Keycloack is an open source Access Management solution by RedHat, aimed at modern applications and services. It supports several authentication and federation standards, including OpenID Connect.

Apache Syncope was recently equipped with OpenID Connect client features, allowing Single SignOn to Admin Console and Enduser UI; in the following, we are going to show how to integrate Apache Syncope with Keyloack, by leveraing the OpenID Connect protocol.

First of all, create a "docker-compose.yml" file. Take this as reference, so that you'll create the full Syncope suite (Core, Console, Enduser) running on a MySQL instance.
Here is a sample "docker-compose.yml" file content:

services:
  version: '3.3'
  db:
     image: mysql/mysql-server:5.7
     restart: always
     environment:
       MYSQL_DATABASE: syncope
       MYSQL_USER: syncope
       MYSQL_PASSWORD: syncope

   syncope:
     depends_on:
       - db
     image: apache/syncope:2.1.0
     ports:
       - "18080:8080"
     restart: always
     environment:
       DBMS: mysql
       DB_URL: jdbc:mysql://db:3306/syncope?characterEncoding=UTF-8&relaxAutoCommit=true&useSSL=false
       DB_USER: syncope
       DB_PASSWORD: syncope
       DB_POOL_MAX: 10
       DB_POOL_MIN: 2
       OPENJPA_REMOTE_COMMIT: sjvm

   syncope-console:
     depends_on:
       - syncope
     image: apache/syncope-console:2.1.0
     ports:
       - "28080:8080"
     restart: always
     environment:
       CORE_SCHEME: http
       CORE_HOST: syncope
       CORE_PORT: 8080

   syncope-enduser:
     depends_on:
       - syncope
     image: apache/syncope-enduser:2.1.0
     ports:
       - "38080:8080"
     restart: always
     environment:
       CORE_SCHEME: http
       CORE_HOST: syncope
       CORE_PORT: 8080
       DOMAIN: Master

Then, add a Keycloak instance to have a fully working Keycloak container. E.g.


  keycloak:
     image: jboss/keycloak:latest
     ports:
       - "8081:8080"
     restart: always
     links:
        - db
     environment:
       KEYCLOAK_LOGLEVEL: INFO
       KEYCLOAK_USER: admin
       KEYCLOAK_PASSWORD: admin
       DB_VENDOR: h2

In this example we use "h2" for in-memory database persistence.

Run:

$ docker-compose up -d

to pull, create and start all containers.

Go to http://localhost:8081 and access the Keycloak "Administration Console" with "admin" / "admin" credentials, as specified in the "docker-compose.yml" file.

Create a new OIDC Client on Keycloak

From the Keycloak Admin Console, go to "Clients", click "Create" and fill "Client ID" and "Client Protocol" fields:

Click "Save" and fill other fields like this:

It is important to specify the following entries in the "Valid Redirect URIs" field list:

Save the new client!

Now, you need to note down the name of the new created client (the "Client ID"), "syncope-oidc" in our example, and the "Client Secret" token (you can find it in "Clients" -> "account" item -> "Credentials" tab -> "Secret").

Let's now create a Keycloak user that we'll use to access Syncope using the OIDC authentication.
Still from left panel, select "Users" -> "Add User" button and enter something like this:

Save the user!

Add a new Syncope OIDC Provider

Go to http://localhost:28080/syncope-console and access the Syncope Admin Console with default "admin" / "password" credentials.

From left panel, select "Extensions" -> "OIDC Client" and add a new OIDC Provider by clicking on the "+" icon.
Here is an example:

Click "Next", here you need to find the Docker IP of the "Keycloak" running container. Use the following command:

 $ docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' [KEYCLOAK_CONTAINER_NAME]

Now you can enter http://[CONTAINER_IP]:8080/auth/realms/master (note that the port is "8080" and not "8081"):
;
It is the Base URL of the related Keycloak realm.
Click "Next" again and enter a mapping for the new created users from Keycloak. E.g.

Note that you can use the same method to login to Syncope Enduser ( http://localhost:38080/syncope-enduser)

3 VOTIGoodGood
Ti è stato utile questo articolo?
Dal Blog di Tirasa
Quello che facciamo, studiamo e pensiamo tutti i giorni lo condividiamo qui.
Vai al blog >