Demonstrate:
- Standing up an Identity Provider (IDP)(user login provider)
- Import users from an LDAP instance via User Federation
- Connect a SAML Service Provider to support user authentication
- (hopefully) Use SAML auth to create OAuth JWT token
Some docs to help understand SAML and OAuth:
- Standup Identity Provider (Complete)
- Connect to IDP with 'Service Provider' for SSO (Complete)
- Identity Provider provides OAuth token (Complete)
- Hook up Reverse-Proxy to handle API token validation (using 'forward-auth')
Future:
This repo will use an LDAP instance which contains a pre-populated set of 'people'.
LDAP things:
dc=planetexpress,dc=com
ou=people,dc=planetexpress,dc=com
cn=Hubert J. Farnsworth,ou=people,dc=planetexpress,dc=com
Using KeyCloak as the Idenity Provider https://github.com/jboss-dockerfiles/keycloak
Configuring the Image: https://github.com/jboss-dockerfiles/keycloak/blob/master/server/README.md
First:
docker-compose up
Wait for the services to spin up. This may take a minute.
Go to http://localhost:8080
Then:
- Open KeyCloak Admin console
- Go to "User Federation"
- "Add Provider" > "ldap"
- Add configuration details
- Vendor: "Other"
- Connection Url: "LDAP://ldap"
- Users DN: "ou=people,dc=planetexpress,dc=com"
- Bind DN: "cn=admin,dc=planetexpress,dc=com"
- Bind Credential: "GoodNewsEveryone"
- Test the "Connection URL"
- Test the Authentication
- Save
- "Syncronize all users"
- Go to "Manage" > "Users" on the left panel > Click "View all users"
You should see the users that have been added! Success!
Incomplete:
This configuration needs to be improved, it may not be completely correct.
-
Go to Configure > Clients
-
Select "Create"
- "Client ID": "demo"
- "Client Protocol": "saml"
- "Client SAML Endpoint": "http://localhost:3000/"
-
"Save"
-
Update properties:
- "IDP Initiated SSO URL Name": "demo"
- "Sign Assertion" true
- "Encrypt Assertions: false - This needs to be off for now
-
Update "Fine Grain SAML Endpoint Configuration" properties
- "Assertion Consumer Service POST Binding URL": "http://localhost:3000/assert"
- "Logout Service POST Binding URL": "http://localhost:3000/logout"
-
Save
-
Once created, go into "SAML Keys" tab
-
Copy the certificate key to
service-provider/cert-file.crt
and the private key toservice-provider/key-file.pem
-
Then go to
Configure > Realm Settings > Keys > RSA256 > Certificate
and copy the cert toservice-provider/cert-file-idp.crt
- Go to Configure > Clients
- Select "Create"
- Client Id = "demo-oauth"
- Client Protocol = "openid-connect"
- Root Url: "http://localhost:8080/auth"
- Save
- "Valid Redirect URIs" : http://localhost:3001/
To look at: