adding Keycloak to SSO guides #1383

Closed
wants to merge 4 commits into from
@@ -0,0 +1,134 @@
# Palette Keycloak integration
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Keycloak'?


This document permits to integrate Palette with Keycloak and log in to Palette with credentials stored in Keycloak
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Keycloak'?

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Keycloak'?


## Prerequisites:
@sudkul87 sudkul87 Jul 3, 2023

Suggested change
## Prerequisites:
# Prerequisites

Your document must adhere to the following layout:

# Title

# Prerequisites

# Enablement
1. Action 1 ...
...
...
N. Action N

# Validate

Notice that there are no H2 tags. Read the details here.


1. Access to Palette
2. Keycloak exposed on an external IP address, preferably with DNS name
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Keycloak'?

3. Kubernetes cluster with LoadBalancer resources and a couple of available IPs

(You can use Palette to install any type of Kubernetes cluster on public cloud, where LoadBalancer will be available right away or install MetalLB from Spectro Cloud pack if installing on-premises or on the edge)

## Installation

1. Provision a Kubernetes cluster from Palette and download its kubeconfig
2. Install keycloak on our Kubernetes cluster with CLI:
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'keycloak'?

```bash
$ kubectl create -f https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/kubernetes-examples/keycloak.yaml
```

3. After a couple of minutes, verify which address Keycloak got:
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Keycloak'?

```bash
$ kubectl describe service keycloak | grep "LoadBalancer Ingress" | awk '{print $3}'
```

for EKS, the result is going to be somewhat similar to: _a5f3a06f0063143fea26b6a086cb2c89-1900572074.eu-west-3.elb.amazonaws.com_

4. Create an Ingress from an official doc, replacing KEYCLOAK_HOST with your hostname for LoadBalancer:

```bash
wget -q -O - https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/kubernetes-examples/keycloak-ingress.yaml | sed "s/KEYCLOAK_HOST/a5f3a06f0063143fea26b6a086cb2c89-1900572074.eu-west-3.elb.amazonaws.com/" | kubectl create -f -
```

This creates an ingress and Palette should now show Keycloak service:
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Keycloak'?


![alt_text](/user-management_saml-sso_keycloak-01-keycloak-service.png "Keycloak Service")
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'alt_text'?

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Keycloak'?


5. Create a convenient CNAME, for example _keycloak.dmitry.sa.spectrodemos.com_ pointing to _a5f3a06f0063143fea26b6a086cb2c89-1900572074.eu-west-3.elb.amazonaws.com_ so that it is easier to type and to get access to the installed Keycloak
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Keycloak'?


6. Login to Keycloak with default _admin:admin_ credentials at _[http://keycloak.dmitry.sa.spectrodemos.com:8080/admin](http://keycloak.dmitry.sa.spectrodemos.com:8080/admin)_, First thing is to change the admin password to something sensible!
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Keycloak'?

🚫 [vale] reported by reviewdog 🐶
[Google.Exclamation] Don't use exclamation points in text.


7. Login to Palette, choose “Tenant Admin” at the top, click on “Tenant Settings” on the left hand side, then click on “SSO” in the center and “OIDC” on the right hand side. Note and copy “Callback URL” and “Logout URL”
🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'admin' instead of 'Admin'.


![alt_text](/user-management_saml-sso_keycloak-02-callback-url.png "Callback URL")

8. Login to Keycloak and create a client for Palette: click on “Create client”
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Keycloak'?


![alt_text](/user-management_saml-sso_keycloak-03-create-client.png "Create Client")

9. Fill in both “Client ID” and “Name” as “palette” and click “Next”

![alt_text](/user-management_saml-sso_keycloak-04-palette-username.png "Palette username")

10. In the following screen, activate “Client authentication” for increased security

![alt_text](/user-management_saml-sso_keycloak-05-client-authentication.png "Client Authentication")

11. In the last screen in this section paste Root URL from your Palette URL, it will probably be something similar to “_[https://$YOURNAME-$YOURCOMPANY.spectrocloud.com](https://$YOURNAME-$YOURCOMPANY.spectrocloud.com)_”

Paste “Callback URL” from Step 7 as “Valid redirect URLs” and “Logout URL” from the same step as “Valid post logout redirect URIs”, then click on “Save” to create the client.

12.

![alt_text](/user-management_saml-sso_keycloak-06-keycloak-callback.png "Keycloak callback")

13. Click on “Clients” choose my “palette” client and click on “Credentials” tab in order to retrieve and copy to buffer the secret

![alt_text](/user-management_saml-sso_keycloak-07-keycloak-credentials.png "Keycloak Credentials")


14. Get back to Palette interface (OIDC tab) and paste newly obtained parameters from Keycloak:
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Keycloak'?

* Issuer URL is going to be your Keycloak address with **/realms/master** added at the end, such as: _[http://keycloak.dmitry.sa.spectrodemos.com:8080/realms/master](http://keycloak.dmitry.sa.spectrodemos.com:8080/realms/master)_
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Keycloak'?

* Client ID is going to be “palette”
* Client Secret is copied from the previous step

15.

![alt_text](/user-management_saml-sso_keycloak-08-palette-callback.png "Palette Callback")

16. Press the “Enable button” at the bottom, you should see the green message “OIDC configured successfully” at the top right corner.
🚫 [vale] reported by reviewdog 🐶
[spectrocloud.ableism] Avoid using ableism terms. Use 'display' instead of 'see'.


![alt_text](/user-management_saml-sso_keycloak-09-palette-oidc-enabled.png "Palette OIDC Enabled")

17. Fill in first name, second name & email to the admin user.

![alt_text](/user-management_saml-sso_keycloak-10-keycloak-admin.png "Keycloak Admin")

18. SSO configuration is now over, in order to verify it, open an incognito browser window and go to the Palette URL.

![alt_text](/user-management_saml-sso_keycloak-11-palette-sso.png "Palette SSO")

19. When clicking on “Sign In” you should be redirected to Keycloak where you can log in with “admin” credentials
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Keycloak'?


20.

![alt_text](/user-management_saml-sso_keycloak-12-keycloak-sso.png "Keycloak SSO")

21. If you type the correct Keycloak password, you are going to be authenticated and forwarded back to Palette. That completes the initial goal.
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Keycloak'?


![alt_text](/user-management_saml-sso_keycloak-13-palette-logged-in.png "Palette logged in")

## OPTIONAL: Create a Team in Palette and add one more user in Keycloak
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Keycloak'?


22. Get back to Palette setup, click on “Users & Teams” on the left and create a new Team using button on the top right “Create Team”

![alt_text](/user-management_saml-sso_keycloak-14-palette-groups.png "Palette groups")

23. Add a team “admins” and add “Project Admin” role to the “Default” project
🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'admin' instead of 'Admin'.


24.

![alt_text](/user-management_saml-sso_keycloak-15-palette-project.png "Palette Project")

25. Then switch back to SSO parameters and make sure it’s the default Team for SSO users

![alt_text](/user-management_saml-sso_keycloak-16-palette-sso-admins.png "Palette SSO Admins")

26. Go back to Keycloak, click on “Users” on the left hand side and create a user, making sure “Username”, “Email”, “First Name” and “Last Name” are all filled in.
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Keycloak'?


![alt_text](/user-management_saml-sso_keycloak-17-keycloak-user.png "Keycloak user")

27. Then click on “Credentials” and set up some password

![alt_text](/user-management_saml-sso_keycloak-18-keycloak-password.png "Keycloak password")

28. Open another incognito window, go to Palette and log in with the newly created user in Keycloak. You should be automatically logged in Palette as admin!
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Keycloak'?


![alt_text](/user-management_saml-sso_keycloak-19-keycloak-incognito.png "Keycloak incognito")

29. Voilà, the example is done, you should be logged in with the user from Keycloak without touching anything in Palette!
🚫 [vale] reported by reviewdog 🐶
[Google.Exclamation] Don't use exclamation points in text.


![alt_text](/user-management_saml-sso_keycloak-20-palette-user-logged-in.png "Palette user logged in")

Please contact us if you have any further questions on how to set up proper RBAC!
🚫 [vale] reported by reviewdog 🐶
[Google.Exclamation] Don't use exclamation points in text.
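Review bot: every Keycloak URL in the procedure is plain HTTP on port 8080, the admin console in step 6 (`http://keycloak.dmitry.sa.spectrodemos.com:8080/admin`) and the OIDC issuer in step 14 (`http://keycloak.dmitry.sa.spectrodemos.com:8080/realms/master`), so the admin password set in step 6, the client secret copied in step 13 and every authorization code and token exchanged during the Palette login cross the network in cleartext. The ingress created in step 4 should terminate TLS and both URLs should read `https://` before this ships as an SSO guide; Palette's own URL in step 11 is already `https://`. Two related points: steps 23 and 25 make the `admins` team, which holds `Project Admin` on the `Default` project, the default team for all SSO users, so the step 28 outcome ("automatically logged in Palette as admin") applies to any account later created in that realm; the guide should state this and recommend a low-privilege default team with admin membership granted deliberately. The users and the `palette` client are also created in Keycloak's `master` realm (the issuer ends in `/realms/master`), which Keycloak reserves for administering other realms; a dedicated realm for Palette users keeps them apart from the admin console accounts. Smaller items: steps 2 and 4 pipe manifests from the unpinned `latest` ref straight into `kubectl create -f -` without a version pin or a review of the YAML; the personal demo hostname `keycloak.dmitry.sa.spectrodemos.com` and the ELB name should become placeholders like the `$YOURNAME-$YOURCOMPANY` form already used in step 11; steps 12, 15, 20 and 24 are empty numbered items holding only a screenshot, and step 13 says "choose my 'palette' client" where it should say "your".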
