|
| 1 | +# FreeIPA external IDP integration with Keycloak |
| 2 | + |
| 3 | +In this example an environment with a [FreeIPA](https://freeipa.org) |
| 4 | +and a [Keycloak](https://keycloak.org) servers is created so that user |
| 5 | +authentication in IPA, using an external IDP is performed. |
| 6 | + |
| 7 | +## Preparing the environment |
| 8 | + |
| 9 | +Create the configuration: |
| 10 | + |
| 11 | +``` |
| 12 | +python3 -m venv /tmp/ipalab |
| 13 | +. /tmp/ipalab/bin/activate |
| 14 | +pip install -r requirements.txt |
| 15 | +``` |
| 16 | + |
| 17 | +Build the container image and instantiate containers: |
| 18 | + |
| 19 | +``` |
| 20 | +ipalab-config lab_ipa_keycloak.yml |
| 21 | +cd ipa-keycloak-idp |
| 22 | +podman-compose build |
| 23 | +podman-compose up -d |
| 24 | +``` |
| 25 | + |
| 26 | +At this point, you'll have two containers, one based on the oficial |
| 27 | +Keycloak container image, and one that can have IPA deployed to. |
| 28 | + |
| 29 | +Deploy the IPA cluster using |
| 30 | +[ansible-freeipa](https://gtihub.com/freeipa/ansible-freeipa): |
| 31 | + |
| 32 | +``` |
| 33 | +ansible-galaxy collection install \ |
| 34 | + freeipa.ansible_freeipa \ |
| 35 | + containers.podman |
| 36 | +ansible-playbook -i inventory.yml \ |
| 37 | + ${HOME}/.ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/install-cluster.yml |
| 38 | +``` |
| 39 | + |
| 40 | +The provided Keycloak container uses a self-signed certificate that is |
| 41 | +unkown to the IPA container. The certificate is found in the container |
| 42 | +`keycloak` at the path `/opt/keycloak/conf/cert.pem`. This certificate |
| 43 | +must be added to the list of trusted certificates on the `server` |
| 44 | +container. This can be achieved by executing: |
| 45 | + |
| 46 | +``` |
| 47 | +keycloak/trust_keycloak.sh server |
| 48 | +``` |
| 49 | + |
| 50 | +## Using Keycloak web interface |
| 51 | + |
| 52 | +Since the whole environment runs using rootles containers, in a Podman |
| 53 | +virtual network, direct access to the host ports is not possible, but |
| 54 | +can be achieved using `podman unshare`. For example, to _ssh_ into the |
| 55 | +container (if `sshd` is available) or to access the `httpd` server. |
| 56 | + |
| 57 | +When using [Firefox](https://mozilla.org/firefox) a profile is needed |
| 58 | +to access the containers URLs, and to ease access the script |
| 59 | +`scripts/open-firefox.sh` is provided. This script will manage the |
| 60 | +Firefox profile and call `firefox` with the proper configuration for |
| 61 | +`podman unshare`, allowing access to Keycloak and WebUI. |
| 62 | + |
| 63 | +Before starting Firefox, add the entries found in the generated `hosts` |
| 64 | +file to your machine `/etc/hosts` so the host names can be resolved. The |
| 65 | +file `hosts` has all the containers entries needed, add it with: |
| 66 | + |
| 67 | +``` |
| 68 | +sudo bash -c "cat hosts >> /etc/hosts" |
| 69 | +``` |
| 70 | + |
| 71 | +Start the Keycloak web interface with: |
| 72 | + |
| 73 | +``` |
| 74 | +scripts/open-firefox.sh https://keycloak.example.test:8443 |
| 75 | +``` |
| 76 | + |
| 77 | +In a similar fashion you can access the IPA WebUI with: |
| 78 | + |
| 79 | +``` |
| 80 | +scripts/open-firefox.sh https://server.ipa.test:443 |
| 81 | +``` |
| 82 | + |
| 83 | + |
| 84 | +## Setting up Keycloak as an External IDP for IPA |
| 85 | + |
| 86 | +In order to perform OAuth 2.0 device authorization grant flow against |
| 87 | +an IdP, an OAuth 2.0 client has to be registered with the IdP and a |
| 88 | +capability to allow the device authorization grant has to be given to it. |
| 89 | + |
| 90 | +On Keycloak, this is achieved by setting _OAuth 2.0 Device Authorization Grant_, |
| 91 | +in the _Authentication Flow_, to `true`. |
| 92 | + |
| 93 | +The configuration required for the Keycloak client is: |
| 94 | + |
| 95 | +```json |
| 96 | +{ |
| 97 | + "enabled" : true, |
| 98 | + "clientAuthenticatorType" : "client-secret", |
| 99 | + "redirectUris" : [ "https://${IPASERVER}/ipa/idp/*" ], |
| 100 | + "webOrigins" : [ "https://${IPASERVER}" ], |
| 101 | + "protocol" : "openid-connect", |
| 102 | + "attributes" : { |
| 103 | + "oauth2.device.authorization.grant.enabled" : "true", |
| 104 | + "oauth2.device.polling.interval": "5" |
| 105 | + } |
| 106 | +} |
| 107 | +``` |
| 108 | + |
| 109 | +Note that `oauth2.device.authorization.grant.enabled` is enabled. |
| 110 | + |
| 111 | +To create the OIDC client for Keycloak, you can use the script provided |
| 112 | +by `ipalab-config`. The script requires the IPA FQDN, an OIDC client ID |
| 113 | +and the OIDC client password. Execute: |
| 114 | + |
| 115 | +``` |
| 116 | +keycloak/keycloak_add_oidc_client.sh \ |
| 117 | + server.ipa.test \ |
| 118 | + ipa_oidc_client \ |
| 119 | + Secret123 |
| 120 | +``` |
| 121 | + |
| 122 | +Now, we can set the external IDP on IPA, either by using the `idp-add` |
| 123 | +CLI command, or with a playbook, using ansible-freeipa: |
| 124 | + |
| 125 | +``` |
| 126 | +ansible-playbook -i inventory.yml playbooks/idp_keycloak.yml |
| 127 | +``` |
| 128 | + |
| 129 | +## Testing the setup |
| 130 | + |
| 131 | +To test the setup, create a user on Keycloak using: |
| 132 | + |
| 133 | +``` |
| 134 | +keycloak/keycloak_add_user.sh jdoe [email protected] userPASS |
| 135 | +``` |
| 136 | + |
| 137 | +Perform login with user `jdoe` on Keycloak web interface: |
| 138 | + |
| 139 | +``` |
| 140 | +scripts/open-firefox.sh https://keycloak.example.test:8443/realms/master/account |
| 141 | +``` |
| 142 | + |
| 143 | +And add a user on IPA, with authorization through IDP: |
| 144 | + |
| 145 | +``` |
| 146 | +ansible-playbook -i inventory.yml playbooks/add_user_auth_idp.yml |
| 147 | +``` |
| 148 | + |
| 149 | +Now to authorize the new user, the commands should be execute on the |
| 150 | +`server` container: |
| 151 | + |
| 152 | +``` |
| 153 | +podman exec -it server bash |
| 154 | +``` |
| 155 | + |
| 156 | +On the `server`, execute: |
| 157 | + |
| 158 | +``` |
| 159 | +[server]$ kinit -n -c ./fast.ccache |
| 160 | +[server]$ kinit -T ./fast.ccache jdoe |
| 161 | +Authenticate at https://keycloak.example.test:8443/realms/master/device?user_code=GKTH-BJSS and press ENTER.: |
| 162 | +``` |
| 163 | + |
| 164 | +Copy the provided link to the same Firefox window as `jdoe` has logged in, and grant the required authorization. |
| 165 | + |
| 166 | +When back to the console, type ENTER, and if everything went fine, user will have a TGT for `jdoe` on IPA side: |
| 167 | + |
| 168 | +``` |
| 169 | +[server]$ klist -A |
| 170 | +Ticket cache: FILE:/tmp/krb5cc_0 |
| 171 | +Default principal: [email protected] |
| 172 | +
|
| 173 | +Valid starting Expires Service principal |
| 174 | +05/09/25 16:34:00 05/10/25 16:18:52 krbtgt/[email protected] |
| 175 | +``` |
| 176 | + |
| 177 | +## Troubleshooting |
| 178 | + |
| 179 | +If anything goes wrong, you can search `journalctl` for `ipa-otpd` |
| 180 | +entries. |
| 181 | + |
| 182 | +To increase the log level, set the `oidc_child` debug level in |
| 183 | +`/etc/ipa/default.conf` by setting: |
| 184 | + |
| 185 | +``` |
| 186 | +[global] |
| 187 | +oidc_child_debug_level=10 |
| 188 | +``` |
| 189 | + |
| 190 | +Valid values are between 0 and 10 and any value above 6 includes debug |
| 191 | +output from `libcurl` utility. |
0 commit comments