
Single Sign On (SSO) with Keycloak

I’ve been running SAML-based SSO using Simplesamlphp for some time now. While its PHP-based approach is very flexible (and configuration is easy compared to Java-based Shibboleth), there are still quite a few things you need to know to get started.

Keycloak is an alternative that’s not as flexible to use (as far as I’ve seen so far), but is quite straightforward to administer (as long as the provided backends match your requirements).

For me there are three things I require from a SAML identity provider (IdP):

  • Authentication against LDAP / Active Directory backend (Samba-based)
  • Option to activate Kerberos authentication
  • Option to use a federated login

All those requirements were provided by Keycloak – so it was definitely worth a try.

To achieve a quick start I used the provided docker image from Quay.io.

Shortly after my first tests (with Wildfly-based version 16.x.x) version 17.0.0 (Quarkus-based) was released. This also resulted in changes of the docker environment, so make sure to use version 17.x.x when trying to reproduce my setup.

linux # docker pull quay.io/keycloak/keycloak:latest
linux # docker run --add-host host.docker.internal:host-gateway -p 8081:8080 --env-file=/etc/default/docker-keycloak quay.io/keycloak/keycloak:latest start-dev

Most of the basic settings can be provided by an environment file (in my case located at /etc/default/docker-keycloak):

KEYCLOAK_ADMIN=admin
KEYCLOAK_ADMIN_PASSWORD=Super_Secure_Admin_Password
KC_PROXY=edge
KC_METRICS_ENABLED=true
KC_FEATURES=token-exchange
KC_DB=postgres
KC_DB_URL=jdbc:postgresql://172.17.0.1/keycloak
KC_DB_USERNAME=keycloak
KC_DB_PASSWORD=Super_Secure_PSQL_Password
KC_HOSTNAME=keycloak.mydomain.de

Make sure your database is reachable from your docker containers. By default the host machine is reachable from a docker container via IP 172.17.0.1, but this may vary with your setup.

Also mind the “start-dev” option, which enables development mode. This is not recommended for production purposes, but it makes setup much easier (especially if you’re running it behind a reverse proxy handling the SSL traffic as I do; see the environment variable KC_PROXY=edge).
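As an added example (not part of the original post), a small POSIX shell helper that checks an env file like the one above before the container is started: it verifies the required keys are set, extracts the database host from KC_DB_URL so you can probe it from the container side, warns when KC_PROXY=edge is used without KC_HOSTNAME, and prints the matching docker run line for either start-dev or production start. The helper names, the pinned image tag and the env-file path are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own code: sanity-check a Keycloak 17.x env file
# (e.g. /etc/default/docker-keycloak) and build the matching "docker run" line.
# Helper names, the 17.0.0 image tag and the file path are assumptions.

# Keys the setup above relies on; KC_PROXY/KC_HOSTNAME are checked separately.
REQUIRED_KEYS="KEYCLOAK_ADMIN KEYCLOAK_ADMIN_PASSWORD KC_DB KC_DB_URL KC_DB_USERNAME KC_DB_PASSWORD"

# Print the value of key $2 from env file $1 (empty output if the key is absent).
env_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Extract the host part of a JDBC URL such as jdbc:postgresql://172.17.0.1/keycloak,
# so it can be probed from the container side (e.g. nc -z HOST 5432) before starting.
db_host() {
    env_value "$1" KC_DB_URL | sed -n 's#^jdbc:[a-z]*://\([^:/]*\).*#\1#p'
}

# Return 0 if the env file is complete, 1 otherwise; each problem goes to stderr.
# Behind a TLS-terminating proxy (KC_PROXY=edge) KC_HOSTNAME should be set too,
# so Keycloak advertises the public hostname rather than the container's own.
check_keycloak_env() {
    rc=0
    for key in $REQUIRED_KEYS; do
        [ -n "$(env_value "$1" "$key")" ] || { echo "missing or empty: $key" >&2; rc=1; }
    done
    if [ "$(env_value "$1" KC_PROXY)" = "edge" ] && [ -z "$(env_value "$1" KC_HOSTNAME)" ]; then
        echo "KC_PROXY=edge set but KC_HOSTNAME missing" >&2; rc=1
    fi
    return $rc
}

# Print the docker run line for env file $1; $2 selects "dev" (start-dev, as in
# the post) or "prod" (plain start, which enforces the hostname/proxy settings).
keycloak_run_cmd() {
    if [ "${2:-dev}" = "dev" ]; then sub="start-dev"; else sub="start"; fi
    printf 'docker run --add-host host.docker.internal:host-gateway -p 8081:8080 --env-file=%s quay.io/keycloak/keycloak:17.0.0 %s\n' "$1" "$sub"
}
```

Run `check_keycloak_env /etc/default/docker-keycloak && eval "$(keycloak_run_cmd /etc/default/docker-keycloak)"` to start the container only when the file passes the checks.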

Stay tuned for more …