adding Keycloak to SSO guides #1383

Closed
wants to merge 4 commits into from
@@ -0,0 +1,264 @@
<!-- Output copied to clipboard! -->

<!-----

You have some errors, warnings, or alerts. If you are using reckless mode, turn it off to see inline alerts.
* ERRORs: 0
* WARNINGs: 0
* ALERTS: 20

Conversion time: 7.265 seconds.


Using this Markdown file:

1. Paste this output into your source file.
2. See the notes and action items below regarding this conversion run.
3. Check the rendered output (headings, lists, code blocks, tables) for proper
formatting and use a linkchecker before you publish this page.

Conversion notes:

* Docs to Markdown version 1.0β34
* Tue Jun 27 2023 01:32:57 GMT-0700 (PDT)
* Source doc: Palette Keycloak Integration
* This document has images: check for >>>>> gd2md-html alert: inline image link in generated source and store images to your server. NOTE: Images in exported zip file from Google Docs may not appear in the same order as they do in your doc. Please check the images!

----->


<p style="color: red; font-weight: bold">>>>>> gd2md-html alert: ERRORs: 0; WARNINGs: 0; ALERTS: 20.</p>
<ul style="color: red; font-weight: bold"><li>See top comment block for details on ERRORs and WARNINGs. <li>In the converted Markdown or HTML, search for inline alerts that start with >>>>> gd2md-html alert: for specific instances that need correction.</ul>
Contributor

🚫 [vale] reported by reviewdog 🐶
[spectrocloud.ableism] Avoid using ableism terms. Use 'display' instead of 'See'.


<p style="color: red; font-weight: bold">Links to alert messages:</p><a href="#gdcalert1">alert1</a>
<a href="#gdcalert2">alert2</a>
<a href="#gdcalert3">alert3</a>
<a href="#gdcalert4">alert4</a>
<a href="#gdcalert5">alert5</a>
<a href="#gdcalert6">alert6</a>
<a href="#gdcalert7">alert7</a>
<a href="#gdcalert8">alert8</a>
<a href="#gdcalert9">alert9</a>
<a href="#gdcalert10">alert10</a>
<a href="#gdcalert11">alert11</a>
<a href="#gdcalert12">alert12</a>
<a href="#gdcalert13">alert13</a>
<a href="#gdcalert14">alert14</a>
<a href="#gdcalert15">alert15</a>
<a href="#gdcalert16">alert16</a>
<a href="#gdcalert17">alert17</a>
<a href="#gdcalert18">alert18</a>
<a href="#gdcalert19">alert19</a>
<a href="#gdcalert20">alert20</a>

<p style="color: red; font-weight: bold">>>>>> PLEASE check and correct alert issues and delete this message and the inline alerts.<hr></p>
Contributor

Remove all HTML tags and elements.




# Palette Keycloak integration
Contributor

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Keycloak'?



## Prerequisites:
Contributor

@sudkul87 sudkul87 Jul 3, 2023

Suggested change
## Prerequisites:
# Prerequisites

Contributor

Your document must adhere to the following layout:

# Title

# Prerequisites

# Enablement
1. Action 1 ...
...
...
N. Action N

# Validate

Notice that there are no H2 tags. Read the details here.




1. Access to Palette
2. Keycloak exposed on an external IP address, preferably with DNS name
Contributor

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Keycloak'?

3. k8s cluster with LoadBalancer resources and a couple of available IPs

(You can use Palette to install any type of k8s cluster on public cloud, where LoadBalancer will be available right away or install MetalLB from our pack if installing on-premises or on the edge)



## Installation



1. Provision a k8s cluster from Palette and download its kubeconfig
2. Let’s install keycloak on our Kubernetes cluster with CLI:
Contributor

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'keycloak'?

3. After a couple of minutes, verify which address Keycloak got:
Contributor

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Keycloak'?


in my case I’m running on EKS and the result is going to be: _a5f3a06f0063143fea26b6a086cb2c89-1900572074.eu-west-3.elb.amazonaws.com_



4. Let’s create an Ingress from an official doc, replacing KEYCLOAK_HOST with your hostname for LoadBalance:

This creates an ingress and we can now see keycloak available at services in Palette:
Contributor

🚫 [vale] reported by reviewdog 🐶
[spectrocloud.ableism] Avoid using ableism terms. Use 'display' instead of 'see'.

Contributor

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'keycloak'?




<p id="gdcalert1" ><span style="color: red; font-weight: bold">>>>>> gd2md-html alert: inline image link here (to images/image1.png). Store image on your image server and adjust path/filename/extension if necessary. </span><br>(<a href="#">Back to top</a>)(<a href="#gdcalert2">Next alert</a>)<br><span style="color: red; font-weight: bold">>>>>> </span></p>


![alt_text](images/image1.png "image_tooltip")
Contributor

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'alt_text'?





5. I’ll also create a CNAME _keycloak.dmitry.sa.spectrodemos.com_ pointing to _a5f3a06f0063143fea26b6a086cb2c89-1900572074.eu-west-3.elb.amazonaws.com_ so that it’d be more convenient to type and to get access to our Keycloak
Contributor

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Keycloak'?

6. Let’s login to Keycloak with default _admin:admin_ credentials at _[http://keycloak.dmitry.sa.spectrodemos.com:8080/admin](http://keycloak.dmitry.sa.spectrodemos.com:8080/admin)_, First thing is to change the admin password to something sensible!
Contributor

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Keycloak'?

Contributor

🚫 [vale] reported by reviewdog 🐶
[Google.Exclamation] Don't use exclamation points in text.

7. Let’s login to Palette, choose “Tenant Admin” at the top, click on “Tenant Settings” on the left hand side, then click on “SSO” in the center and “OIDC” on the right hand side. We’ll need to copy “Callback URL” and “Logout URL”
Contributor

🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'admin' instead of 'Admin'.


<p id="gdcalert2" ><span style="color: red; font-weight: bold">>>>>> gd2md-html alert: inline image link here (to images/image2.png). Store image on your image server and adjust path/filename/extension if necessary. </span><br>(<a href="#">Back to top</a>)(<a href="#gdcalert3">Next alert</a>)<br><span style="color: red; font-weight: bold">>>>>> </span></p>


![alt_text](images/image2.png "image_tooltip")

8. Let’s now login to Keycloak and create a client for Palette: I click on “Create client”
Contributor

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Keycloak'?


<p id="gdcalert3" ><span style="color: red; font-weight: bold">>>>>> gd2md-html alert: inline image link here (to images/image3.png). Store image on your image server and adjust path/filename/extension if necessary. </span><br>(<a href="#">Back to top</a>)(<a href="#gdcalert4">Next alert</a>)<br><span style="color: red; font-weight: bold">>>>>> </span></p>


![alt_text](images/image3.png "image_tooltip")

9. I’ll fill in both “Client ID” and “Name” as “palette” and click “Next”

<p id="gdcalert4" ><span style="color: red; font-weight: bold">>>>>> gd2md-html alert: inline image link here (to images/image4.png). Store image on your image server and adjust path/filename/extension if necessary. </span><br>(<a href="#">Back to top</a>)(<a href="#gdcalert5">Next alert</a>)<br><span style="color: red; font-weight: bold">>>>>> </span></p>


![alt_text](images/image4.png "image_tooltip")

10. In the following screen, I’ll activate “Client authentication” for increased security



<p id="gdcalert5" ><span style="color: red; font-weight: bold">>>>>> gd2md-html alert: inline image link here (to images/image5.png). Store image on your image server and adjust path/filename/extension if necessary. </span><br>(<a href="#">Back to top</a>)(<a href="#gdcalert6">Next alert</a>)<br><span style="color: red; font-weight: bold">>>>>> </span></p>


![alt_text](images/image5.png "image_tooltip")


11. In the last screen in this section I paste Root URL from your Palette URL, in your case it’ll probably be “_[https://$YOURNAME-$YOURCOMPANY.spectrocloud.com](https://$YOURNAME-$YOURCOMPANY.spectrocloud.com)_”

I paste “Callback URL” from Step 7 from Palette as “Valid redirect URLs” and


I paste “Logout URL” from Step 7 from Palette as “Valid post logout redirect URIs” and click on “Save” to create the client.

12.

<p id="gdcalert6" ><span style="color: red; font-weight: bold">>>>>> gd2md-html alert: inline image link here (to images/image6.png). Store image on your image server and adjust path/filename/extension if necessary. </span><br>(<a href="#">Back to top</a>)(<a href="#gdcalert7">Next alert</a>)<br><span style="color: red; font-weight: bold">>>>>> </span></p>


![alt_text](images/image6.png "image_tooltip")

13. I then click on “Clients” choose my “palette” client and click on “Credentials” tab in order to retrieve and copy to buffer my secret



<p id="gdcalert7" ><span style="color: red; font-weight: bold">>>>>> gd2md-html alert: inline image link here (to images/image7.png). Store image on your image server and adjust path/filename/extension if necessary. </span><br>(<a href="#">Back to top</a>)(<a href="#gdcalert8">Next alert</a>)<br><span style="color: red; font-weight: bold">>>>>> </span></p>


![alt_text](images/image7.png "image_tooltip")


14. Let’s get back to Palette interface where we left it (on OIDC tab) and paste newly obtained parameters from Keycloak:
Contributor

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Keycloak'?

* Issuer URL is going to be your Keycloak address with **/realms/master** added at the end, in my case: _[http://keycloak.dmitry.sa.spectrodemos.com:8080/realms/master](http://keycloak.dmitry.sa.spectrodemos.com:8080/realms/master)_
Contributor

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Keycloak'?

* Client ID is going to be “palette”
* Client Secret is copied from the previous step
15.

<p id="gdcalert8" ><span style="color: red; font-weight: bold">>>>>> gd2md-html alert: inline image link here (to images/image8.png). Store image on your image server and adjust path/filename/extension if necessary. </span><br>(<a href="#">Back to top</a>)(<a href="#gdcalert9">Next alert</a>)<br><span style="color: red; font-weight: bold">>>>>> </span></p>


![alt_text](images/image8.png "image_tooltip")

16. When you press the “Enable button” at the bottom, you should see the green message “OIDC configured successfully” at the top right corner.
Contributor

🚫 [vale] reported by reviewdog 🐶
[spectrocloud.ableism] Avoid using ableism terms. Use 'display' instead of 'see'.


<p id="gdcalert9" ><span style="color: red; font-weight: bold">>>>>> gd2md-html alert: inline image link here (to images/image9.png). Store image on your image server and adjust path/filename/extension if necessary. </span><br>(<a href="#">Back to top</a>)(<a href="#gdcalert10">Next alert</a>)<br><span style="color: red; font-weight: bold">>>>>> </span></p>


![alt_text](images/image9.png "image_tooltip")

17. Let’s make sure we fill in first name, second name & email to the admin user.

<p id="gdcalert10" ><span style="color: red; font-weight: bold">>>>>> gd2md-html alert: inline image link here (to images/image10.png). Store image on your image server and adjust path/filename/extension if necessary. </span><br>(<a href="#">Back to top</a>)(<a href="#gdcalert11">Next alert</a>)<br><span style="color: red; font-weight: bold">>>>>> </span></p>


![alt_text](images/image10.png "image_tooltip")

18. SSO configuration is now over, in order to verify it I can open an incognito window and go to my Palette URL.

<p id="gdcalert11" ><span style="color: red; font-weight: bold">>>>>> gd2md-html alert: inline image link here (to images/image11.png). Store image on your image server and adjust path/filename/extension if necessary. </span><br>(<a href="#">Back to top</a>)(<a href="#gdcalert12">Next alert</a>)<br><span style="color: red; font-weight: bold">>>>>> </span></p>


![alt_text](images/image11.png "image_tooltip")

19. When clicking on “Sign In” I’m redirected to Keycloak where I can log in with my “admin” credentials”
Contributor

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Keycloak'?

20.

<p id="gdcalert12" ><span style="color: red; font-weight: bold">>>>>> gd2md-html alert: inline image link here (to images/image12.png). Store image on your image server and adjust path/filename/extension if necessary. </span><br>(<a href="#">Back to top</a>)(<a href="#gdcalert13">Next alert</a>)<br><span style="color: red; font-weight: bold">>>>>> </span></p>


![alt_text](images/image12.png "image_tooltip")

21. When I type the right Keycloak password, I’m going to be authenticated back to Palette. Success!
Contributor

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Keycloak'?

Contributor

🚫 [vale] reported by reviewdog 🐶
[Google.Exclamation] Don't use exclamation points in text.


<p id="gdcalert13" ><span style="color: red; font-weight: bold">>>>>> gd2md-html alert: inline image link here (to images/image13.png). Store image on your image server and adjust path/filename/extension if necessary. </span><br>(<a href="#">Back to top</a>)(<a href="#gdcalert14">Next alert</a>)<br><span style="color: red; font-weight: bold">>>>>> </span></p>


![alt_text](images/image13.png "image_tooltip")



## OPTIONAL: let’s create a Team in Palette and add one more user in Keycloak
Contributor

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Keycloak'?




22. Let’s get to Palette setup, click on “Users & Teams” on the left and create a new Team using button on the top right “Create Team”



<p id="gdcalert14" ><span style="color: red; font-weight: bold">>>>>> gd2md-html alert: inline image link here (to images/image14.png). Store image on your image server and adjust path/filename/extension if necessary. </span><br>(<a href="#">Back to top</a>)(<a href="#gdcalert15">Next alert</a>)<br><span style="color: red; font-weight: bold">>>>>> </span></p>


![alt_text](images/image14.png "image_tooltip")


23. I add a team “admins” and add “Project Admin” role to my project “Default”
Contributor

🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'admin' instead of 'Admin'.

24.

<p id="gdcalert15" ><span style="color: red; font-weight: bold">>>>>> gd2md-html alert: inline image link here (to images/image15.png). Store image on your image server and adjust path/filename/extension if necessary. </span><br>(<a href="#">Back to top</a>)(<a href="#gdcalert16">Next alert</a>)<br><span style="color: red; font-weight: bold">>>>>> </span></p>


![alt_text](images/image15.png "image_tooltip")

25. I then switch back to SSO parameters and make sure it’s the default Team for my SSO users

<p id="gdcalert16" ><span style="color: red; font-weight: bold">>>>>> gd2md-html alert: inline image link here (to images/image16.png). Store image on your image server and adjust path/filename/extension if necessary. </span><br>(<a href="#">Back to top</a>)(<a href="#gdcalert17">Next alert</a>)<br><span style="color: red; font-weight: bold">>>>>> </span></p>


![alt_text](images/image16.png "image_tooltip")

26. I go back to Keycloak, click on “Users” on the left hand side and create a user, making sure “Username”, “Email”, “First Name” and “Last Name” are all filled in.
Contributor

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Keycloak'?


<p id="gdcalert17" ><span style="color: red; font-weight: bold">>>>>> gd2md-html alert: inline image link here (to images/image17.png). Store image on your image server and adjust path/filename/extension if necessary. </span><br>(<a href="#">Back to top</a>)(<a href="#gdcalert18">Next alert</a>)<br><span style="color: red; font-weight: bold">>>>>> </span></p>


![alt_text](images/image17.png "image_tooltip")

27. I then click on “Credentials” and set up some password

<p id="gdcalert18" ><span style="color: red; font-weight: bold">>>>>> gd2md-html alert: inline image link here (to images/image18.png). Store image on your image server and adjust path/filename/extension if necessary. </span><br>(<a href="#">Back to top</a>)(<a href="#gdcalert19">Next alert</a>)<br><span style="color: red; font-weight: bold">>>>>> </span></p>


![alt_text](images/image18.png "image_tooltip")

28. If I now open another incognito window, go to Palette and log in with my newly created user in Keycloak, I should be automatically logged in Palette as admin!
Contributor

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Keycloak'?


<p id="gdcalert19" ><span style="color: red; font-weight: bold">>>>>> gd2md-html alert: inline image link here (to images/image19.png). Store image on your image server and adjust path/filename/extension if necessary. </span><br>(<a href="#">Back to top</a>)(<a href="#gdcalert20">Next alert</a>)<br><span style="color: red; font-weight: bold">>>>>> </span></p>


![alt_text](images/image19.png "image_tooltip")

29. Voilà, our example is done,we’re logged in with the user from Keycloak without touching anything in Palette
Contributor

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Keycloak'?


<p id="gdcalert20" ><span style="color: red; font-weight: bold">>>>>> gd2md-html alert: inline image link here (to images/image20.png). Store image on your image server and adjust path/filename/extension if necessary. </span><br>(<a href="#">Back to top</a>)(<a href="#gdcalert21">Next alert</a>)<br><span style="color: red; font-weight: bold">>>>>> </span></p>


![alt_text](images/image20.png "image_tooltip")


Please contact us if you have any further questions on how to set up proper RBAC!
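
Review bot: Steps 6 and 14 put the Keycloak admin console and the OIDC Issuer URL on plain HTTP (`http://keycloak.dmitry.sa.spectrodemos.com:8080/admin` and `.../realms/master`) on a host that the prerequisites and steps 3 to 5 expose through an external LoadBalancer and a CNAME, so the default admin:admin login, the client secret copied in step 13 and the sign-in traffic between Palette and Keycloak all travel unencrypted. Suggest that the guide terminate TLS on the Ingress from step 4, use an https Issuer URL, and move the admin password change ahead of the point where the console becomes externally reachable. Two related points: the "palette" client is created in the master realm, the same realm the "admin" account in step 19 signs in from, so a dedicated realm would be a safer example; and steps 23 to 25 make a team holding the "Project Admin" role the default team for SSO users, which is why the new user in step 28 lands as admin, so the guide should mark that as demo-only. Separately, steps 2, 3 and 4 end in a colon with no command following them, and steps 12, 15, 20 and 24 are empty list items.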
Contributor

🚫 [vale] reported by reviewdog 🐶
[Google.Exclamation] Don't use exclamation points in text.