Guidance needed for setting up PHPIPAM with Keycloak for SAML2 Authentication #3860
Comments
I'm running a newer version of Keycloak, so your mileage might vary, but this is how I did it. When creating a client, just give it a name and an ID. IDP issuer is: Then on Keycloak go to Realm settings and click on SAML 2.0 Identity Provider Metadata. It will open an XML file. There you will find the IDP X.509 public cert of your Keycloak instance under Enable Sign Authn requests. Now, you will need to generate a key for phpipam. The easiest way is from Keycloak, go to Clients > select your client > Keys (tab) and hit Regenerate: the key in the text field is the Authn X.509 signing cert, the file Keycloak prompts you to download is the Authn X.509 signing cert key. Copy both to phpipam. Finally, from your client settings tab in Keycloak add You should be good to go. I'm using HTTPS because I have certificates, but they may not be necessary.
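To make the "IDP X.509 public cert" step above concrete, here is an added Python example (not phpipam or Keycloak code) that pulls the IdP issuer, the HTTP-POST SSO endpoint and the signing certificate out of Keycloak's SAML 2.0 Identity Provider Metadata XML and wraps the certificate as PEM; the realm URL and certificate body below are constructed placeholders.

```python
"""Extract what phpipam's SAML2 auth source asks for from Keycloak's
"SAML 2.0 Identity Provider Metadata" XML. Added example, not phpipam or
Keycloak code; the realm URL and certificate body are constructed dummies."""
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed base64 body (not a real certificate), 76 chars so PEM wrapping is visible.
FAKE_CERT_B64 = "MIICONSTRUCTEDFAKECERTBODY" + "A" * 50

# Constructed sample in the shape Keycloak serves (EntitiesDescriptor wrapper,
# signing KeyDescriptor, one SingleSignOnService per binding).
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}">
  <md:EntityDescriptor entityID="https://keycloak.example.org/realms/phpipam">
    <md:IDPSSODescriptor WantAuthnRequestsSigned="true">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          {FAKE_CERT_B64}
        </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://keycloak.example.org/realms/phpipam/protocol/saml"/>
      <md:SingleSignOnService Binding="{HTTP_POST}"
          Location="https://keycloak.example.org/realms/phpipam/protocol/saml"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return IdP issuer, SSO URL and signing cert as PEM for the phpipam form.

    The cert is the KeyDescriptor use="signing" entry, i.e. the key Keycloak
    signs assertions with, not the HTTPS (e.g. Let's Encrypt) certificate of
    the Keycloak host."""
    root = ET.fromstring(xml_text)
    entity = root if root.tag.endswith("}EntityDescriptor") else root.find("md:EntityDescriptor", NS)
    idp = entity.find("md:IDPSSODescriptor", NS)
    cert_el = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    b64 = "".join(cert_el.text.split())  # drop the whitespace/newlines around the base64
    pem = "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64)) + "\n-----END CERTIFICATE-----\n"
    sso = next(s.get("Location") for s in idp.findall("md:SingleSignOnService", NS) if s.get("Binding") == HTTP_POST)
    return {
        "idp_issuer": entity.get("entityID"),
        "idp_sso_url": sso,
        "idp_signing_cert_pem": pem,
        "wants_signed_authn_requests": idp.get("WantAuthnRequestsSigned") == "true",
    }


if __name__ == "__main__":
    for key, value in parse_idp_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Paste `idp_signing_cert_pem` into phpipam's IdP public cert field; on a real realm, replace SAMPLE_METADATA with the XML downloaded from Realm settings.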
Hi! Thanks @SamuelePilleri for your advice! It really helped me move forwards! I had two other tweaks I had to make, one was where I had to add a role mapper from Keycloak, and I also had to disable JIT, as I couldn't figure out how to get keycloak to send the display name. Any hints on this element? You were right, by the way, Samuele - the version of keycloak is pretty old - I've just not got around to upgrading that yet!!
Attributes such as display name should be a claim in IdM jargon. The doc states the IdP (i.e. Keycloak) should send a Hope this helps, let us know if you manage to get it working! 💪
Thanks to everyone involved in PHPIPAM and in particular @SamuelePilleri. I wrote this up in a blog post. I hope it's useful! My post: IP Address Management using PHPIPAM integrated with Keycloak for SAML2 Authentication
Here's one way to deliver modules!
I have a Keycloak server and a recently installed phpipam server. I would like to use the Keycloak server to provide SSO to PHPIPAM. I've tried several routes to get it working, and none of them have, so far! Could someone help out with what, if anything, I'm doing wrong? :)
In Keycloak I created a new client like this:
So, is this the right endpoint address: https://<SOME.PHPIPAM.SERVER>/saml2/ ? If I don't specify the client ID as urn:<somekey>:<somekey> it doesn't render in the list of SSO options later. I've noticed other screenshots (in particular, the one from @GaryAllan in a response in issue 3013) show https://phpipam.*******.com so I'm not sure if this is a quirk of my keycloak or if there's something else wacky going on! Clicking save on that takes me to this page:
I've set the Valid Redirect URLs to https://phpipam.example.org/* and I've made a note of the SAML signing keys (certificate and key) from the SAML keys tab. Having done all that, I then went into PHPIPAM, and created a new authentication source;
I set the client ID to the same as I created in Keycloak (urn:phpipam:phpipam), and am aware of the SAML signing keys, however I've guessed at the IDP provider fields and am not at all clear on where to get the IDP public cert, especially as it's been signed by LetsEncrypt - so do we need to get this? The key I would have used is wrapped in -----BEGIN/END CERTIFICATE----- but that doesn't feel right! I do have pretty url mode switched on, so we can do strict mode #3859
I'm sorry if it feels like I'm asking for a lot here, but I'm just completely stumped on these values, and the previous tools I've used to create Keycloak's SAML connections have all had a file provided (e.g. https://signin.aws.amazon.com/static/saml-metadata.xml) that naturally makes life a lot easier!