Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

External Authentication with SAML #139

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

External Authentication with SAML #139

wants to merge 6 commits into from

Conversation

napat1412
Copy link

I upgrade keyrock to support Single Sign On. User can sign-in by using idp with SAML. When admin enable external_user_sso (this feature), user can sign-in with with SAML to setup local password in SQL database. After that user has 2 way to sign-in. (1 sign-in with local password 2 sign-in with SAML).

I use keycloak as idp, and setup 2 mappers for SAML client.

Name: username, Type: User Property, Property: username
Name: email, Type: User Property, Property: email
I appreciate if you merge this code or rewrite it to keyrock because i really need this feature (external user can sign-in with SAML or open-id-conect).

External Authentication with SAML

You can also configure the Identity Manager to authenticate users through an
external user in identity provider(idp).

When using this option, after the user correclty authenticates using his/her
remote credentials, a local copy of the user is created. For authenticating the
user externally Keyrock needs to read a set of user attributes from the SAML profile.
These SAML profile are:

  • username: the display name of the user.

  • email: the email address is the value used for authenticating the user.

For keycloak configuration(v4.8.3 Final), you create SAML client, and config

  • Valid Redirect URIs to keyrock server.
  • Assertion Consumer Service POST Binding URL to keyrock server.
  • IDP Initiated SSO URL Name to create SAML entry point (URL).
    then config mapper in keycloak for SAML profile.

An example of this configuration is:

config.external_user_sso = {
    enabled:     true,
    entry_point: 'https://{{keycloak-server}}/auth/realms/smartcity/protocol/saml/clients/keyrock'),
    issuer:      'keyrock')
}

An example of keycloak configuration is:

client configuration

-   Valid Redirect URIs: https://{{keyrock-server}}:3005.
-   Assertion Consumer Service POST Binding URL: https://{{keyrock-server}}:3005.
-   IDP Initiated SSO URL Name: keyrock. 
    (You will got Target IDP initiated SSO URL: https://{{keyrock-server}}/auth/realms/smartcity/protocol/saml/clients/keyrock)

mapper configuration

-   username: the display name of the user.
    (For Keycloak Mapper, Name: username, Type: User Property, Property: username)
    
-   email: the email address is the value used for authenticating the user.
    (For Keycloak Mapper, Name: email, Type: User Property, Property: email)

@napat1412 napat1412 mentioned this pull request Feb 26, 2020
Closed
@napat1412
Copy link
Author

@aalonsog @apozohue10 I appreciate if you merge this code or rewrite it to keyrock because i really need this feature (external user can sign-in with SAML or open-id-conect).

@apozohue10
Copy link
Contributor

Hi, i will analyze as Keyrock actually is an SSO itself and it also allows usersto log in from other services by using the external database authentication functionality

@napat1412
Copy link
Author

napat1412 commented Apr 22, 2020
edited
Loading

Hi, i will analyze as Keyrock actually is an SSO itself and it also allows usersto log in from other services by using the external database authentication functionality

If user have more choice for external login such as SSO with SAML.
It's better for Keyrock. isn't it?
1587531015490

In my case, i try to use external database for login to Keyrock. It use same password (single password). But it's not Single Sign-On. I must create new database user for allow Keyrock to access database. I think the external database authentication functionality is not fit enough for Keyrock.

Please rewrite my code and merge to your project.

@apozohue10
Copy link
Contributor

Hi again @napat1412,

sorry for the delay in answering and thanks for your contribution. I have been reviewing your PR and I think it would be interesting to integrate this functionality in Keyrock. However, I think that It should be each application which should decide to enable or not the SSO authentication with SAML. I mean, the SSO you have proposed is for sign in directly on Keyrock instead of the application. So, the SSO button should be moved to the OAuth view and there should be some kind form to enable this SSO when registering the application.

You have an example of what i mean in the documentation. We developed years ago a SAML authentication with eIDAS. You can enable this kind of authentication when registering an application. So, when the application redirects to Keyrock using OAuth2.0 in order to perform the authentication, the user could authenticate through eIDAS or Keyrock itself.

@apozohue10
Copy link
Contributor

Pending to merge in the future. Could you firm the CLA?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@napat1412 @apozohue10