Update Create Keyloak Server, authored by Yi Sun

Keycloak server is the identity broker used for BAND.

The server is an Ubuntu machine. You may need a public IP and a proper domain name for your own Keycloak server.

You will need a server ready with a proper DNS name for the public-facing portal before configuring Keycloak.

**Installation**

1. Install the Docker engine on the machine: [https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-18-04](https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-18-04)
2. Install nginx

```text
apt-get update -y && apt-get install -y nginx
```

3\. Get a DNS name from https://docs.egi.eu/users/compute/cloud-compute/dynamic-dns/

4\. Obtain SSL certificates from Letsencrypt or https://certbot.eff.org

5\. Create a directory for the SSL certificates

```text
mkdir /etc/nginx/certificates
```

6\. Make sure the hostname matches the DNS name

7\. Install the following packages:

```text
apt-get install apt-transport-https ca-certificates curl software-properties-common
```

8\. Pull the Keycloak container. Note that the Keycloak version currently used is 4.5.0.Final, which is pretty old and due for an upgrade. A more recent version would be better, but that is future work.

```text
docker pull registry.git.embl.de/grp-cbbcs/band-artifacts/band-keycloak:2911
```

9\. Configure nginx. Remove `default` from /etc/nginx/sites-enabled, add a file `ssl` with the content below to /etc/nginx/sites-available and enable it. CERTIFICATE and SERVER KEY are placeholders for the certificate chain and private key obtained in step 4.

```text
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name auth.cbbcs.embl.de;
    root /usr/share/nginx/html;

    ssl_certificate "CERTIFICATE";
    ssl_certificate_key "SERVER KEY";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
```
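As an added check (not part of the wiki page), the script below parses the server block above and reports whether the headers Keycloak relies on when it runs with PROXY_ADDRESS_FORWARDING=true are set in `location /`, whether `ssl_protocols` is pinned, and whether the CERTIFICATE / SERVER KEY placeholders were replaced. The tokenizer is a minimal one written for this example, and PAGE_CONFIG is a trimmed copy of the page's block.

```python
import re

# The page's server block, trimmed to what this check reads (placeholders kept).
PAGE_CONFIG = """
server {
    listen 443 ssl http2 default_server;
    ssl_certificate "CERTIFICATE";
    ssl_certificate_key "SERVER KEY";
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
"""

def parse(text):
    """Minimal nginx tokenizer: returns (block_path, directive, args) tuples."""
    text = re.sub(r'#[^\n]*', '', text)  # drop comments
    out, stack, cur = [], [], []
    for tok in re.findall(r'"[^"]*"|[;{}]|[^\s;{}]+', text):
        if tok == '{':
            stack.append(' '.join(cur)); cur = []
        elif tok == '}':
            stack.pop()
        elif tok == ';':
            out.append((tuple(stack), cur[0], [a.strip('"') for a in cur[1:]])); cur = []
        else:
            cur.append(tok)
    return out

def lint(text):
    """Return findings; an empty list means the config passes these checks."""
    d, findings = parse(text), []
    hdrs = {a[0] for p, n, a in d
            if n == 'proxy_set_header' and p and p[-1] == 'location /'}
    for h in ('Host', 'X-Forwarded-For', 'X-Forwarded-Proto'):
        if h not in hdrs:
            findings.append(f'location /: proxy_set_header {h} missing')
    protos = [a for p, n, a in d if n == 'ssl_protocols']
    if not protos:
        findings.append('ssl_protocols not set; the nginx default may still allow TLSv1/TLSv1.1')
    elif {'TLSv1', 'TLSv1.1'} & set(protos[0]):
        findings.append('ssl_protocols still enables TLSv1/TLSv1.1')
    for p, n, a in d:
        if n in ('ssl_certificate', 'ssl_certificate_key') and not a[0].startswith('/'):
            findings.append(f'{n} still has placeholder {a[0]!r}')
    return findings
```

Run `lint(open('/etc/nginx/sites-available/ssl').read())` on the real file after editing it; a missing X-Forwarded-Proto makes Keycloak build http:// redirect URLs behind the TLS terminator.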
**Configuration**

1. Start Keycloak with the command below; change PASSWORD for the admin user and the Keycloak image version.

```text
docker run --name=keycloak -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=PASSWORD -e DB_VENDOR=H2 -e PROXY_ADDRESS_FORWARDING=true -e ROOT_LOGLEVEL=ALL -e b=0.0.0.0 quay.io/keycloak/keycloak:13.0.0 &
```

2\. Log into the container

```text
docker exec -it --user root keycloak bash
```

3\. Add the LDAP certificate to the keystore (LDAP certificates are self-signed certificates generated on the LDAP server).

```text
keytool -import -trustcacerts -alias ldap -file LDAP_CERT -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.181-3.b13.el7_5.x86_64/jre/lib/security/cacerts
```

4\. Log out of the container and restart it

```text
docker restart keycloak
```

5\. Configure Google as identity provider via the admin interface.

* redirect URI: [https://YOUR_KEYCLOAK_SERVER/auth/realms/master/broker/google/endpoint](https://YOUR_KEYCLOAK_SERVER/auth/realms/master/broker/google/endpoint)
* google client id: YOUR_GOOGLE_CLIENT_ID
* client secret: YOUR_GOOGLE_CLIENT_SECRET
* in the Google developer console, enable the Google+ API
* on the Keycloak Identity Provider interface
  * change to "ON" for Enabled, Store Tokens, Trust Email
  * Alias: google
  * Display Name: Google
  * First Login Flow: EOSC First Broker Login
  * Authorization URL: [https://accounts.google.com/o/oauth2/v2/auth](https://accounts.google.com/o/oauth2/v2/auth)
  * Token URL: [https://oauth2.googleapis.com/token](https://oauth2.googleapis.com/token)
  * Default Scopes: openid email profile
  * Permission tab: enabled

6\. Configure LSAAI as identity provider via the admin interface (register your service with LSAAI beforehand)

* client id: REFER TO PASSWORD FILE
* client secret: REFER TO PASSWORD FILE
* on the Keycloak Identity Provider interface
  * change to "ON" for Enabled, Store Tokens, Trust Email
  * Alias: lsaai
  * Display Name: LS AAI
  * First Login Flow: EOSC First Broker Login
  * Authorization URL: https://proxy.aai.lifescience-ri.eu/saml2sp/OIDC/authorization
  * Token URL: [https://proxy.aai.lifescience-ri.eu/OIDC/token](https://proxy.aai.lifescience-ri.eu/OIDC/token)
  * User Info URL: https://proxy.aai.lifescience-ri.eu/OIDC/userinfo
  * Default Scopes: openid email profile
  * Permission tab: enabled

7\. Create your own Keycloak login flow extension, compile it as a jar file and copy keycloak-flow-extension.jar to /opt/jboss/keycloak/standalone/deployments inside the Keycloak container.

This article will help with creating Keycloak extensions: https://andrebiegel.github.io/projects/2021/08/28/keycloak-extensions.html

8\. Create your own login theme and copy it into the Keycloak container (https://www.keycloak.org/docs/latest/server_development/)

9\. Restart the Keycloak container

10\. Log into the Keycloak container and check /etc/hosts; it should contain the correct LDAP server IP.
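An added review helper, not from the page: it reads a `docker run` line like the one in step 1 and flags the combination worth fixing before go-live, PROXY_ADDRESS_FORWARDING=true together with a port published on every host interface (Docker binds `-p 8080:8080` to 0.0.0.0, so the container answers without passing through the nginx TLS terminator that sets the X-Forwarded-* headers it trusts), plus the dev-only DB_VENDOR=H2, the PASSWORD placeholder and ROOT_LOGLEVEL=ALL. PAGE_CMD is a copy of the page's command without the trailing `&`.

```python
import shlex

# The start command from the page (copied as a string; the trailing '&' left off).
PAGE_CMD = ("docker run --name=keycloak -p 8080:8080 -e KEYCLOAK_USER=admin "
            "-e KEYCLOAK_PASSWORD=PASSWORD -e DB_VENDOR=H2 "
            "-e PROXY_ADDRESS_FORWARDING=true -e ROOT_LOGLEVEL=ALL -e b=0.0.0.0 "
            "quay.io/keycloak/keycloak:13.0.0")

def parse_run(cmd):
    """Collect the -p/--publish specs and -e/--env pairs of a docker run line."""
    argv, ports, env, i = shlex.split(cmd), [], {}, 0
    while i < len(argv):
        if argv[i] in ('-p', '--publish'):
            ports.append(argv[i + 1]); i += 2
        elif argv[i] in ('-e', '--env'):
            k, _, v = argv[i + 1].partition('='); env[k] = v; i += 2
        else:
            i += 1
    return ports, env

def on_all_interfaces(spec):
    """True when Docker would bind the host port on 0.0.0.0 (no IP, or a wildcard IP)."""
    parts = spec.rsplit(':', 2)      # '[::1]:8080:8080' keeps the bracketed IPv6 whole
    if len(parts) < 3:
        return True                  # 'host:ctr' or 'ctr' alone: Docker defaults to 0.0.0.0
    return parts[0].strip('[]') in ('', '0.0.0.0', '::')

def review(cmd):
    """Findings for the start command; an empty list means nothing to change."""
    ports, env = parse_run(cmd)
    findings = []
    if env.get('PROXY_ADDRESS_FORWARDING') == 'true':
        for p in ports:
            if on_all_interfaces(p):
                findings.append(f'-p {p}: Keycloak trusts X-Forwarded-* on this port, but it is '
                                'reachable without passing nginx; use -p 127.0.0.1:8080:8080')
    if env.get('KEYCLOAK_PASSWORD') in (None, '', 'PASSWORD'):
        findings.append('KEYCLOAK_PASSWORD is unset or still the PASSWORD placeholder')
    if env.get('DB_VENDOR', '').upper() == 'H2':
        findings.append('DB_VENDOR=H2 is the embedded dev database; realm data lives only inside the container')
    if env.get('ROOT_LOGLEVEL') == 'ALL':
        findings.append('ROOT_LOGLEVEL=ALL traces everything; lower it once the setup works')
    return findings
```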
**Configuration via Keycloak admin interface**

[Refer to the Keycloak documentation](https://www.keycloak.org/docs/latest/server_admin/)

The steps below are the examples used in BAND; if your client names are different, change accordingly.

1. Create the realm
   1. Endpoints: OpenID Endpoint Configuration
   2. Login tab: all OFF
   3. Themes: name_of_your_theme
2. Create the following clients.
   1. eosc-client
      1. Set to ON for "Enabled, Standard Flow Enabled, Direct Access Grants Enabled", leave the rest OFF
      2. Valid redirect URIs:
         1. https://band.embl.de/*
         2. https://band.embl.de/eosc/*
         3. https://band.embl.de/eosc/api/linked
      3. Create Token Mappers
         * email -> User Property, Token claim: email, Property: email
         * username -> User Property, Token claim: preferred_username, Property: username
         * openid -> Realm Property, Token claim: openid, Realm role prefix: openid
         * family name -> User Property, Token claim: family_name, Property: lastName
         * full name -> User's full name
         * given name -> User Property, Token claim: given_name, Property: firstName
   2. resource
      1. Set to ON for "Enabled, Standard Flow Enabled, Direct Access Grants Enabled, Service Accounts Enabled, Authorization Enabled", leave the rest OFF
      2. Valid redirect URIs:
         1. https://band.embl.de/*
         2. https://band.embl.de/kc/api/*
         3. https://band.embl.de/resource
      3. Create Token Mappers (same as eosc-client)
      4. Service account roles (the eosc and user roles are created via the Roles page):
         1. eosc
         2. user
         3. offline_access
         4. uma_authorization
      5. Scope: full scope allowed
3. User Federation:
   1. These are the settings to connect to the LDAP server
      1. Username LDAP attribute: uid
      2. RDN: cn
      3. UUID: uid
      4. User object classes: inetOrgPerson, organizationalPerson
      5. User DN: ou=users,dc=eosc-life,dc=eu (change to your own LDAP)
      6. Connection URL: YOUR_LDAP_SERVER_ADDRESS
      7. Authentication: simple
      8. Bind DN: cn=admin,dc=eosc-life,dc=eu (change to your own admin DN)
      9. Bind credential: YOUR_LDAP_BIND_PASSWORD
      10. Custom user LDAP filter: (objectClass=posixAccount)
      11. Search scope: subtree
      12. Use truststore SPI: only for ldaps
      13. Connection pooling: on
      14. Pagination: on
   2. Create Mappers
      1. gid -> group-ldap-mapper
         1. Group DN: ou=groups,dc=eosc-life,dc=eu
         2. Group name attribute: cn
         3. Group object classes: posixGroup
         4. Membership attribute: memberUid
         5. Membership attribute type: UID
         6. Member user attribute: uid
         7. LDAP filter: (objectClass=posixGroup)
         8. MemberOf LDAP attribute: memberOf
         9. Mode: read_only
         10. Retrieve strategy: load_groups_by_member_attribute
      2. modify date ->
         1. User model attribute: modifyTimestamp
         2. LDAP attribute: modifyTimestamp
         3. Read only: on
      3. email ->
         1. User model attribute: email
         2. LDAP attribute: mail
         3. Read only: on
      4. username ->
         1. User model attribute: username
         2. LDAP attribute: uid
         3. Read only: on
         4. Mandatory: on
      5. last name ->
         1. User model attribute: lastName
         2. LDAP attribute: sn
         3. Read only: on
         4. Mandatory: on
      6. creation date ->
         1. User model attribute: createTimestamp
         2. LDAP attribute: createTimestamp
         3. Read only: on
      7. full name ->
         1. Full name attribute: cn
         2. Read only: on
      8. givenName ->
         1. Model attribute: firstName
         2. LDAP attribute: givenName
         3. Read only: on
         4. Mandatory: on
4. Authentication
   1. Select EOSC First Broker Login from the dropdown (if you named your extension differently, select accordingly)
   2. Create EOSC User If Unique: alternative
   3. Link IDP Login: alternative
   4. Bindings: browser, registration, direct grant, reset credentials, clients
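Added example, not part of the page: a simplified model of how Keycloak matches a `redirect_uri` against the Valid Redirect URIs configured for the two clients above (assumption: a trailing `*` is a prefix match, every other entry must match exactly), together with a lint for entries that would admit another origin and a list of entries the `https://band.embl.de/*` wildcard already covers.

```python
from urllib.parse import urlsplit

# Valid redirect URIs of the two clients as listed on the page.
CLIENTS = {
    'eosc-client': ['https://band.embl.de/*', 'https://band.embl.de/eosc/*',
                    'https://band.embl.de/eosc/api/linked'],
    'resource': ['https://band.embl.de/*', 'https://band.embl.de/kc/api/*',
                 'https://band.embl.de/resource'],
}

def matches(pattern, redirect_uri):
    """Simplified model of Keycloak's rule (assumption, see lead-in): a trailing
    '*' makes the entry a prefix match, any other entry must match exactly."""
    if pattern.endswith('*'):
        return redirect_uri.startswith(pattern[:-1])
    return redirect_uri == pattern

def allowed(client, redirect_uri):
    """Would the named client accept this redirect_uri?"""
    return any(matches(p, redirect_uri) for p in CLIENTS[client])

def lint_patterns(patterns):
    """Flag entries whose prefix matching would let another origin through."""
    findings = []
    for p in patterns:
        u = urlsplit(p)
        if u.scheme != 'https':
            findings.append(f'{p}: not an https URI (or a bare wildcard)')
        elif p.endswith('*') and not u.path:
            # 'https://host*' is a prefix of 'https://host.other.example/' as well
            findings.append(f'{p}: wildcard right after the host; use {p[:-1]}/*')
        elif '*' in p[:-1]:
            findings.append(f'{p}: a wildcard is only honoured at the end')
    return findings

def redundant(patterns):
    """Entries already covered by a broader wildcard entry in the same list;
    harmless, but they hide how wide the wildcard really is."""
    return [q for q in patterns
            if any(p != q and p.endswith('*') and matches(p, q.rstrip('*'))
                   for p in patterns)]
```

For eosc-client, `redundant()` reports both narrower entries, which shows that the effective policy is "any path on band.embl.de"; tighten the first entry if the application only needs `/eosc/`.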