In order to have Keycloak work with Jans, there are a few resources that need to be created/instantiated during installation. Some have been done already, but this issue tracks what's left over.
1. Janssen
1.1. Create a client used only for SAML authentication.
In janssen-auth, please create a client:
- client name: kc_saml_openid
- description: Keycloak OpenID client used for SAML authentication
- authentication method: client_secret_basic. Will be changed to private_key_jwt eventually.
- response type: code, token
- Application type: web
- active: yes
Save the client id as it will be used at a later time.
1.2. Create a client used only for API access by the keycloak scheduler
In janssen-auth, please create a client:
- client name: kc_scheduler_api
- description: Keycloak scheduler OpenID client used to obtain API keys to invoke the config-api
- authentication method: client_secret_basic. Will be changed to private_key eventually.
- response type: token
- Application type: native
- Redirect uri: https://<server_url>/realms/jans/dev/null
- scopes: http://jans.io/idp/saml.write, http://jans.io/idp/saml.readonly, http://jans.io/oauth/config/saml.readonly, http://jans.io/oauth/config/saml.write, http://jans.io/oauth/config/attributes.readonly
- active: yes
1.3. Create a client used only for authentication from the master realm (optional).
This client will be used only to authenticate users in the master realm who want to access the Keycloak admin console.
In janssen-auth, please create a client:
- client name: kc_master_auth
- description: Keycloak master realm client used to authenticate administrators
- authentication method: client_secret_basic. Will be changed to private_key eventually.
- response type: code, token
- Application type: web
- Redirect uri: https://<server_url>/realms/master/kc-jans-authn-rest-bridge/auth-complete
- scopes: email, user_name, openid
- active: yes
2. Keycloak
The following commands assume that the kcadm authentication command has already been run.
2.1. Create authentication flow in the jans realm used for SAML clients
Run the following command:
/opt/keycloak/bin/kcadm.sh create authentication/flows -r jans -f jans.browser-auth-flow.json --config /opt/keycloak/conf/kcadmn-jans.config
The file jans.browser-auth-flow.json is provided with this ticket. This command creates an authentication flow called janssen login, which can be seen under Authentication in the jans realm.
A response of the following form will be returned:
Created new flow with id '62b4ea41-71cb-4bd6-be0a-41c9bc97e187'
Save/parse the id in the response.
2.2. Add execution steps to the flow created in the jans realm.
Run the following commands:
/opt/keycloak/bin/kcadm.sh create authentication/executions -r jans -f jans.execution-auth-cookie.json --config /opt/keycloak/conf/kcadmn-jans.config
/opt/keycloak/bin/kcadm.sh create authentication/executions -r jans -f ~/Projects/Gluu/kcadmin/jans.execution-auth-jans.json --config /opt/keycloak/conf/kcadmn-jans.config
Please make sure the parentFlow key in the files jans.execution-auth-cookie.json and jans.execution-auth-jans.json is replaced with the flow id obtained in 2.1.
Both commands, but most importantly the last one, will return a response of the form
Created new execution with id '62b4ea41-71cb-4bd6-be0a-41c9bc97e187'
Please note the id for the last one as it will be used in the next step.
2.3. Configure the jans auth execution step in realm jans
Run the following command:
/opt/keycloak/bin/kcadm.sh create authentication/executions/ae4a3323-390e-4707-8ef6-4d4ddd9197c0/config -r jans -f jans.execution-config-jans.json --config /opt/keycloak/conf/kcadmn-jans.config
Replace the value ae4a3323-390e-4707-8ef6-4d4ddd9197c0 in the command with the id obtained from running the second command in 2.2.
In the file jans.execution-config-jans.json, please replace the values found there as follows:
- jans.auth.server.url should contain the URL of our Janssen instance, with no suffix. Maybe in the future we can change it to point directly to the Janssen authorization URL.
- jans.auth.client.id should contain the client id of the client created in 1.1
- jans.auth.client.secret should contain the secret of the client created in 1.1
- jans.auth.issuer should contain the URL of our Janssen instance
- jans.auth.extra_scopes should be left to null for now
2.4. Create authentication flow in the master realm (optional)
Same as 2.1, but replace the realm -r jans in the command with -r master.
2.5. Add execution steps to the flow created in the master realm. (optional)
Same as in 2.2 but again, replace references to the jans realm with the master realm in the commands, and use the flow id obtained in 2.4.
2.6 Configure the jans auth execution step in realm jans (optional)
Same as in 2.3 but again, replace references to the jans realm with the master realm. Also, an important difference in the jans.execution-config-jans.json file:
- jans.auth.server.url should contain the URL of our Janssen instance, with no suffix. Maybe in the future we can change it to point directly to the Janssen authorization URL.
- jans.auth.client.id should contain the client id of the client created in 1.3
- jans.auth.client.secret should contain the secret of the client created in 1.3
- jans.auth.issuer should contain the URL of our Janssen instance
- jans.auth.extra_scopes should be left to null for now
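As an added example (not part of this issue and not the Janssen project's own tooling), the POSIX shell script below automates steps 2.1 through 2.3 for one realm, so running it a second time with the master realm covers 2.4 through 2.6. It assumes the kcadm.sh path and --config file exactly as given above, that the JSON files sit in the working directory, that kcadm.sh reports a new object with a line of the form "Created new <kind> with id '<uuid>'" (on stderr, which is why both streams are captured), and that the execution config file uses Keycloak's {"alias", "config"} authenticator-config shape; the key names inside config are the ones listed in 2.3. The function names, the alias value and the secret file paths in the usage comment are the example's own. Before an id is written into a JSON file or a URL path it must parse as a UUID, so a kcadm error message can never end up in a request, and the client secret is read from a file rather than passed on the command line.

```shell
#!/bin/sh
# Added example, not from the issue or the Janssen project: automates steps
# 2.1-2.3 for one realm; run it again with "master" for steps 2.4-2.6.
# Assumptions: kcadm.sh and its --config file are at the paths the issue gives,
# the JSON files are in the working directory, and "kcadm.sh create" reports a
# new object with a line "Created new <kind> with id '<uuid>'".
set -eu

KCADM=/opt/keycloak/bin/kcadm.sh
KCADM_CONFIG=/opt/keycloak/conf/kcadmn-jans.config

# Pull the id out of a "Created new flow with id '...'" or
# "Created new execution with id '...'" line; prints nothing for anything else.
parse_created_id() {
    printf '%s\n' "$1" | sed -n "s/^Created new [a-z]* with id '\([^']*\)'.*/\1/p" | head -n 1
}

# Only a well-formed UUID may be written into a JSON file or a URL path below;
# an error message or an empty string from kcadm is treated as a failed step.
is_uuid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# Step 2.2's manual edit: rewrite the parentFlow value of an execution JSON file in place.
set_parent_flow() {
    file=$1; id=$2
    is_uuid "$id" || { echo "set_parent_flow: refusing non-UUID id '$id'" >&2; return 1; }
    tmp=$(mktemp)
    sed 's/"parentFlow"[[:space:]]*:[[:space:]]*"[^"]*"/"parentFlow": "'"$id"'"/' "$file" > "$tmp"
    mv "$tmp" "$file"
}

# Minimal JSON string escaping (backslash and double quote) for interpolated values.
json_str() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Step 2.3's config file. The outer {"alias","config"} shape is an assumption
# (Keycloak's authenticator config representation); the keys inside "config"
# are the ones the issue lists, with the same value for server url and issuer.
render_execution_config() {   # render_execution_config <alias> <server_url> <client_id> <client_secret>
    printf '{"alias":"%s","config":{"jans.auth.server.url":"%s","jans.auth.client.id":"%s","jans.auth.client.secret":"%s","jans.auth.issuer":"%s","jans.auth.extra_scopes":null}}\n' \
        "$(json_str "$1")" "$(json_str "$2")" "$(json_str "$3")" "$(json_str "$4")" "$(json_str "$2")"
}

# kcadm prints the "Created new ..." line on stderr, so capture both streams.
kc_create() {   # kc_create <endpoint> <realm> <json-file>
    "$KCADM" create "$1" -r "$2" -f "$3" --config "$KCADM_CONFIG" 2>&1
}

provision_realm() {   # provision_realm <realm> <server_url> <client_id> <secret_file>
    realm=$1; server=$2; client_id=$3
    secret=$(cat "$4")                      # read from a file so it never appears in argv
    # 2.1 / 2.4: create the flow and keep its id
    flow_id=$(parse_created_id "$(kc_create authentication/flows "$realm" jans.browser-auth-flow.json)")
    is_uuid "$flow_id" || { echo "flow creation failed in realm $realm" >&2; return 1; }
    # 2.2 / 2.5: point both executions at the new flow, create them, keep the second id
    set_parent_flow jans.execution-auth-cookie.json "$flow_id"
    set_parent_flow jans.execution-auth-jans.json "$flow_id"
    kc_create authentication/executions "$realm" jans.execution-auth-cookie.json >/dev/null
    exec_id=$(parse_created_id "$(kc_create authentication/executions "$realm" jans.execution-auth-jans.json)")
    is_uuid "$exec_id" || { echo "execution creation failed in realm $realm" >&2; return 1; }
    # 2.3 / 2.6: write the config (owner-readable only, it holds the client secret) and attach it
    render_execution_config jans-auth-config "$server" "$client_id" "$secret" > jans.execution-config-jans.json
    chmod 600 jans.execution-config-jans.json
    kc_create "authentication/executions/$exec_id/config" "$realm" jans.execution-config-jans.json
}

# Usage (the secret file paths are placeholders):
#   ./provision.sh jans   https://jans.example.org <client id from 1.1> /run/secrets/kc_saml_openid
#   ./provision.sh master https://jans.example.org <client id from 1.3> /run/secrets/kc_master_auth
if [ "$#" -eq 4 ]; then
    provision_realm "$1" "$2" "$3" "$4"
fi
```

The two kcadm runs per realm are kept separate on purpose: the cookie execution's id is discarded, while the jans-auth execution's id is the one that receives the config, exactly as 2.2 and 2.3 describe.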
uprightech changed the title from "feat(keycloak-integration): resource provisioning on both jans-auh and keycloak at deploy time" to "feat(keycloak-integration): resource provisioning on both jans-auth and keycloak at deploy time" on May 3, 2024.
Files to use as reference:
- jans.browser-auth-flow.json
- jans.execution-auth-cookie.json
- jans.execution-auth-jans.json
- jans.execution-config-jans.json