      - DB_HOST=nc-db
      # proxy and certificate settings; a service may have only one
      # environment key, so they live in the same list as the rest
      - VIRTUAL_HOST=nc.example.com
      - LETSENCRYPT_HOST=nc.example.com
      - LETSENCRYPT_EMAIL=email#example.com
    volumes:
      - ./nc/nc-data:/data
      - ./nc/nc-config:/config
      - ./nc/nc-apps:/apps2
      - ./nc/nc-themes:/nextcloud/themes
  nc-db:
    image: mariadb
    volumes:
      - ./nc/nc-db:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=nextcloud
      - MYSQL_PASSWORD=nextcloud
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
I put my docker files in a folder docker and, within this folder, a project-specific folder, here keycloak. Create them with:
mkdir -p ~/docker/keycloak
Create the docker-compose.yml file with your preferred editor in this folder. Start the services with:
cd ~/docker/keycloak
docker-compose up -d
Wait a moment to let the services download and start. Check if everything is running with:
docker-compose ps
If a service isn't running, issue a second docker-compose up -d and check again.
Configure Keycloak, add a new Realm
Open a browser and go to https://kc.example.com. Click on Administration Console. As specified in your docker-compose.yml, the username and password are admin.
On the top-left of the page, you need to create a new Realm. Click Add. Enter my-realm as the name. Click Save.
Click on the Keys-tab. Look at the RSA-entry. We will need to copy the Certificate of that line. Click on Certificate and copy-paste the content to a text editor for later use.
Prepare a Private Key and Certificate for Nextcloud
Open a terminal and issue:
openssl req -nodes -new -x509 -keyout private.key -out public.cert
This creates two files: private.key and public.cert which we will need later for the nextcloud service.
Configure Nextcloud
Open a browser and go to https://nc.example.com. As specified in your docker-compose.yml, the username and password are admin.
You need to activate the SSO & SAML authentication app, which is disabled by default.
Important: From here on, don't close your current browser window until the setup is tested and running. If you close the browser before everything works, you will probably not be able to change your settings in nextcloud anymore. In such a case you will need to stop the nextcloud and nextcloud-db containers, delete their respective folders, recreate them and start all over again.
Click on the top-right gear symbol and then on the + Apps sign. On the left you now see a menu bar with the entry Security. Click it. You now see all security-related apps. Click on the Activate button below the SSO & SAML authentication app.
Click on the top-right gear-symbol again and click on Admin. Click on SSO & SAML authentication.
Use the following values:
Attribute to map UID to: username
Enable "Use SAML auth for the Nextcloud desktop clients (requires user re-authentication)"
Copy the content of public.cert into the 'X.509 Certificate'-field
Copy the content of private.key into the 'Private key of Service Provider'-field.
Identifier of the IdP: https://kc.example.com/auth/realms/my-realm
URL Target of the IdP where the SP will send the Authentication Request Message: https://kc.example.com/auth/realms/my-realm/protocol/saml
URL Location of IdP where the SP will send the SLO Request: https://kc.example.com/auth/realms/my-realm/protocol/saml
Public X.509 certificate of the IdP: Copy the certificate from Keycloak from the Keys-tab of my-realm. You will need to add '-----BEGIN CERTIFICATE-----' in front of the key and '-----END CERTIFICATE-----' to the end of it.
In Service Provider Data:
Attribute, displayname: username
Attribute, email address: email
Security Settings, enable the following options:
Indicates whether the <samlp:AuthnRequest> messages sent by this SP will be signed. [Metadata of the SP will offer this info]
Indicates whether the <samlp:logoutRequest> messages sent by this SP will be signed.
Indicates whether the <samlp:logoutResponse> messages sent by this SP will be signed.
Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and <samlp:LogoutResponse> elements received by this SP to be signed.
Indicates a requirement for the <saml:Assertion> elements received by this SP to be signed. [Metadata of the SP will offer this info]
Check that there is a 'Metadata valid' beside the Download metadata XML button.
Click the Download metadata XML-Button. This generates and sends an XML file. Save it for use in the next step.
Configure Keycloak, Client
Access the Administrator Console again. Click on Clients and on the top-right click on the Create-Button.
Next to Import, click the Select File-Button. Select the XML-File you've created on the last step in Nextcloud.
Change:
Client SAML Endpoint: https://kc.example.com/auth/realms/my-realm
and click Save.
You are presented with a new screen. Change the following fields:
Name: Nextcloud
Valid Redirect URIs: https://nc.example.com/*
Click Save
On the Tab Mappers:
Click Delete-Button on the preassigned role list (if it exists)
Click Create
Name: username
Mapper Type: User Property
Property: username
SAML Attribute Name: username
SAML Attribute NameFormat: Basic
Click Save
Click Create
Name: email
Mapper Type: User Property
Property: email
SAML Attribute Name: email
SAML Attribute NameFormat: Basic
Click Save
Click Create
Name: Roles
Mapper Type: Role List
Role attribute name: Roles
Friendly Name: roles
SAML Attribute NameFormat: Basic
Single Role Attribute: On
Click Save
Configure Keycloak, Add user
On the left side, click on Users
On the top-right, click Add users
Set the following values:
Username: user
Email: user#example.com
Click Save
On the tab Credentials:
New Password: user
Password Confirmation: user
Temporary: Off
Click Reset Password
A Window pops up:
Click Change Password
Test run
Open a new browser window in incognito/private mode. E.g. for google-chrome press Ctrl-Shift-N, in Firefox press Ctrl-Shift-P. Keep the other browser window with the nextcloud setup page open. Else you might lock yourself out.
Access https://nc.example.com with the incognito/private browser window. You are presented with the keycloak username/password page. Enter user as a name and password. You should be greeted with the nextcloud welcome screen.
Acknowledgement
This guide wouldn't have been possible without the wonderful http://int128.hatenablog.com/entry/2018/01/16/194048 blog entry. I read it in English via Google Translate.
Thanks also go to RMM. His wiki entry allowed me to create correct keys for nextcloud and enable message signing, thus improving this answer.
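The security settings enabled in the answer above end up as attributes in the metadata XML that Nextcloud generates, and Keycloak takes them from that file on import. The script below is an added example (not code from the original answer, Nextcloud or Keycloak): it inspects such a file and reports when the signing flags are not set, the SP signing certificate is missing or malformed, or an endpoint does not point at nc.example.com. The embedded sample metadata and its dummy certificate are constructed, and the /apps/user_saml/saml/... paths are assumptions.

```python
"""Sanity-check the SP metadata XML that Nextcloud's "Download metadata XML"
button produces, before importing it into Keycloak.  Constructed example for
this guide; not code from Nextcloud, Keycloak or the answer's author."""
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata: dummy certificate (not a real X.509 cert) and
# assumed /apps/user_saml/ paths.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://nc.example.com/apps/user_saml/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
        <ds:X509Certificate>MIIBConstructedSampleNotARealCertAAA</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://nc.example.com/apps/user_saml/saml/sls"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://nc.example.com/apps/user_saml/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text, sp_origin="https://nc.example.com"):
    """Return a list of problems; an empty list means the file carries the
    signing settings enabled above and only points at the Nextcloud host."""
    problems = []
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["no SPSSODescriptor element in metadata"]
    # Keycloak reads these two flags from the import; they mirror the
    # "AuthnRequest ... will be signed" and "Assertion ... to be signed" boxes.
    for attr in ("AuthnRequestsSigned", "WantAssertionsSigned"):
        if sp.get(attr, "false").lower() != "true":
            problems.append(f"{attr} is not true; re-check Security Settings")
    # The signing KeyDescriptor must carry the public.cert pasted into Nextcloud.
    kd = sp.find("md:KeyDescriptor[@use='signing']", NS)
    cert = None if kd is None else kd.find(".//ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        problems.append("no signing certificate; was the X.509 Certificate field filled?")
    else:
        try:
            der = base64.b64decode("".join(cert.text.split()), validate=True)
            if not der.startswith(b"\x30"):  # a DER certificate is an ASN.1 SEQUENCE
                problems.append("signing certificate is not DER-encoded X.509")
        except ValueError:
            problems.append("signing certificate is not valid base64")
    # Keycloak will send browsers to these URLs, so they must be our own host.
    for tag in ("md:AssertionConsumerService", "md:SingleLogoutService"):
        for ep in sp.findall(tag, NS):
            loc = ep.get("Location", "")
            if not loc.startswith(sp_origin + "/"):
                problems.append(f"{tag} Location {loc!r} is not under {sp_origin}")
    if not root.get("entityID", "").startswith(sp_origin + "/"):
        problems.append("entityID does not point at the Nextcloud host")
    return problems
```

Run it against the real download with check_sp_metadata(open("metadata.xml").read()); an empty list means the file is ready for the Keycloak client import.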

Here is a slightly updated version for nextcloud 15/16:
Open a browser and go to https://kc.example.com. Click on Administration Console. As specified in your docker-compose.yml, the username and password are admin.
On the top-left of the page you need to create a new Realm. Click Add. Enter my-realm as name. Click Save.
Click on the Keys-tab. Look at the RSA-entry. We will need to copy the Certificate of that line. Click on Certificate and copy-paste the content to a text editor for later use.
Prepare a Private Key and Certificate for Nextcloud
Open a terminal and issue:
openssl req -nodes -new -x509 -keyout private.key -out public.cert
This creates two files: private.key and public.cert which we will need later for the nextcloud service.
Configure Nextcloud
Open a browser and go to https://nc.example.com. As specified in your docker-compose.yml, the username and password are admin.
You need to activate the SSO & SAML authentication app, which is disabled by default.
Important: From here on, don't close your current browser window until the setup is tested and running. If you close the browser before everything works, you will probably not be able to change your settings in nextcloud anymore. In such a case you will need to stop the nextcloud and nextcloud-db containers, delete their respective folders, recreate them and start all over again.
Click on the top-right gear symbol and then on the + Apps sign. On the left you now see a menu bar with the entry Security. Click it. You now see all security-related apps. Click on the Activate button below the SSO & SAML authentication app.
Click on the top-right gear symbol again and click on Admin. Click on SSO & SAML authentication.
Use the following values:
Attribute to map UID to: username
Enable "Use SAML auth for the Nextcloud desktop clients (requires user re-authentication)"
Copy the content of public.cert into the 'X.509 Certificate'-field
Copy the content of private.key into the 'Private key of Service Provider'-field.
Identifier of the IdP: https://kc.example.com/auth/realms/my-realm
URL Target of the IdP where the SP will send the Authentication Request Message: https://kc.example.com/auth/realms/my-realm/protocol/saml
URL Location of IdP where the SP will send the SLO Request: https://kc.example.com/auth/realms/my-realm/protocol/saml
Public X.509 certificate of the IdP: Copy the certificate from Keycloak from the Keys-tab of my-realm. You will need to add '-----BEGIN CERTIFICATE-----' in front of the key and '-----END CERTIFICATE-----' to the end of it.
In Identity Provider Data:
Attribute, displayname: username
Attribute, email address: email
Attribute, Quota: nextcloudquota
Click Download metadata XML and save the file for the next step.
Security Settings, enable the following options:
Indicates whether the <samlp:AuthnRequest> messages sent by this SP will be signed. [Metadata of the SP will offer this info]
Indicates whether the <samlp:logoutRequest> messages sent by this SP will be signed.
Indicates whether the <samlp:logoutResponse> messages sent by this SP will be signed.
Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and <samlp:LogoutResponse> elements received by this SP to be signed.
Indicates a requirement for the <saml:Assertion> elements received by this SP to be signed. [Metadata of the SP will offer this info]
Check that there is a 'Metadata valid' beside the Download metadata XML button.
Click the Download metadata XML button. This generates and sends an XML file. Save it.
Configure Keycloak, Client
Access the Administrator Console again. Click on Clients and on the top-right click on the Create button.
Next to Import, click the Select File button. Select the XML file you've created in the last step in Nextcloud.
Change:
Client SAML Endpoint: https://kc.example.com/auth/realms/my-realm
and click Save.
You are presented with a new screen. Change the following fields:
Name: Nextcloud
Valid Redirect URIs: https://nc.example.com/*
Click Save
On the Tab Mappers:
Click Delete-Button on the preassigned role list
Click Create
Name: username
Mapper Type: User Property
Property: username
SAML Attribute Name: username
SAML Attribute NameFormat: Basic
Click Save
Click Create
Name: email
Mapper Type: User Property
Property: email
SAML Attribute Name: email
SAML Attribute NameFormat: Basic
Click Save
Click Create
Name: Roles
Mapper Type: Role List
Role attribute name: Roles
Friendly Name: roles
SAML Attribute NameFormat: Basic
Single Role Attribute: On
Click Save
Click Create
Name: nextcloudquota
Mapper Type: User Property
Property: nextcloudquota
SAML Attribute Name: nextcloudquota
SAML Attribute NameFormat: Basic
Click Save
Configure Keycloak, Add user
On the left side, click on Users
On the top-right, click Add users
Set the following values:
Username: user
Email: user#example.com
Click Save
On the tab Credentials:
New Password: user
Password Confirmation: user
Temporary: Off
Click Reset Password
A Window pops up:
Click Change Password

Related

Is there a way to access kubernetes dashboard by passing token on the url?

I am able to access my kubernetes dashboard UI by accessing the below URL, providing the token and hitting the sign-in button on the login screen:
http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/#/workloads?namespace=default
Is there a way I can pass the token via the URL itself so the Dashboard UI opens in a logged-in state, so I don't need to manually paste the token and hit sign in?
I am looking for something like this (which was suggested by ChatGPT and unfortunately didn't work; this just opens the login screen again):
http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/?token=<authentication-token>
We can access the kubernetes dashboard UI in two ways:
Bearer token
KubeConfig
To answer your question: we can't log in by encoding the token in the URL. But we can use the Skip option to avoid giving the token every time we log in.
To enable the Skip button to appear in the UI we need to add the following flags in the dashboard deployment under the args section:
--enable-skip-login
--disable-settings-authorizer
After adding these flags the deployment looks something like this:
spec:
  containers:
  - name: kubernetes-dashboard
    image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
    ports:
    - containerPort: 8443
      protocol: TCP
    args:
      - --enable-skip-login
      - --disable-settings-authorizer
      - --auto-generate-certificates
      # If not specified, Dashboard will attempt to auto discover the API server and connect
      # to it. Uncomment only if the default does not work.
      # - --apiserver-host=http://my-address:port
    volumeMounts:
Now when you redeploy the dashboard you are able to see the Skip button. Skipping the login will save a lot of time when testing locally deployed clusters.
Note: This is not a suggested method in terms of security standpoint. However, if you are deploying in an isolated testing environment you can proceed with the above steps.
For more information refer to this link.

Keycloak server authentication

I'm creating a Java application where I will need users to log in. Currently I'm verifying if I can configure Keycloak safely enough. I'd like to make sure my application is really authenticating users against my Keycloak server - e.g. I know there is something like DNS poisoning or other attacks where my application could get to an attacker's server with a duplicated/attacker's Keycloak instance. What surprised me is that I currently have a configuration with the following keys:
keycloak.auth-server-url=...
keycloak.realm=...
keycloak.resource=...
keycloak.public-client=true
keycloak.security-constraints[0].authRoles[0]=..
keycloak.security-constraints[0].securityCollections[0].patterns[0]=...
keycloak.principal-attribute=preferred_username
and no public key is needed. Even worse, here: https://stackoverflow.com/a/40516696/520521 I see an upvoted comment telling that my application may download the key from the (malicious) server.
Are there any extra steps I need to follow to authenticate the Keycloak server before starting to authenticate users against it?
Based on your configuration, it seems that you've defined your client in Keycloak as public. This allows your client to call Keycloak without any authentication. This type of client is used, for example, when you're going to authenticate via JS in a web page, in which nothing can be hidden from an attacker as they have access to the source of the page.
If you set the "Access Type" of your client to "confidential" (in Client Settings on Keycloak Admin UI) and save the settings, there will appear another tab (next to "Setting" tab of the client) titled "Credentials". There you can see the default secret that is created for your client. You should then put this secret as below in your keycloak.json file inside your application:
"credentials": {
  "secret": "paste-the-secret-value-here"
}
You can also re-generate the value by selecting the "Regenerate Secret" button.
You can also change the "Client Authenticator" there and set it to "X509 Certificate". Then you would be asked to define a regular expression to validate the "Subject DN" of the certificate that the client will be using for authentication. Any certificate matching that regex would be considered valid and authenticated. Then you have to set up your client to use such a certificate instead of defining the "secret" value in the keycloak.json file.
There is of course another option which uses "Signed JWT" which is also secure and you can find the details about how to set it up in Keycloak documentation at Client Authentication section.
I can't see a word that this is the aim, but seeing where the public and private key are placed, I understand that the answer is that in Realm Settings -> Keys -> Active there is a list of keys. You may download the public key or certificate with the button on the right side. In my case of Spring Boot, enter the public key in the application.properties file under keycloak.realm-key.

Client authorization tab deleted from keycloak panel?

As I see in this link https://www.keycloak.org/docs/latest/authorization_services/#_overview,
there should be an authorization tab in the client like the below image:
but I couldn't find that in the keycloak panel, as you can see in the below image:
PS: I use this image for running keycloak on docker: image: jboss/keycloak
Because your client is public. Set: Access Type: confidential, then enable Authorization Enabled and Save. Refresh page and double check these configured values.

GitHub OAuth is not configured. Configure OAuth in the che.properties file

I am getting an error to configure the OAuth in che.properties, but I am not able to find the location of the file and the syntax to add the configuration. I am using Ubuntu 18.04.
For single-user Che, see https://www.eclipse.org/che/docs/che-7/version-control/#configuring-github-oauth_version-control.
For multi-user Che:
Go to the keycloak page (http://keycloak-che.192.168.99.170.nip.io/)
login as admin
click Identity Providers.
In the Add provider drop-down list, click GitHub. The Add identity provider window is displayed.
In the Add identity provider window:
In the Redirect URI field, depending on your Eclipse Che installation, type the Authorization callback URL.
Copy the client ID and the client secret from GitHub and paste them in the Client ID and the Client Secret fields, respectively.
In the Homepage URL and the Authorization callback URL fields, depending on your Eclipse Che installation, type the two URLs.
In the Default Scopes field, type repo, user, write:public_key.
Set Store Tokens and Stored Tokens Readable to ON.
Click Save.
The Success! The github provider has been created. message indicates success. And, the GitHub provider is added to the Identity Providers window.
Perform the following steps to set role mapping for non-administrative users.
Expand the Manage tab and then click Users.
Click the Role Mappings tab.
Click the Client Roles drop-down menu and click broker.
In the Available Roles list, click read-token.
Click Add selected.
In the Effective Roles list, click read-token.
The GitHub OAuth is now set for the user.

Create and Revoke User Certificate from Web UI in ejbca

I am new to ejbca and I have set up an ejbca environment on my local machine.
Now I want to create user certificates and I want to revoke them from the Web UI.
Is there any way to create and revoke a user certificate in ejbca from the Web UI, and how can we do it?
Thanks
Steps to create and revoke a user certificate from the Web UI in ejbca
To create a cert:
Create an End Entity on the Web Admin portal.
Go to the Public Web of EJBCA and select 'Create Certificate from CSR'.
Enter the username and password of the End Entity. Select the CSR you created using openssl or any other tool.
Click 'OK'; the cert for the user will get downloaded.
To revoke a cert,
Go to Admin Web
Select 'Search End Entity' under 'RA Functions'
Enter the username and search.
Once the user is found, see if the status is 'generated' (meaning the cert for the user is generated).
On the right side of the record, click view certificate.
In the view pop-up, you will find the revocation drop-down; select a reason and click 'Revoke'.
Hope this will help you. Cheers!