SSO
Note: This guide is mostly outdated. Please have a look at the Developer Guide instead – http://download.eclipse.org/kapua/docs/develop/developer-guide/en/sso.html
In order to set up OpenID Connect on the Kapua Console you will need to set up an OpenID Connect Identity Provider, i.e. an authentication server that holds the user authentication information, and configure the new Kapua Console (console-v2) to use that server as its identity provider. In this page we'll go through both tasks using Keycloak as the reference Identity Provider server.
Note: Keycloak administration guides and best practices are outside the scope of this Wiki. For more information, see the Keycloak documentation.
Download Keycloak

First you have to download Keycloak and run it. Go to the Keycloak download page and choose the Standalone distribution.
Configure and run Keycloak server

Once the download completes, extract the archive. If you need to configure the Keycloak server, such as its HTTP port or bind address, you can edit the file `standalone/configuration/standalone.xml`; once you are done, run the startup script:

```
$ bin/standalone.sh
```

The Keycloak server will start up and listen on the configured HTTP port. Open a web browser and point it at the Keycloak URL; you will be prompted to create the first Keycloak admin user. Proceed, then click on the "Administration console" link and use the credentials you just created to enter the Keycloak Administration Console.
Create a new Keycloak application

Once in the Keycloak Administration Console, click on the "Clients" section in the left menu, and then the "Create" button in the top right corner of the clients table. In the new page, enter a Client ID of your choice, be sure to select "openid-connect" as the protocol, then click on the Create button. Take note of the Client ID you enter here, because you will need to enter it later in the Kapua Console configuration file.
Configuring the Keycloak application

Now that the application has been created there are many more parameters that can be configured. However, you only have to make sure that the Enabled switch and the Standard Flow Enabled switch stay ON; additionally, enter `http://localhost:3000` (or the address where you will run the Kapua Console, if different) in the Valid Redirect URIs field. Set the "Access Type" to "public".

(Optional) Create a Keycloak user

Since Keycloak handles user authentication in a Single Sign On setup, it is the component that knows which user identities are entitled to log in to the Kapua Console. Even though you can use the same admin user we just created for the Keycloak Administration Console to log in to the Kapua Console, separate users should be configured to access the Kapua Console via Keycloak. To do so, just click on the "Users" section in the left menu of the Keycloak Administration Console, then click on "Add user" in the top right corner of the Users table.
In order to configure the Kapua GWT console you need to check, and edit if needed, some of the parameters in the file `console/src/main/resources/console-setting.properties`. These values are:

- `site.home.uri`: The URL of the Kapua Console homepage, which will be the final redirect location after a successful token exchange. Default value: `http://localhost:8889/console.jsp?gwt.codesvr=127.0.0.1:9997`
- `sso.enabled`: Whether or not to enable the SSO Login button. Default value: `true`
- `sso.openid.server.endpoint.auth`: The OpenID Connect Authorization Endpoint. Default value: `http://localhost:9090/auth/realms/master/protocol/openid-connect/auth`
- `sso.openid.server.endpoint.token`: The OpenID Connect Token Endpoint. Default value: `http://localhost:9090/auth/realms/master/protocol/openid-connect/token`
- `sso.openid.client.id`: The OpenID Connect application name (the Client ID). Default value: `console`
- `sso.openid.redirect.uri`: The location of the page that will receive the OpenID Connect Authorization Code and exchange it for an OpenID Connect Access Token. Default value: `http://localhost:8889/sso/callback`
- `authentication.credential.jwt.issuer.allowed`: The location of the allowed JWT issuer(s). Default value: `http://localhost:9090/auth/realms/master`
After changing any of these values, the Kapua GWT Console should be restarted.
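The settings above drive an OpenID Connect authorization-code login. The following added example (not Kapua's own code) walks the three steps with those default values: building the authorization request, reading the code back at `sso.openid.redirect.uri`, and accepting an ID token only when its issuer matches `authentication.credential.jwt.issuer.allowed`. It assumes the allowed-issuer property may hold a comma-separated list, and leaves out the HTTP call to the token endpoint and the JWT signature verification that precedes the claim checks.

```python
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Defaults copied from console-setting.properties as listed above.
SETTINGS = {
    "sso.openid.server.endpoint.auth":
        "http://localhost:9090/auth/realms/master/protocol/openid-connect/auth",
    "sso.openid.client.id": "console",
    "sso.openid.redirect.uri": "http://localhost:8889/sso/callback",
    "authentication.credential.jwt.issuer.allowed":
        "http://localhost:9090/auth/realms/master",
}


def build_authorization_url(settings, state, nonce):
    """Step 1: where the SSO button sends the browser. The state value ties the
    callback to this login attempt; the nonce ties the ID token to it."""
    params = {
        "response_type": "code",
        "client_id": settings["sso.openid.client.id"],
        "redirect_uri": settings["sso.openid.redirect.uri"],
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    return settings["sso.openid.server.endpoint.auth"] + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: Keycloak redirects to sso.openid.redirect.uri with code and state.
    Returns the authorization code to send to the token endpoint, or None when
    the state does not match or the provider reported an error."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query or query.get("state") != [expected_state]:
        return None
    return query.get("code", [None])[0]


def id_token_claims_acceptable(claims, settings, nonce, now=None):
    """Step 3: after the code exchange and signature check against the realm's
    JWKS (not shown), accept the ID token only if its issuer is allow-listed,
    it was issued for this client, it carries our nonce and it has not expired.
    Assumption: the allowed-issuer property may hold a comma-separated list."""
    now = time.time() if now is None else now
    allowed = [i.strip() for i in
               settings["authentication.credential.jwt.issuer.allowed"].split(",")]
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    return (claims.get("iss") in allowed
            and settings["sso.openid.client.id"] in aud
            and claims.get("nonce") == nonce
            and claims.get("exp", 0) > now)
```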
First of all, make sure that the Kapua Patternfly Console is compiled and ready to run by reading its README. Before starting it, open `console-v2/ui/src/kapua-console.config.json`. Here you have to configure the following fields:

- `oauth.currentIdentityProvider`: The name of the configuration section to be used.
- `oauth.customIdentityProviders.[sectionName]`: The beginning of a new configuration section. `oauth.currentIdentityProvider` must be equal to one of these keys.
- `oauth.customIdentityProviders.[sectionName].clientId`: The Client ID to present to Keycloak. Here you have to enter the Client ID you entered in step 3 (Create a new Keycloak application).
- `oauth.customIdentityProviders.[sectionName].redirectUri`: The URI to which Keycloak will redirect the browser after a successful authentication. Enter the base URI of the Kapua Console.
- `oauth.customIdentityProviders.[sectionName].authorizationEndpoint`: The Authorization Endpoint URI. This depends on how you configured the Identity Provider server; if you followed this Wiki page from the beginning it will be `http://[keycloak_server_uri]/auth/realms/master/protocol/openid-connect/auth`.
- `oauth.customIdentityProviders.[sectionName].url`: The URL of the page that will receive the Authorization Code from the Identity Provider and exchange it for an Access Token. Most of the time you only have to change the address if you run the Kapua Console on a different address and port, and leave the path unchanged.
- `login.mode`: Set it to `sso` to enable SSO login, or `both` to enable both SSO and username / password login.

Once you have configured these parameters you can run the Kapua Console application (again, read its README for more details).