Keycloak in combination with MongoDB and SimpleSamlPHP as a samlbridge.
Please see the documentation for Keycloak, MongoDB, SimpleSamlPHP and Docker for more information.
![architecture](https://raw.githubusercontent.com/cyclone-project/cyclone-federation-provider/master/docs/cyclone-diagram.png)
Configure Keycloak and SimpleSamlPHP by editing the files in components/keycloak/config or components/samlbridge/config respectively.
The Keycloak database is persisted (by default) in data/keycloak/db. Import configuration for Keycloak by adding the keycloak-export.json to data/keycloak/exports and editing docker-compose.yml.
The provided keycloak-export.json includes:
Default Users for Keycloak:
Username | Password |
---|---|
admin | admin |
owner | owner |
user | user |
guest | guest |
Default Clients for Keycloak:
Client Id | Redirect Uri |
---|---|
slipstream | * |
portal | * |
test | * |
Build and run with Docker and Docker Compose by executing docker-compose up.
By default, Keycloak listens at http://localhost:9080 and SimpleSamlPHP at http://localhost:8080/samlbridge.
NOTE: The underlying standard is OpenID Connect, specifically the Authorization Code Flow.
- User tries to access a protected resource.
- User is redirected to:
  http(s)://(keycloak)/auth/realms/(realm)/protocol/openid-connect/auth?client_id=(client_id)&redirect_uri=(redirect_uri)&response_type=code
- User login happens with any of the methods supported by Keycloak.
- After successful login, the user is redirected to (redirect_uri) with a code:
  (redirect_uri)/?code=(code)
- Use this code to retrieve a set of JSON Web Tokens (JWT):
  POST /auth/realms/(realm)/protocol/openid-connect/token
  Content-Type: application/x-www-form-urlencoded
  grant_type: authorization_code
  code: (code)
  redirect_uri: (redirect_uri)
  client_id: (client_id)
  Response:
  {
    "access_token": (base64 encoded JWT),
    "expires_in": (time),
    "refresh_token": (base64 encoded JWT),
    "refresh_expires_in": (time),
    "token_type": "bearer",
    "id_token": (base64 encoded JWT),
    "not-before-policy": (policy),
    "session-state": (session-state)
  }
- Refresh the set of tokens, as necessary:
  POST /auth/realms/(realm)/protocol/openid-connect/token
  Content-Type: application/x-www-form-urlencoded
  grant_type: refresh_token
  refresh_token: (refresh_token)
  redirect_uri: (redirect_uri)
  client_id: (client_id)
  Response:
  {
    "access_token": (base64 encoded JWT),
    "expires_in": (time),
    "refresh_token": (base64 encoded JWT),
    "refresh_expires_in": (time),
    "token_type": "bearer",
    "id_token": (base64 encoded JWT),
    "not-before-policy": (policy),
    "session-state": (session-state)
  }
- Log out by redirecting the user to:
  http(s)://(keycloak)/auth/realms/(realm)/tokens/logout?redirect_uri=(redirect_uri)
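The flow above, worked through as a small relying-party client in Python. This is an added example, not code from the cyclone-federation-provider project; the realm name (cyclone), the redirect URI and the sample code/token values are constructed, and it goes one step beyond the page by carrying an OAuth 2.0 state parameter through the redirect and rejecting a callback whose state does not match.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample values; a real deployment uses its own realm, client and redirect URI.
KEYCLOAK = "http://localhost:9080"                # default listen address from the README
REALM = "cyclone"                                 # assumption: realm name is not given on the page
CLIENT_ID = "portal"                              # one of the default clients in keycloak-export.json
REDIRECT_URI = "http://localhost:8080/callback"   # assumption
TOKEN_ENDPOINT = f"{KEYCLOAK}/auth/realms/{REALM}/protocol/openid-connect/token"


def auth_url(state):
    """Step 2: URL the user is redirected to. `state` is a random value the client
    stores in its session and compares on return (added here; not on the page)."""
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "response_type": "code", "state": state}
    return f"{KEYCLOAK}/auth/realms/{REALM}/protocol/openid-connect/auth?{urlencode(params)}"


def code_from_callback(url, expected_state):
    """Step 4: extract the code from (redirect_uri)/?code=..., refusing a mismatched state."""
    qs = parse_qs(urlparse(url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not issued for this session")
    return qs["code"][0]


def token_request(code):
    """Step 5: token endpoint plus the x-www-form-urlencoded body for the code exchange."""
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID})
    return TOKEN_ENDPOINT, body


def refresh_request(refresh_token):
    """Step 6: same endpoint, grant_type=refresh_token, to renew the token set."""
    body = urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token,
                      "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID})
    return TOKEN_ENDPOINT, body


def jwt_claims(token):
    """Decode the payload segment of a JWT for inspection only. This does NOT verify
    the signature; verify against the realm's public key before trusting any claim."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore the base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def logout_url():
    """Step 7: logout endpoint as listed on the page."""
    return f"{KEYCLOAK}/auth/realms/{REALM}/tokens/logout?{urlencode({'redirect_uri': REDIRECT_URI})}"
```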