TOC training KeyCloak Redhat SSO core

Table of contents of the KeyCloak - Redhat SSO core training course material.


Training Keycloak – Redhat SSO core, December 2018

Table of contents

1 History
2 Prerequisites
  2.1 Presentation
  2.2 Cloning RH-SSO quickstart examples
  2.3 Cloning Keycloak examples
    2.3.1 Clone Project
    2.3.2 Compiling Keycloak
3 Starting with RH-SSO
  3.1 Overview
  3.2 Prerequisite
  3.3 Installing RH-SSO from zip file
    3.3.1 Installation command
  3.4 RH-SSO Layout
  3.5 Starting RH-SSO
  3.6 Admin Account creation
  3.7 Realms
    3.7.1 Creating a new realm
    3.7.2 Create user1 in demo realm
  3.8 Installing JBoss EAP 7 server
  3.9 Starting JBoss EAP Server
  3.10 Installing RH-SSO JBoss Adapter
  3.11 Building and cloning RH-SSO sample
  3.12 Basic application login
  3.13 Registering the vanilla application with RH-SSO
  3.14 Displaying Keycloak Vanilla client information
  3.15 Updating vanilla application configuration to connect to RH-SSO
  3.16 Test of application
  3.17 Pointers
4 Using RH-SSO with client applications
  4.1 Overview
  4.2 Demo Template Example
  4.3 Realm demo preparation
    4.3.1 Creating realm demo
    4.3.2 Creating demo Roles
    4.3.3 Default Role
    4.3.4 Adding a user to the demo realm
  4.4 Adding Customer portal application
    4.4.1 Creating customer client application
    4.4.2 Inside Add Client window
    4.4.3 Customer-portal Client
    4.4.4 Client Credentials
    4.4.5 Customer-portal JSON file format
    4.4.6 Compiling customer-portal webapp
      Preparing customer-app directory
      Adding keycloak.json file
      Sources Modifications
      Compiling customer and deploying customer-app
    4.4.7 Logging in to customer-portal app
  4.5 Adding Product Portal
      Registering Product Portal
      Using JWKS URI for authentication
      Keycloak.json file
      JKS keystore (Information)
    4.5.1 Sources Modifications
    4.5.2 Compiling product portal app
    4.5.3 Connecting to product portal app
  4.6 Database service
    4.6.1 Adding database service client application
    4.6.2 Configuring Bearer-only authentication scheme
    4.6.3 keycloak.json file for Database Services
    4.6.4 Compiling and deploying database service
    4.6.5 Testing customer display with database services
  4.7 Common Mistake
  4.8 Pointers
5 Understanding OAuth2 and OpenID
  5.1 OAuth2 Presentation
  5.2 OAuth2 Elements
    5.2.1 OAuth Roles
    5.2.2 Tokens
    5.2.3 Scopes
    5.2.4 OAuth2 Flows
    5.2.5 Security
  5.3 Client Registration
  5.4 Authorization Code Grant
  5.5 Implicit Flow
  5.6 Resource Owner Password Credentials (ROPC)
6 Understanding OpenID Connect (OIDC)
  6.1 Overview
  6.2 OpenID sequence flow
  6.3 OpenID flows
  6.4 Authorization Code flow
  6.5 Implicit Flow
  6.6 ID token analysis
7 Debugging and analysing a RH-SSO example
  7.1 Overview
  7.2 RH-SSO quickstart app-jsp example
    7.2.1 Prerequisites
    7.2.2 app-jsp application creation
    7.2.3 Client configuration
    7.2.4 Client Credentials
    7.2.5 app-jsp JSON configuration export
    7.2.6 Deploying the app-jsp application
  7.3 Creating a user
    7.3.1 JSON file import
    7.3.2 Using the admin console
    7.3.3 Create Roles and User
  7.4 Login to the app
  7.5 Checking Request Headers and Response Headers of the /authenticate endpoint request
  7.6 Using jwt.io debugger
  7.7 Checking Cookie within Chrome
    7.7.1 Accessing the Chrome cookie
    7.7.2 Accessing the Firefox cookie
8 Using REST API with RH-SSO
  8.1 Presentation
  8.2 App-js application
  8.3 Realm endpoints - .well-known/openid-configuration
    8.3.1 RH-SSO endpoint URLs
    8.3.2 Using .well-known/openid-configuration
  8.4 admin-cli Client application
    8.4.1 Getting an admin Bearer token with the admin CLI
    8.4.2 Using admin Bearer Token in REST API query
      Get the top-level representation of the realm
    8.4.3 Using another admin user with admin-cli
    8.4.4 Listing the number of sessions present on a realm
  8.5 Using kcadm
    8.5.1 .keycloak registry
    8.5.2 Using kcadm
    8.5.3 Security measure with kcadm
  8.6 Usage of REST API with realm endpoints
    8.6.1 App-jsp information
    8.6.2 Performing a ROPC query to the /token endpoint
    8.6.3 Using the userinfo and introspect endpoints
  8.7 Using Refresh Token with ROPC
    8.7.1 ROPC query to generate access and refresh tokens
    8.7.2 Performing the query using the refresh token
  8.8 Using mod_auth_openidc
    8.8.1 Presentation
    8.8.2 Putting mod_auth_openidc in place
    8.8.3 Enabling mod_auth_openidc module with apache2
    8.8.4 Configuring RH-SSO Server for mod_auth_openidc
    8.8.5 Configuration of the realm external login – SSL set to none
    8.8.6 Configuration of mod_auth_openidc module
    8.8.7 Testing module mod_auth_openidc
9 Using OpenID protocol to connect to an IDP provider
  9.1 Presentation
  9.2 FranceConnect
    9.2.1 Register with FranceConnect
    9.2.2 Information display
  9.3 FranceConnect Endpoints
  9.4 Dummy test user IDP creation
  9.5 RH-SSO configuration + IDP post configuration
    9.5.1 Creation of an identity provider
  9.6 Configuring RH-SSO identity provider
  9.7 Adding identity provider mappers
  9.8 Post Configuration task of IDP configuration
  9.9 Tests
    9.9.1 Application Test
  9.10 Account Linking
10 SAML V2 Presentation
  10.1 What is SAML?
  10.2 SAML References
  10.3 SAML 2.0 in short
    10.3.1 SAML V2 features
    10.3.2 Major Key elements
  10.4 SAML Components
  10.5 SAML elements (used by RH-SSO)
    10.5.1 SP Element
    10.5.2 SP Keys and Key elements
    10.5.3 KeyStore element
    10.5.4 Key PEMs
    10.5.5 SP PrincipalNameMapping element
    10.5.6 RoleIdentifiers element
    10.5.7 IDP Element
    10.5.8 IDP SingleSignOnService sub-element
    10.5.9 IDP SingleLogoutService sub-element
    10.5.10 IDP Keys sub-element
  10.6 XML SAML Examples
    10.6.1 POST Request example
    10.6.2 Response Extract
11 SAML broker example with RH-SSO
  11.1 Presentation
  11.2 RH-SSO consideration
  11.3 Preparing RH-SSO – adding SAML adapter
  11.4 Adding SAML tracer to Firefox
  11.5 Launching RH-SSO
  11.6 Compiling and deploying the example
  11.7 Creating both realms in RH-SSO
  11.8 Understanding the SAML broker applications
    11.8.1 SAML Broker realm
    11.8.2 saml-broker-authentication-realm
  11.9 CORS enabled
  11.10 SAML Scenario in action
  11.11 Adding attribute mapper on the identity provider
  11.12 Checking details of a built-in member (givenName)
  11.13 Debugging SAML exchange
    11.13.1 Using Firefox plugin add-on
    11.13.2 Analyzing content of a response with SAML tracer
  11.14 Adding SAML attributes to the SP
  11.15 Complete Scenario
  11.16 User in saml-authentication-realm
12 SAML Integration with an external IDP (OKTA)
  12.1 Overview
  12.2 Configuring Okta as an IDP
    12.2.1 Create an OKTA account
    12.2.2 Configuring OKTA IDP
    12.2.3 Prepare Data for the SP
    12.2.4 Adjusting SAML Setting if necessary
    12.2.5 Registering a user with OKTA
  12.3 Configuring RH-SSO as a service provider
    12.3.1 Creating saml_okta_idp
    12.3.2 Adding Attribute mapper
  12.4 Using Federation
    12.4.1 Check users
    12.4.2 Log in to SP client application
    12.4.3 Checking Users
    12.4.4 Account Linking
13 Understanding Authorization Services with Redhat SSO
  13.1 Presentation
  13.2 Key Concepts of RH-SSO Authorization service
  13.3 Components of an Authorization Service
  13.4 Resources
  13.5 Authorization Scopes
  13.6 Policies
    13.6.1 Role Policy
    13.6.2 JavaScript Role
  13.7 photoz-restful-api Authorization Policies
  13.8 Permission
    13.8.1 Resource – policy permission match
    13.8.2 Scope – policy permission match
  13.9 Putting it all together – Tailoring authorization Service to your architecture needs
  13.10 Pointers
14 Using a simple RH-SSO Authorization example
  14.1 Securing a Servlet Application
  14.2 Creating a Realm and a User
      Enabling Authorization Services
  14.3 Build, Deploy, and Test Your Application
    14.3.1 Obtaining the Adapter Configuration
  14.4 Building and Deploying the Application
    14.4.1 Testing the Application
15 Authorization access using Role-based users
  15.1 Overview
  15.2 Using the Keycloak authz example
    15.2.1 Source location
    15.2.2 Adapting example sources to RH-SSO infrastructure
  15.3 Installing servlet-authz-example in RH-SSO server
    15.3.1 Realm creation
    15.3.2 Importing Authorization
    15.3.3 Adapting RH-SSO clients URLs
  15.4 Compiling and deploying servlet-authz sources
  15.5 Authorization example test
    15.5.1 Logging in with restricted privileges
    15.5.2 Using Premium Users
  15.6 Detailed authorization scheme analysis
    15.6.1 Resources
    15.6.2 Scopes
    15.6.3 Policies
    15.6.4 Permission
      Resource-based permission
      Scope permission policies
16 Fine-Grain Authorization – UMA policy
  16.1 Presentation
  16.2 UMA Authorisation Service documentation
  16.3 About the Example Application
  16.4 Building the keycloak/auth/photoz example
    16.4.1 Creating the photoz-realm
    16.4.2 Build examples
    16.4.3 Import Photoz server resource permission
  16.5 Deploy and Run the Example Applications
    16.5.1 Example (logged in as Alice)
    16.5.2 Example (logged in as Admin)
    16.5.3 Misc about the examples
17 RH-SSO LDAP integration
  17.1 Presentation
  17.2 Pointers
  17.3 Keycloak LDAP example
    17.3.1 Overview
    17.3.2 Building and deploying demo LDAP application
  17.4 Examining the LDAP example using JXplorer
    17.4.1 Connecting with JXplorer to the LDAP instance
    17.4.2 Displaying Roles at LDAP level
  17.5 Creating ldap-portal realm (manual creation)
    17.5.1 ldap-test realm creation
    17.5.2 Adding LDAP Provider to the ldap-test realm
    17.5.3 Configuring LDAP Provider
    17.5.4 RH-SSO LDAP synchronization policy
    17.5.5 Mappers
  17.6 ldap-demo realm (JSON import)
  17.7 Building and Deploying ldap-portal webapp
    17.7.1 Modifications
    17.7.2 Changes to be done
  17.8 Logging in to RH-SSO
    17.8.1 RH-SSO ldap-demo login page
    17.8.2 Logging in to the ldap demo webapp
18 Relational Database Setup
  18.1 Presentation
  18.2 PostgreSQL DB installation and preparation
    18.2.1 Installing PostgreSQL (Ubuntu)
    18.2.2 Installing PostgreSQL (RedHat Linux)
    18.2.3 Change postgresql
password.......................................................................................278 18.2.4 pg_hba.conf update.....................................................................................................278 18.2.5 Authentication test......................................................................................................279
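The objects listed under 15.6 (resources, scopes, policies, resource-based and scope-based permissions) and the owner-only sharing of the photoz example in chapter 16 are easier to reason about with a small evaluator in hand. The following Python model is an added illustration, not Keycloak code: the decision logic is a reduced form of what a Keycloak / RH-SSO resource server does (per-permission decision strategy, resource-server AFFIRMATIVE combination, ENFORCING versus PERMISSIVE enforcement mode), and every user, role, resource, scope and permission name in it is constructed for the example.

```python
"""Simplified model of how a Keycloak / RH-SSO resource server decides a request,
built from the objects under 15.6 (resources, scopes, policies, resource-based
and scope-based permissions) plus the owner-only rule that the photoz example
of chapter 16 implements with a JavaScript policy.

Added illustration, not Keycloak code: the evaluator is a reduced form of the
real one, and every user, role, resource and permission below is constructed.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List


@dataclass(frozen=True)
class Identity:
    username: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Resource:
    name: str
    owner: str
    scopes: FrozenSet[str]           # the actions the resource server protects


# A policy is a predicate over (identity, resource). Keycloak also ships user,
# group, client, time, aggregated and JS policies; two kinds are enough here.
Policy = Callable[[Identity, Resource], bool]


def role_policy(*roles: str) -> Policy:
    """Grant when the identity holds any listed role (Keycloak's default)."""
    wanted = frozenset(roles)
    return lambda identity, _resource: bool(identity.roles & wanted)


def owner_policy() -> Policy:
    """Grant only to the resource owner."""
    return lambda identity, resource: identity.username == resource.owner


@dataclass
class Permission:
    name: str
    policies: List[Policy]
    resources: FrozenSet[str] = frozenset()   # empty: applies to every resource
    scopes: FrozenSet[str] = frozenset()      # empty: resource-based, all scopes
    decision_strategy: str = "UNANIMOUS"      # or AFFIRMATIVE / CONSENSUS

    def applies_to(self, resource: Resource, scope: str) -> bool:
        if self.resources and resource.name not in self.resources:
            return False
        return not self.scopes or scope in self.scopes

    def grants(self, identity: Identity, resource: Resource) -> bool:
        votes = [policy(identity, resource) for policy in self.policies]
        if not votes:
            return False                       # a permission with no policy denies
        if self.decision_strategy == "AFFIRMATIVE":
            return any(votes)
        if self.decision_strategy == "CONSENSUS":
            return votes.count(True) > votes.count(False)
        return all(votes)                      # UNANIMOUS


class ResourceServer:
    """Combine permissions like a resource server with the default AFFIRMATIVE
    decision strategy: one granting permission is enough."""

    def __init__(self, resources, permissions, enforcement_mode="ENFORCING"):
        self.resources = {r.name: r for r in resources}
        self.permissions = permissions
        self.enforcement_mode = enforcement_mode   # ENFORCING or PERMISSIVE

    def is_allowed(self, identity: Identity, resource_name: str, scope: str) -> bool:
        resource = self.resources.get(resource_name)
        if resource is None or scope not in resource.scopes:
            return False                       # unknown resource or scope: deny
        applicable = [p for p in self.permissions if p.applies_to(resource, scope)]
        if not applicable:
            # Nothing protects this (resource, scope) pair: ENFORCING denies,
            # PERMISSIVE allows. Adding a scope without a permission is the
            # classic way an ENFORCING server silently starts denying.
            return self.enforcement_mode == "PERMISSIVE"
        return any(p.grants(identity, resource) for p in applicable)


# Constructed sample data in the spirit of the photoz album example.
ALBUM_SCOPES = frozenset({"album:view", "album:delete", "album:share"})
RESOURCES = [Resource("Alice Album", "alice", ALBUM_SCOPES),
             Resource("Carol Album", "carol", ALBUM_SCOPES)]
PERMISSIONS = [
    Permission("View own album", [owner_policy()], scopes=frozenset({"album:view"})),
    Permission("Admin views all", [role_policy("admin")], scopes=frozenset({"album:view"})),
    # UNANIMOUS: deleting needs the owner AND the premium role
    Permission("Delete own album", [owner_policy(), role_policy("premium")],
               scopes=frozenset({"album:delete"})),
    # album:share is deliberately left without any permission
]
ALICE = Identity("alice", frozenset({"user"}))
CAROL = Identity("carol", frozenset({"user", "premium"}))
ADMIN = Identity("admin", frozenset({"admin"}))


def decide(enforcement_mode: str = "ENFORCING") -> dict:
    """Decision table for the sample data; keys are (user, resource, scope)."""
    server = ResourceServer(RESOURCES, PERMISSIONS, enforcement_mode)
    checks = [(ALICE, "Alice Album", "album:view"),
              (ALICE, "Carol Album", "album:view"),
              (ADMIN, "Alice Album", "album:view"),
              (ADMIN, "Alice Album", "album:delete"),    # not the owner
              (ALICE, "Alice Album", "album:delete"),    # owner but not premium
              (CAROL, "Carol Album", "album:delete"),    # owner and premium
              (ALICE, "Alice Album", "album:share"),     # scope without permission
              (ALICE, "Alice Album", "album:print")]     # scope not on resource
    return {(i.username, r, s): server.is_allowed(i, r, s) for i, r, s in checks}


if __name__ == "__main__":
    for mode in ("ENFORCING", "PERMISSIVE"):
        print(mode)
        for key, allowed in decide(mode).items():
            print("  %-45s %s" % (key, "PERMIT" if allowed else "DENY"))
```

Running it in both modes shows the two things worth remembering from 15.6: a scope-based permission with UNANIMOUS strategy denies the owner who lacks the premium role, and a scope that no permission covers (album:share here) is denied under ENFORCING but allowed under PERMISSIVE, which is why enforcement mode must be checked whenever scopes are added to a resource.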
18.3 Creating the keycloak DB
18.4 PostgreSQL RDBMS with RH-SSO
18.4.1 PostgreSQL driver download
18.4.2 PostgreSQL driver installation
18.4.3 module.xml file
18.4.4 JDBC driver update
18.4.5 Driver section update
18.4.6 Datasource section update
18.5 Testing the whole setup
19 Importing/Exporting the Keycloak configuration
19.1 Presentation
19.2 Import/export commands
19.2.1 Exporting to a single file
19.2.2 Exporting to a directory
19.2.3 Imports
19.3 Options
20 RH-SSO Security
20.1 Security Best Practices
20.2 Defining the Keystore
20.2.1 PKI – Self-signed Cert – CA Authority
20.3 SSL – Keystore (Inbound Requests)
20.3.1 Generating a self-signed cert
20.3.2 Customizing standalone.xml with SSL
20.4 Checking the RH-SSO HTTPS connection
20.4.1 Starting the RH-SSO Server
20.4.2 Checking the SSL connection using openssl
20.4.3 Checking the HTTPS connection
20.5 TrustStore (Outbound Requests)
20.6 Differences between using self-signed and CA-signed certificates
21 RH-SSO Networking
21.1 RH-SSO Port presentation – standalone.xml (standalone-ha.xml)
21.2 Usage of each port
21.3 Disabling HTTP and AJP for RH-SSO
21.4 RH-SSO Multicast Groups
21.5 RH-SSO multicast Group with clustering
21.5.1 JGroups – multicast
21.5.2 mod_cluster – multicast
22 RH-SSO Clustering Operating Modes
22.1 Presentation
22.2 Standalone cluster mode
22.2.1 Standalone clustered mode layout
22.3 Getting useful values from standalone-ha.xml
22.3.1 Starting a standalone cluster node
22.3.2 Implications of using clustering mode standalone-ha.xml
22.4 Domain clustered mode
22.4.1 Domain cluster layout
22.4.2 Master Node
22.4.3 Slave node
22.5 Clustered Domain Example
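Chapter 19 produces a JSON realm export and 20.1 lists security best practices; the two meet naturally in a script that reads the export and flags the settings that matter (sslRequired, brute force detection, wildcard redirect URIs and web origins, direct access grants on public clients, the implicit flow, and client secrets left in the file). The following Python audit is an added example, not part of the course or of Keycloak: the attribute names are those of the Keycloak realm representation, while the severities, the 15-minute token lifespan threshold and the sample realm are constructed for the example.

```python
"""Audit a Keycloak / RH-SSO realm export (the JSON written by the chapter 19
export commands) for the settings chapter 20.1 groups under best practices.

Added example, not Keycloak tooling. Attribute names follow the realm
representation (sslRequired, bruteForceProtected, accessTokenLifespan,
clients[].publicClient/redirectUris/webOrigins/directAccessGrantsEnabled/
implicitFlowEnabled/secret); severities, the lifespan threshold and the
sample realm below are constructed for the example.
"""
import json
import sys
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]          # (severity, subject, code)
LOCALHOST_PREFIXES = ("http://localhost", "http://127.0.0.1")


def audit_realm(realm: Dict) -> List[Finding]:
    """Return findings for one realm representation (a dict from the export)."""
    out: List[Finding] = []
    subject = "realm:%s" % realm.get("realm", "?")

    ssl = realm.get("sslRequired", "external")     # Keycloak values: none/external/all
    if ssl == "none":
        out.append(("HIGH", subject, "ssl-required-none"))
    elif ssl != "all":
        out.append(("LOW", subject, "ssl-required-not-all"))
    if not realm.get("bruteForceProtected", False):
        out.append(("MEDIUM", subject, "brute-force-disabled"))
    if realm.get("accessTokenLifespan", 300) > 900:  # seconds; 15 min is our threshold
        out.append(("LOW", subject, "access-token-lifespan"))

    for client in realm.get("clients", []):
        if not client.get("enabled", True):
            continue                                 # a disabled client cannot be abused
        csub = "client:%s" % client.get("clientId", "?")
        public = client.get("publicClient", False)
        for uri in client.get("redirectUris", []):
            if uri == "*":
                out.append(("HIGH", csub, "wildcard-redirect"))
            elif uri.startswith("http://") and not uri.startswith(LOCALHOST_PREFIXES):
                out.append(("MEDIUM", csub, "http-redirect"))
        if "*" in client.get("webOrigins", []):
            out.append(("MEDIUM", csub, "wildcard-web-origin"))
        if public and client.get("directAccessGrantsEnabled", False):
            out.append(("MEDIUM", csub, "public-direct-grant"))
        if client.get("implicitFlowEnabled", False):
            out.append(("MEDIUM", csub, "implicit-flow"))
        if not public and client.get("secret") and not set(client["secret"]) <= {"*"}:
            # a migration export carries the real client secret; the admin
            # console export masks it with "**********", which is skipped here
            out.append(("HIGH", csub, "secret-in-export"))
    return out


def audit_export(text: str) -> List[Finding]:
    """Accept a single-file export: one realm object or a list of realms."""
    data = json.loads(text)
    realms = data if isinstance(data, list) else [data]
    findings: List[Finding] = []
    for realm in realms:
        findings.extend(audit_realm(realm))
    return findings


# Constructed sample export: realm and client names are invented for this example.
SAMPLE_EXPORT = json.dumps([{
    "realm": "ldap-demo",
    "enabled": True,
    "sslRequired": "none",
    "bruteForceProtected": False,
    "accessTokenLifespan": 3600,
    "clients": [
        {"clientId": "ldap-portal", "enabled": True, "publicClient": True,
         "directAccessGrantsEnabled": True, "implicitFlowEnabled": False,
         "redirectUris": ["*"], "webOrigins": ["*"]},
        {"clientId": "app-backend", "enabled": True, "publicClient": False,
         "secret": "constructed-secret-not-real", "implicitFlowEnabled": True,
         "redirectUris": ["http://backend.internal/callback", "http://localhost:8080/*"],
         "webOrigins": []},
        {"clientId": "legacy", "enabled": False, "publicClient": True,
         "redirectUris": ["*"]},
    ],
}])


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for severity, subject, code in audit_export(text):
        print("%-6s %-22s %s" % (severity, subject, code))
```

Run it without arguments to see the nine findings on the constructed realm, or pass the path of a real single-file export (in this Keycloak generation produced by starting the server with -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=<file>). The secret-in-export check is the one most worth keeping: such an export is a credential store and must be protected like one.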
22.5.1 Configuring the slave secret key
22.6 Creating an admin master user
22.6.1 Adding an admin user using add-user-keycloak.sh
22.6.2 Adding keycloak-add-user.json to the master server
22.7 Starting Servers
22.7.1 Starting the master
22.7.2 Starting the slave
22.8 Add app_vanilla profile client application to the clustered
22.9 Limitations of the domain cluster example
23 Using mod_cluster with a Standalone HA cluster deployment
23.1 Presentation
23.2 mod_cluster – Apache software load balancer
23.2.1 Presentation
23.2.2 mod_cluster and multicast group
23.2.3 mod_cluster with RH-SSO
23.3 Clustering standalone HA example
23.3.1 Presentation
23.3.2 Limitation
23.3.3 Setting RH-SSO "Require SSL" to none
23.3.4 mod_cluster configuration
23.3.5 Commands used
23.3.6 Testing mod_cluster
23.4 Testing application failover
24 SPI testing integration – Highly available environment
24.1 Overview
24.2 Event SPI
24.2.1 Deploying the Jar file
24.2.2 Registering the SPI in standalone-ha.xml
24.3 SPI various use cases
24.3.1 Use case 1 – Both nodes are UP
24.3.2 Use case 2 – Node1 brought down
24.4 SPI interaction with Keycloak in clustering mode
25 RH-SSO Clustering best practices – Recommendations
