Example of Cyclone Federation provider together with Wordpress and SSH server. For demonstration purposes
components
data/keycloak/exports
docs
.gitignore
README.md
docker-compose.yml


Cyclone Federation Provider

Components:

Keycloak in combination with MongoDB, and SimpleSamlPHP acting as a SAML bridge (the samlbridge component).

Please see the documentation for Keycloak, MongoDB, SimpleSamlPHP and Docker for more information.

Provider connection architecture

![architecture](https://raw.githubusercontent.com/cyclone-project/cyclone-federation-provider/master/docs/cyclone-diagram.png)

Configuration

Configure Keycloak and SimpleSamlPHP by editing the files in components/keycloak/config or components/samlbridge/config respectively.

The Keycloak database is persisted (by default) in data/keycloak/db. Import configuration for Keycloak by adding keycloak-export.json to data/keycloak/exports and editing docker-compose.yml so that the container picks it up.

The provided keycloak-export.json includes:

Default Users for Keycloak:

| Username | Password |
|----------|----------|
| admin    | admin    |
| owner    | owner    |
| user     | user     |
| guest    | guest    |

Default Clients for Keycloak:

| Client Id  | Redirect Uri |
|------------|--------------|
| slipstream | *            |
| portal     | *            |
| test       | *            |

These accounts and the wildcard redirect URIs are for demonstration only: a redirect URI of `*` lets the authorization code be delivered to any URI the caller supplies, so register exact redirect URIs and change the default passwords before exposing this setup beyond a local demo.

Deployment

Build and run with Docker and Docker Compose by executing docker-compose up.

By default, Keycloak listens at http://localhost:9080 and SimpleSamlPHP at http://localhost:8080/samlbridge

Authn/Authz with Keycloak

NOTE: The underlying standard is OpenID Connect, specifically the Authorization Code Flow.

  1. User tries to access a protected resource.

  2. User is redirected to: http(s)://(keycloak)/auth/realms/(realm)/protocol/openid-connect/auth?client_id=(client_id)&redirect_uri=(redirect_uri)&response_type=code

  3. User login happens with any of the methods supported by keycloak.

  4. After successful login, user is redirected to (redirect_uri) with a code: (redirect_uri)/?code=(code)

  5. Use this code to retrieve a set of JSON Web Tokens (JWT):

    POST /auth/realms/(realm)/protocol/openid-connect/token
    Content-Type: application/x-www-form-urlencoded

    grant_type: authorization_code
    code: (code)
    redirect_uri: (redirect_uri)
    client_id: (client_id)


    Response:
    {
        "access_token": (base64 encoded JWT),
        "expires_in": (time),
        "refresh_token": (base64 encoded JWT),
        "refresh_expires_in": (time),
        "token_type": "bearer",
        "id_token": (base64 encoded JWT),
        "not-before-policy": (policy),
        "session-state": (session-state)
    }
  6. Refresh the set of tokens as necessary:
    POST /auth/realms/(realm)/protocol/openid-connect/token
    Content-Type: application/x-www-form-urlencoded

    grant_type : refresh_token
    refresh_token : (refresh_token)
    redirect_uri : (redirect_uri)
    client_id : (client_id)


    Response:
    {
        "access_token": (base64 encoded JWT),
        "expires_in": (time),
        "refresh_token": (base64 encoded JWT),
        "refresh_expires_in": (time),
        "token_type": "bearer",
        "id_token": (base64 encoded JWT),
        "not-before-policy": (policy),
        "session-state": (session-state)
    }
  7. Log out by redirecting the user to: http(s)://(keycloak)/auth/realms/(realm)/tokens/logout?redirect_uri=(redirect_uri)
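The steps above seen from the relying party's side, as an added example that is not part of the cyclone-federation-provider project: it builds the step 2 redirect (adding `state` and `nonce`, which the README omits but which bind the callback and the id_token to the login attempt), extracts the code from the step 4 callback while rejecting a mismatched `state`, produces the step 5 form body exactly as listed, and validates the returned id_token's issuer, audience, expiry and nonce. The realm name `cyclone`, the callback URL, the signing key and the token response are constructed assumptions; the token is signed with HS256 so the example runs offline, whereas a Keycloak realm signs with RS256 and a real client verifies against the realm's public key.

```python
# Added example (not project code): client side of the Keycloak authorization
# code flow. Realm, callback URL, key and token data are constructed.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

KEYCLOAK = "http://localhost:9080"               # default port from the README
REALM = "cyclone"                                # assumed realm name
CLIENT_ID = "portal"                             # one of the README's default clients
REDIRECT_URI = "http://localhost:8080/callback"  # assumed application callback
ISSUER = f"{KEYCLOAK}/auth/realms/{REALM}"


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def build_auth_url(state: str, nonce: str) -> str:
    """Step 2: the redirect target. state ties the callback to this browser
    session, nonce ties the id_token to this login; both are sent on top of
    the parameters the README lists."""
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "response_type": "code", "scope": "openid",
              "state": state, "nonce": nonce}
    return f"{ISSUER}/protocol/openid-connect/auth?{urlencode(params)}"


def handle_callback(callback_url: str, expected_state: str) -> str:
    """Step 4: pull the code out of (redirect_uri)/?code=..., refusing a
    callback whose state does not match the one we issued."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not bound to our login attempt")
    if "code" not in q:
        raise ValueError("callback carries no authorization code")
    return q["code"][0]


def token_request_body(code: str) -> str:
    """Step 5: form body for POST /auth/realms/(realm)/protocol/openid-connect/token."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID})


def verify_id_token(id_token: str, key: bytes, nonce: str,
                    now: Optional[int] = None) -> dict:
    """Check signature, issuer, audience, expiry and nonce of a JWT.
    HS256 with a shared key keeps the demo offline; a Keycloak realm signs
    with RS256, so a real client verifies against the realm's public key."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":        # never let the token choose the algorithm
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")                 # aud is a string or a list of strings
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: token not from this login")
    return claims


def mint_test_id_token(key: bytes, nonce: str, now: int, lifetime: int = 300) -> str:
    """Constructed stand-in for the id_token Keycloak would return; test data only."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({
        "iss": ISSUER, "aud": CLIENT_ID, "sub": "constructed-subject",
        "preferred_username": "user", "nonce": nonce,
        "iat": now, "exp": now + lifetime}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def run_flow(callback_url: str, token_response_text: str, key: bytes,
             state: str, nonce: str, now: int) -> dict:
    """Steps 4 and 5 end to end: callback -> code -> token body -> verified claims."""
    code = handle_callback(callback_url, state)
    body = token_request_body(code)          # what the client POSTs to the token endpoint
    tokens = json.loads(token_response_text)  # shape as in the README's Response block
    if tokens.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    return verify_id_token(tokens["id_token"], key, nonce, now)
```

The `state` check is what stops an attacker from completing a login in the victim's browser with the attacker's code, and the `nonce` check stops a replayed id_token; with the demo's wildcard redirect URIs, neither of these client-side checks substitutes for registering exact redirect URIs in Keycloak.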