├── .editorconfig
├── CHANGELOG.md
├── CONTRIBUTING.md
├── LICENSE
├── README.md
├── assets
    └── keycloak-sso-configs.png
├── example.ldif
├── flectra
    ├── README.md
    └── client.json
├── gitlab
    └── README.md
├── nextcloud
    ├── README.md
    ├── client.json
    └── nextcloud-settings.png
└── rancher2
    ├── README.md
    └── client.json


/.editorconfig:
--------------------------------------------------------------------------------
 1 | root = true
 2 | 
 3 | [*]
 4 | end_of_line = lf
 5 | indent_size = 2
 6 | indent_style = space
 7 | insert_final_newline = true
 8 | trim_trailing_whitespace = true
 9 | 
10 | [*.{html,css,less,sass,scss}]
11 | charset = utf-8
12 | 
13 | [*.{js,jsx,json}]
14 | charset = utf-8
15 | 
16 | [*.md]
17 | charset = utf-8
18 | trim_trailing_whitespace = false
19 | 
20 | [{m,M}akefile]
21 | charset = utf-8
22 | indent_style = tab
23 | 


--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
 1 | # Changelog
 2 | 
 3 | All notable changes to this project will be documented in this file.
 4 | 
 5 | The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 6 | and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 7 | 
 8 | ## [0.0.1] - 2019-10-21
 9 | ### Added
10 | - Initial release
11 | 


--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
 1 | # Contributing
 2 | 
 3 | We accept contributions of every kind: documentation, code, artwork. Any help is greatly
 4 | appreciated. This document contains everything needed to get started with your first contribution.
 5 | 
 6 | 
 7 | ## Contributing Code
 8 | 
 9 | We keep the source code on [GitHub](https://www.github.com) and take contributions through
10 | [GitHub pull requests](https://help.github.com/articles/using-pull-requests).
11 | 
12 | For smaller patches and bug fixes just go ahead and either report an issue or submit a pull
13 | request.
14 | 
15 | It is usually a good idea to discuss major changes with the developers, this will help us
16 | determine whether the contribution would be a good fit for the project and if it is likely to be
17 | accepted. There's nothing worse than seeing your hard work being rejected because it falls outside
18 | of the scope of the project.
19 | 
20 | Make sure your editor respects the [EditorConfig](http://editorconfig.org) configuration file we
21 | put at the root of the repository.
22 | 
23 | We follow [GitHub Flow](http://scottchacon.com/2011/08/31/github-flow.html) as our git workflow of
24 | choice which boils down to:
25 | 
26 | * The `master` branch is always stable and deployable.
27 | * To work on something new, branch off `master` and give the new branch a descriptive name (e.g.:
28 |   `sort-packages-by-name`, `issue-32`, etc).
29 | * Regularly __rebase__ that branch against `master` and push your work to a branch with the same
30 |   name on the server.
31 | * When you need feedback, help or think you are ready,
32 |   [submit a pull request](https://help.github.com/articles/using-pull-requests).
33 | * Once the branch has been merged (or rebased) into `master`, delete it from both your local and
34 |   remote repository.
35 | 
36 | We invite you to follow
37 | [these guidelines](http://who-t.blogspot.de/2009/12/on-commit-messages.html) to write useful
38 | commit messages.
39 | 
40 | Additionally, you don't need to add entries to the [CHANGELOG.md](CHANGELOG.md) file, this is our
41 | responsibility.
42 | 
43 | 
44 | ## Reading List
45 | 
46 | * [GitHub Flow](http://scottchacon.com/2011/08/31/github-flow.html)
47 | * [Keep a Changelog](http://keepachangelog.com/)
48 | * [On Commit Messages](http://who-t.blogspot.de/2009/12/on-commit-messages.html)
49 | * [Semantic Versioning](http://semver.org/)
50 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2019 Jam Risser <jam@codejam.ninja> (https://codejam.ninja)
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in
13 | all copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
21 | THE SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # keycloak-sso-configs
 2 | 
 3 | [![GitHub stars](https://img.shields.io/github/stars/codejamninja/keycloak-sso-configs.svg?style=social&label=Stars)](https://github.com/codejamninja/keycloak-sso-configs)
 4 | 
 5 | > common keycloak single sign on configurations
 6 | 
 7 | ![](assets/keycloak-sso-configs.png)
 8 | 
 9 | Please ★ this repo if you found it useful ★ ★ ★
10 | 
11 | ![](assets/keycloak-sso-configs)
12 | 
13 | ## Features
14 | 
15 | * saml
16 | * openid
17 | * oauth
18 | 
19 | 
20 | ## Dependencies
21 | 
22 | * [KeyCloak](https://www.keycloak.org)
23 | 
24 | 
25 | ## Usage
26 | 
27 | [Contribute](https://github.com/codejamninja/keycloak-sso-configs/blob/master/CONTRIBUTING.md) usage docs
28 | 
29 | 
30 | ## Support
31 | 
32 | Submit an [issue](https://github.com/codejamninja/keycloak-sso-configs/issues/new)
33 | 
34 | 
35 | ## Screenshots
36 | 
37 | [Contribute](https://github.com/codejamninja/keycloak-sso-configs/blob/master/CONTRIBUTING.md) a screenshot
38 | 
39 | 
40 | ## Contributing
41 | 
42 | Review the [guidelines for contributing](https://github.com/codejamninja/keycloak-sso-configs/blob/master/CONTRIBUTING.md)
43 | 
44 | 
45 | ## License
46 | 
47 | [MIT License](https://github.com/codejamninja/keycloak-sso-configs/blob/master/LICENSE)
48 | 
49 | [Jam Risser](https://codejam.ninja) © 2019
50 | 
51 | 
52 | ## Changelog
53 | 
54 | Review the [changelog](https://github.com/codejamninja/keycloak-sso-configs/blob/master/CHANGELOG.md)
55 | 
56 | 
57 | ## Credits
58 | 
59 | * [Jam Risser](https://codejam.ninja) - Author
60 | 
61 | 
62 | ## Support on Liberapay
63 | 
64 | A ridiculous amount of coffee ☕ ☕ ☕ was consumed in the process of building this project.
65 | 
66 | [Add some fuel](https://liberapay.com/codejamninja/donate) if you'd like to keep me going!
67 | 
68 | [![Liberapay receiving](https://img.shields.io/liberapay/receives/codejamninja.svg?style=flat-square)](https://liberapay.com/codejamninja/donate)
69 | [![Liberapay patrons](https://img.shields.io/liberapay/patrons/codejamninja.svg?style=flat-square)](https://liberapay.com/codejamninja/donate)
70 | 


--------------------------------------------------------------------------------
/assets/keycloak-sso-configs.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/clayrisser/keycloak-sso-configs/35554f264c395fe1b25f068c55bb0c9f5d3277b1/assets/keycloak-sso-configs.png


--------------------------------------------------------------------------------
/example.ldif:
--------------------------------------------------------------------------------
 1 | # dc=example,dc=com
 2 | # ├─ cn=admin
 3 | # ├─ ou=accounts
 4 | # │  ├─ uid=jsmith
 5 | # ├─ ou=roles
 6 | # │  ├─ cn=admin
 7 | 
 8 | version: 1
 9 | 
10 | # ORGANIZATION
11 | dn: dc=example,dc=com
12 | objectClass: dcObject
13 | objectClass: organization
14 | objectClass: top
15 | dc: example
16 | o: Example
17 | 
18 | # LDAP ADMIN
19 | dn: cn=admin,dc=example,dc=com
20 | objectClass: organizationalRole
21 | objectClass: simpleSecurityObject
22 | cn: admin
23 | userPassword: <SOME_PASSWORD_HASH>
24 | description: LDAP administrator
25 | 
26 | # ROLES
27 | dn: ou=roles,dc=example,dc=com
28 | objectClass: organizationalUnit
29 | objectClass: top
30 | ou: roles
31 | 
32 | # USER ROLE
33 | dn: cn=admin,ou=roles,dc=example,dc=com
34 | objectClass: groupOfNames
35 | objectClass: top
36 | cn: admin
37 | member: uid=jsmith,ou=accounts,dc=example,dc=com
38 | 
39 | # ACCOUNTS
40 | dn: ou=accounts,dc=example,dc=com
41 | objectClass: organizationalUnit
42 | objectClass: top
43 | ou: accounts
44 | 
45 | # USER ACCOUNT
46 | dn: uid=jsmith,ou=accounts,dc=example,dc=com
47 | objectClass: PostfixBookMailAccount
48 | objectClass: inetOrgPerson
49 | objectClass: organizationalPerson
50 | objectClass: person
51 | objectClass: top
52 | cn: John
53 | sn: Smith
54 | mail: jsmith@example.com
55 | uid: jsmith
56 | mailEnabled: TRUE
57 | userPassword: {CRYPT}<SOME_PASSWORD_HASH>
58 | 


--------------------------------------------------------------------------------
/flectra/README.md:
--------------------------------------------------------------------------------
 1 | ## Configure Keycloak
 2 | 
 3 | ## Configure Flectra
 4 | 
 5 | https://odoo-community.org/shop/product/keycloak-auth-integration-4530
 6 | 
 7 | https://gitlab.com/flectra-hq/developer-tools
 8 | 
 9 | **General Settings** -> **Integrations** -> **OAuth Authentication**
10 | 
11 | | Key                | Value                                                                                      |
12 | | ------------------ | ------------------------------------------------------------------------------------------ |
13 | | Provider name      | `Keycloak`                                                                                 |
14 | | Client ID          | `hq.siliconhills.dev`                                                                      |
15 | | Client Secret      | `some-client-id`                                                                           |
16 | | Allowed Body       | `Log in with Keycloak`                                                                     |
17 | | Authentication URL | `https://keycloak.example.com/auth/realms/master/protocol/openid-connect/auth`             |
18 | | Scope              |                                                                                            |
19 | | Validation URL     | `https://keycloak.example.com/auth/realms/master/protocol/openid-connect/token/introspect` |
20 | | Data URL           | `https://keycloak.example.com/auth/realms/master/protocol/openid-connect/userinfo`         |
21 | 


--------------------------------------------------------------------------------
/flectra/client.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "clientId": "flectra.example.com",
 3 |   "surrogateAuthRequired": false,
 4 |   "enabled": true,
 5 |   "clientAuthenticatorType": "client-secret",
 6 |   "redirectUris": ["*"],
 7 |   "webOrigins": [],
 8 |   "notBefore": 0,
 9 |   "bearerOnly": false,
10 |   "consentRequired": false,
11 |   "standardFlowEnabled": true,
12 |   "implicitFlowEnabled": true,
13 |   "directAccessGrantsEnabled": true,
14 |   "serviceAccountsEnabled": false,
15 |   "publicClient": false,
16 |   "frontchannelLogout": false,
17 |   "protocol": "openid-connect",
18 |   "attributes": {
19 |     "saml.assertion.signature": "false",
20 |     "saml.multivalued.roles": "false",
21 |     "saml.force.post.binding": "false",
22 |     "saml.encrypt": "false",
23 |     "saml.server.signature": "false",
24 |     "saml.server.signature.keyinfo.ext": "false",
25 |     "exclude.session.state.from.auth.response": "false",
26 |     "saml_force_name_id_format": "false",
27 |     "saml.client.signature": "false",
28 |     "tls.client.certificate.bound.access.tokens": "false",
29 |     "saml.authnstatement": "false",
30 |     "display.on.consent.screen": "false",
31 |     "saml.onetimeuse.condition": "false"
32 |   },
33 |   "authenticationFlowBindingOverrides": {},
34 |   "fullScopeAllowed": true,
35 |   "nodeReRegistrationTimeout": -1,
36 |   "defaultClientScopes": [
37 |     "web-origins",
38 |     "role_list",
39 |     "profile",
40 |     "roles",
41 |     "email"
42 |   ],
43 |   "optionalClientScopes": [
44 |     "address",
45 |     "phone",
46 |     "offline_access",
47 |     "microprofile-jwt"
48 |   ],
49 |   "access": {
50 |     "view": true,
51 |     "configure": true,
52 |     "manage": true
53 |   }
54 | }
55 | 


--------------------------------------------------------------------------------
/gitlab/README.md:
--------------------------------------------------------------------------------
  1 | ## Create SAML Client in Keycloak
  2 | 
  3 | Go to the Clients page and click the 'Create' button in the right upper corner.
  4 | 
  5 | | Key                  | Value                                                 |
  6 | | -------------------- | ----------------------------------------------------- |
  7 | | Client ID \*         | `gitlab.example.com`                                  |
  8 | | Client Protocol      | saml                                                  |
  9 | | Client SAML Endpoint | `https://gitlab.example.com/users/auth/saml/callback` |
 10 | 
 11 | ## Configure SAML Client in Keycloak
 12 | 
 13 | ### Settings Tab
 14 | 
 15 | The next screenshots contain the settings you need to set on your client.
 16 | 
 17 | | Key                                  | Value                                                 |
 18 | | ------------------------------------ | ----------------------------------------------------- |
 19 | | Client ID                            | `gitlab.example.com`                                  |
 20 | | Name                                 | `Example GItlab`                                      |
 21 | | Description                          | `some description`                                    |
 22 | | Enabled                              | ON                                                    |
 23 | | Consent Required                     | OFF                                                   |
 24 | | Login Theme                          | base                                                  |
 25 | | Client Protocol                      | saml                                                  |
 26 | | Include AuthnStatement               | ON                                                    |
 27 | | Include OneTimeUse Condition         | OFF                                                   |
 28 | | Sign Documents                       | ON                                                    |
 29 | | Optimize REDIRECT signing key lookup | OFF                                                   |
 30 | | Sign Assertions                      | ON                                                    |
 31 | | Signature Algorithm                  | RSA_SHA26                                             |
 32 | | SAML Signature Key Name              | KEY_ID                                                |
 33 | | Canonicalization Method              | EXCLUSIVE                                             |
 34 | | Encrypt Assertions                   | OFF                                                   |
 35 | | Client Signature Required            | ON                                                    |
 36 | | Force POST Binding                   | ON                                                    |
 37 | | Front Channel Logout                 | ON                                                    |
 38 | | Force Name ID Format                 | OFF                                                   |
 39 | | Name ID Format                       | persistant                                            |
 40 | | Root URL                             | `https://gitlab.example.com`                          |
 41 | | Valid Redirect URIs                  | `https://gitlab.example.com/users/auth/saml/callback` |
 42 | | Base URL                             | `/`                                                   |
 43 | | Master SAML Processing URL           | `https://gitlab.example.com/users/auth/saml/callback` |
 44 | | IDP Initiated SSO URL Name           |                                                       |
 45 | | IDP Initiated SSO Relay State        |                                                       |
 46 | 
 47 | ####Fine Grain SAML Endpoint Configuration:
 48 | 
 49 | | Key                                             | Value                                                 |
 50 | | ----------------------------------------------- | ----------------------------------------------------- |
 51 | | Assertion Consumer Service POST Binding URL     | `https://gitlab.example.com/users/auth/saml/callback` |
 52 | | Assertion Consumer Service Redirect Binding URL |                                                       |
 53 | | Logout Service POST Binding URL                 |                                                       |
 54 | | Logout Service Redirect Binding URL             |                                                       |
 55 | 
 56 | ### Roles Tab
 57 | 
 58 | Create New role using 'Add Role' button.
 59 | Add Roles as below and set the Composite to false for both.
 60 | 
 61 | | Role Name                   | Composite |
 62 | | --------------------------- | --------- |
 63 | | gitlab.example.com:access   | false     |
 64 | | gitlab.example.com:external | false     |
 65 | 
 66 | ### Mappers Tab
 67 | 
 68 | The create mappers configuration as:
 69 | 
 70 | - Name: `name`
 71 | 
 72 |   - Mapper Type: `User Property`
 73 |   - Property: `Username`
 74 |   - Friendly Name: `Username`
 75 |   - SAML Attribute Name: `name`
 76 |   - SAML Attribute NameFormat: Basic
 77 | 
 78 | - Name: `email`
 79 | 
 80 |   - Mapper Type: `User Property`
 81 |   - Property: `Email`
 82 |   - Friendly Name: `Email`
 83 |   - SAML Attribute Name: `email`
 84 |   - SAML Attribute NameFormat: Basic
 85 | 
 86 | - Name: `first_name`
 87 | 
 88 |   - Mapper Type: `User Property`
 89 |   - Property: `FirstName`
 90 |   - Friendly Name: `First Name`
 91 |   - SAML Attribute Name: `first_name`
 92 |   - SAML Attribute NameFormat: Basic
 93 | 
 94 | - Name: `last_name`
 95 | 
 96 |   - Mapper Type: `User Property`
 97 |   - Property: `LastName`
 98 |   - Friendly Name: `Last Name`
 99 |   - SAML Attribute Name: `name`
100 |   - SAML Attribute NameFormat: Basic
101 | 
102 | - Name: `roles`
103 | 
104 |   - Mapper Type: `Role list`
105 |   - Role attribute name: `roles`
106 |   - Friendly Name: `Roles`
107 |   - SAML Attribute NameFormat: Basic
108 |   - Single Role Attribute: On
109 | 
110 | - All of the mappers have “Consent Required” set to Off.
111 | 
112 | ### Scope Tab
113 | 
114 | ### Installation Tab
115 | 
116 | Select Format Option to `Keycloak SAML Adapter keycloak-saml.xml` and download the file using the download button.
117 | Copy the content between `<certificatePem>` and `</certificatePem>` and save in your machine
118 | 
119 | ## Configure gitlab
120 | 
121 | ```
122 |      {
123 |          name: 'saml',
124 |          label: '<LABEL>',
125 |          groups_attribute: 'roles',
126 |          external_groups: ['<CLIENT-ID-GIVEN-DURING-CREATION>:external'],
127 |          args: {
128 |            assertion_consumer_service_url: '{{ template "gitlab.gitlab-base-url" . }}/users/auth/saml/callback',
129 |            idp_cert_fingerprint_algorithm: 'http://www.w3.org/2000/09/xmldsig#sha1',
130 |            idp_cert: '-----BEGIN CERTIFICATE-----<SAVED-CERTIFICATE>-----END CERTIFICATE-----',
131 |            idp_sso_target_url: '<KEYCLOAK-URL>/auth/realms/<CREATED-REALM-NAME>/protocol/saml/clients/<CLIENT-ID-GIVEN-DURING-CREATION>',
132 |            issuer: '<CLIENT-ID-GIVEN-DURING-CREATION>',
133 |            name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
134 |            attribute_statements: {
135 |              first_name: ['first_name'],
136 |              last_name: ['last_name'],
137 |              name: ['name'],
138 |              username: ['name'],
139 |              email: ['email']
140 |            }
141 |          }
142 |       }
143 | ```
144 | 


--------------------------------------------------------------------------------
/nextcloud/README.md:
--------------------------------------------------------------------------------
 1 | ## Configure NextCloud
 2 | 
 3 | ### Generate Private Key and Certificate
 4 | 
 5 | Make sure `overwriteprotocol` is set to `https`
 6 | ```php
 7 | $CONFIG = array (
 8 |   'overwriteprotocol' => 'https'
 9 | )
10 | ```
11 | 
12 | ```sh
13 | openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout myservice.key -out myservice.cert
14 | ```
15 | 
16 | ### Install SSO & SAML Authentication App
17 | 
18 | **Apps** -> **Integration** -> **SSO & SAML authentication** -> **Download and enable**
19 | 
20 | ### Configure SSO & SAML Authentication App
21 | 
22 | **Settings** -> **SSO & SAML authentication** -> **Use build-in SAML authentication**
23 | 
24 | > You can get the Public X.509 certificate of the IdP by navigating to
25 | > **Realm Settings** -> **General** -> **Endpoints** -> **SAML 2.0 Identity Provider Metadata**
26 | > at [https://keycloak.example.com/auth/admin](https://keycloak.example.com/auth/admin)
27 | 
28 | > Make sure you _Show optional Identity Provider settings ..._
29 | 
30 | > Make sure you _Show attribute mapping settings ..._
31 | 
32 | > Make sure you _Show security settings ..._
33 | 
34 | | Key                                                                                                                                           | Value                                                                                      |
35 | | ------------------------------------------------------------------------------------------                                                    | ------------------------------------------------------------------------------------------ |
36 | | Use SAML auth for the SiliconHills Cloud desktop clients (requires user re-authentication)                                                    | `true`                                                                                     |
37 | | Attribute to map UID to                                                                                                                       | `username`                                                                                 |
38 | | X.509 certificate of the Service Provider                                                                                                     | contets of `myservice.cert`                                                                |
39 | | Private key of the Service Provider                                                                                                           | contets of `myservice.key`                                                                 |
40 | | Identifier of the IdP                                                                                                                         | `https://keycloak.example.com/auth/realms/master`                                          |
41 | | URL Target of the IdP where the SP will send the Authentication Request Message                                                               | `https://keycloak.example.com/auth/realms/master/protocol/saml`                            |
42 | | URL Location of IdP where the SP will send the SLO Request                                                                                    | `https://keycloak.example.com/auth/realms/master/protocol/saml`                            |
43 | | Public X.509 certificate of the IdP                                                                                                           | Value of the the Public X.509 certificate of the IdP                                       |
44 | | Attribute to map the displayname to.                                                                                                          | `username`                                                                                 |
45 | | Attribute to map the email address to.                                                                                                        | `email`                                                                                    |
46 | | Indicates that the nameID of the <samlp:logoutRequest> sent by this SP will be encrypted.                                                     | `false`                                                                                    |
47 | | Indicates whether the <samlp:AuthnRequest> messages sent by this SP will be signed. [Metadata of the SP will offer this info]                 | `true`                                                                                     |
48 | | Indicates whether the  <samlp:logoutRequest> messages sent by this SP will be signed.                                                         | `true`                                                                                     |
49 | | Indicates whether the  <samlp:logoutResponse> messages sent by this SP will be signed.                                                        | `true`                                                                                     |
50 | | Whether the metadata should be signed.                                                                                                        | `false`                                                                                    |
51 | | Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and <samlp:LogoutResponse> elements received by this SP to be signed. | `true`                                                                                     |
52 | | Indicates a requirement for the <saml:Assertion> elements received by this SP to be signed. [Metadata of the SP will offer this info]         | `true`                                                                                     |
53 | | Indicates a requirement for the <saml:Assertion> elements received by this SP to be encrypted.                                                | `false`                                                                                    |
54 | | Indicates a requirement for the NameID element on the SAMLResponse received by this SP to be present.                                         | `false`                                                                                    |
55 | | Indicates a requirement for the NameID received by this SP to be encrypted.                                                                   | `false`                                                                                    |
56 | | Indicates if the SP will validate all received XML.                                                                                           | `false**                                                                                   |
57 | 
58 | Select **Download metadata XML***
59 | 
60 | ## Configure Keycloak
61 | 
62 | Import the `metadata.xml` file downloaded while configuring NextCloud
63 | 
64 | **Clients** -> **Create** -> **Import** -> **Select File**
65 | 
66 | Select **Save**
67 | 
68 | Change **Valid Redirect URIs** from `https://nextcloud.example.com/apps/user_saml/saml/acs` to `https://nextcloud.example.com/*`
69 | 
70 | Remove `role_list` from **Client Scopes** -> **Setup** -> **Assigned Default Client Scopes**
71 | 
72 | ![NextCloud Settings](nextcloud-settings.png "NextCloud Settings")
73 | 


--------------------------------------------------------------------------------
/nextcloud/client.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "clientId": "https://nextcloud.example.com/apps/user_saml/saml/metadata",
 3 |   "surrogateAuthRequired": false,
 4 |   "enabled": true,
 5 |   "clientAuthenticatorType": "client-secret",
 6 |   "redirectUris": ["https://nextcloud.example.com/*"],
 7 |   "webOrigins": ["http://nextcloud.example.com"],
 8 |   "notBefore": 0,
 9 |   "bearerOnly": false,
10 |   "consentRequired": false,
11 |   "standardFlowEnabled": true,
12 |   "implicitFlowEnabled": false,
13 |   "directAccessGrantsEnabled": false,
14 |   "serviceAccountsEnabled": false,
15 |   "publicClient": false,
16 |   "frontchannelLogout": true,
17 |   "protocol": "saml",
18 |   "attributes": {
19 |     "saml.assertion.signature": "true",
20 |     "saml.force.post.binding": "true",
21 |     "saml.multivalued.roles": "false",
22 |     "saml.encrypt": "false",
23 |     "saml_assertion_consumer_url_post": "https://nextcloud.example.com/apps/user_saml/saml/acs",
24 |     "saml.server.signature": "true",
25 |     "saml.server.signature.keyinfo.ext": "false",
26 |     "exclude.session.state.from.auth.response": "false",
27 |     "saml.signing.certificate": "",
28 |     "saml_single_logout_service_url_redirect": "https://nextcloud.example.com/apps/user_saml/saml/sls",
29 |     "saml.signature.algorithm": "RSA_SHA256",
30 |     "saml_force_name_id_format": "false",
31 |     "tls.client.certificate.bound.access.tokens": "false",
32 |     "saml.client.signature": "true",
33 |     "saml.authnstatement": "true",
34 |     "display.on.consent.screen": "false",
35 |     "saml_name_id_format": "username",
36 |     "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#",
37 |     "saml.onetimeuse.condition": "false"
38 |   },
39 |   "authenticationFlowBindingOverrides": {},
40 |   "fullScopeAllowed": true,
41 |   "nodeReRegistrationTimeout": -1,
42 |   "protocolMappers": [
43 |     {
44 |       "name": "username",
45 |       "protocol": "saml",
46 |       "protocolMapper": "saml-user-property-mapper",
47 |       "consentRequired": false,
48 |       "config": {
49 |         "attribute.nameformat": "Basic",
50 |         "user.attribute": "Username",
51 |         "friendly.name": "username",
52 |         "attribute.name": "username"
53 |       }
54 |     },
55 |     {
56 |       "name": "email",
57 |       "protocol": "saml",
58 |       "protocolMapper": "saml-user-property-mapper",
59 |       "consentRequired": false,
60 |       "config": {
61 |         "attribute.nameformat": "Basic",
62 |         "user.attribute": "Email",
63 |         "friendly.name": "email",
64 |         "attribute.name": "email"
65 |       }
66 |     }
67 |   ],
68 |   "defaultClientScopes": ["web-origins", "profile", "roles", "email"],
69 |   "optionalClientScopes": [
70 |     "address",
71 |     "phone",
72 |     "offline_access",
73 |     "microprofile-jwt"
74 |   ],
75 |   "access": {
76 |     "view": true,
77 |     "configure": true,
78 |     "manage": true
79 |   }
80 | }
81 | 


--------------------------------------------------------------------------------
/nextcloud/nextcloud-settings.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/clayrisser/keycloak-sso-configs/35554f264c395fe1b25f068c55bb0c9f5d3277b1/nextcloud/nextcloud-settings.png


--------------------------------------------------------------------------------
/rancher2/README.md:
--------------------------------------------------------------------------------
 1 | ## Configure Keycloak
 2 | 
 3 | ## Configure Rancher
 4 | 
 5 | ### Generate Private Key and Certificate
 6 | 
 7 | ```sh
 8 | openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout myservice.key -out myservice.cert
 9 | ```
10 | 
11 | ### Configure SAML Keycloak
12 | 
13 | **Global** -> **Security** -> **Authentication** -> **SAML Keycloak**
14 | 
15 | | Key                | Value                                                                                                      |
16 | | ------------------ | ---------------------------------------------------------------------------------------------------------- |
17 | | Display Name Field | `DisplayName`                                                                                              |
18 | | User Name Field    | `Username`                                                                                                 |
19 | | UID Field          | `Username`                                                                                                 |
20 | | Groups Field       | `Groups`                                                                                                   |
21 | | Rancher API Host   | `https://orch.example.com`                                                                                 |
22 | | Private Key        | contents of following command `cat myservice.key`                                                          |
23 | | CA Certificate     | contents of following command `cat myservice.cert`                                                         |
24 | | Metadata XML       | contents of following command `curl https://iam.codejam.ninja/auth/realms/master/protocol/saml/descriptor` |
25 | 
26 | > For **Metadata XML** only copy the `<EntityDescriptor>` section. You will also need to move
27 | > the props from `<EntitiesDescriptor>` to `<EntityDescriptor>`.
28 | 


--------------------------------------------------------------------------------
/rancher2/client.json:
--------------------------------------------------------------------------------
  1 | {
  2 |   "clientId": "https://orch.example.com/v1-saml/keycloak/saml/metadata",
  3 |   "name": "orch.example.com",
  4 |   "rootUrl": "",
  5 |   "adminUrl": "https://orch.example.com/v1-saml/keycloak/saml/acs",
  6 |   "baseUrl": "/",
  7 |   "surrogateAuthRequired": false,
  8 |   "enabled": true,
  9 |   "clientAuthenticatorType": "client-secret",
 10 |   "redirectUris": ["https://orch.example.com/v1-saml/keycloak/saml/acs"],
 11 |   "webOrigins": [],
 12 |   "notBefore": 0,
 13 |   "bearerOnly": false,
 14 |   "consentRequired": false,
 15 |   "standardFlowEnabled": true,
 16 |   "implicitFlowEnabled": false,
 17 |   "directAccessGrantsEnabled": false,
 18 |   "serviceAccountsEnabled": false,
 19 |   "publicClient": false,
 20 |   "frontchannelLogout": false,
 21 |   "protocol": "saml",
 22 |   "attributes": {
 23 |     "saml.assertion.signature": "true",
 24 |     "saml.force.post.binding": "false",
 25 |     "saml.multivalued.roles": "false",
 26 |     "saml.encrypt": "false",
 27 |     "saml.server.signature": "true",
 28 |     "saml.server.signature.keyinfo.ext": "false",
 29 |     "exclude.session.state.from.auth.response": "false",
 30 |     "saml.signing.certificate": "",
 31 |     "saml.signature.algorithm": "RSA_SHA256",
 32 |     "saml_force_name_id_format": "false",
 33 |     "saml.client.signature": "false",
 34 |     "tls.client.certificate.bound.access.tokens": "false",
 35 |     "saml.authnstatement": "false",
 36 |     "display.on.consent.screen": "false",
 37 |     "saml.signing.private.key": "",
 38 |     "saml_name_id_format": "username",
 39 |     "saml.onetimeuse.condition": "false",
 40 |     "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#"
 41 |   },
 42 |   "authenticationFlowBindingOverrides": {},
 43 |   "fullScopeAllowed": true,
 44 |   "nodeReRegistrationTimeout": -1,
 45 |   "protocolMappers": [
 46 |     {
 47 |       "name": "Groups",
 48 |       "protocol": "saml",
 49 |       "protocolMapper": "saml-group-membership-mapper",
 50 |       "consentRequired": false,
 51 |       "config": {
 52 |         "single": "true",
 53 |         "attribute.nameformat": "Basic",
 54 |         "full.path": "true",
 55 |         "friendly.name": "Groups",
 56 |         "attribute.name": "member"
 57 |       }
 58 |     },
 59 |     {
 60 |       "name": "DisplayName",
 61 |       "protocol": "saml",
 62 |       "protocolMapper": "saml-user-property-mapper",
 63 |       "consentRequired": false,
 64 |       "config": {
 65 |         "attribute.nameformat": "Basic",
 66 |         "user.attribute": "FirstName",
 67 |         "friendly.name": "Display Name",
 68 |         "attribute.name": "DisplayName"
 69 |       }
 70 |     },
 71 |     {
 72 |       "name": "Username",
 73 |       "protocol": "saml",
 74 |       "protocolMapper": "saml-user-property-mapper",
 75 |       "consentRequired": false,
 76 |       "config": {
 77 |         "attribute.nameformat": "Basic",
 78 |         "user.attribute": "Username",
 79 |         "friendly.name": "Username",
 80 |         "attribute.name": "Username"
 81 |       }
 82 |     }
 83 |   ],
 84 |   "defaultClientScopes": [
 85 |     "web-origins",
 86 |     "role_list",
 87 |     "profile",
 88 |     "roles",
 89 |     "email"
 90 |   ],
 91 |   "optionalClientScopes": [
 92 |     "address",
 93 |     "phone",
 94 |     "offline_access",
 95 |     "microprofile-jwt"
 96 |   ],
 97 |   "access": {
 98 |     "view": true,
 99 |     "configure": true,
100 |     "manage": true
101 |   }
102 | }
103 | 


--------------------------------------------------------------------------------