From 6b3f2711cb93f4e06f287f2e25cffefa62247901 Mon Sep 17 00:00:00 2001 From: root Date: Wed, 5 May 2021 20:04:32 +0200 Subject: [PATCH] Moved the SAML integration to digitaldemocratic docs --- SAML_README.md | 251 ------------------------------------------------- 1 file changed, 251 deletions(-) delete mode 100644 SAML_README.md diff --git a/SAML_README.md b/SAML_README.md deleted file mode 100644 index 61bef69..0000000 --- a/SAML_README.md +++ /dev/null 
@@ -1,251 +0,0 @@ -# KEYCLOAK - -## Create sample users - -1. https://sso. - -# Moodle - -1. Activate SAML2 plugin -2. Regenerate SP certificate: https://moodle./auth/saml2/regenerate.php and lock it down -3. Download SAML2 Service Provider xml: https://moodle./auth/saml2/sp/metadata.php -4. Import this SP in keycloak IDP: https://sso./auth/admin/master/console/#/create/client/poc -5. Add builtin email, givenname and surname field mappers (https://sso./auth/admin/master/console/#/realms/poc/clients/b7781aac-5aa5-441a-8af5-aca7cc0a1daf/mappers) -6. Copy keycloak SAML IDP xml data (https://sso./auth/realms/poc/protocol/saml/descriptor) to moodle (IdP metadata xml OR public xml URL: https://moodle./admin/settings.php?section=authsettingsaml2). Note that you should copy it from a text editor, not the content from the browser view! - -## Configuration - -- Auto create users: Yes -- Role Mapping: Configure the same roles you created in keycloak for users (administratos, course creators and managers) -- Mapping idP: username -- Data mapping: (with this fields moodle will skip user profile fill as this three are the only required) - - Name: givenName - - Surname(s): sn - - Email: email -- Dual login: No - - This will redirect moodle login automatically to keycloak login. To access as local moodle admin add to url: /login/index.php?saml=off - -At keycloak side create a basic user property 'username' for this client mappers. - -## Fields returned from keycloak - -Authed! 
- -array(3) { - ["sn"]=> - array(1) { - [0]=> - string(5) "admin" - } - ["givenName"]=> - array(1) { - [0]=> - string(5) "admin" - } - ["Role"]=> - array(6) { - [0]=> - string(20) "manage-account-links" - [1]=> - string(12) "view-profile" - [2]=> - string(6) "admins" - [3]=> - string(14) "offline_access"https://github.com/bigbluebutton/bigbluebutton/issues/9406 - [4]=> - string(17) "uma_authorization" - [5]=> - string(14) "manage-account" - } -} -IdP: https://sso./auth/realms/poc - -Groups could be added by adding the correct mapping in keycloak moodle client? - -## SAML2 Plugin development environment - -All this have to be done as the image doesn't let html external folder mounted as volume (image doesn't use root) - -1. Start isard-apps-moodle docker with default config. Wait for moodle to be ready. -2. Enter docker and copy html to external folder: - 1. docker exec -ti isard-apps-moodle /bin/sh - 2. cd /var/www/html - 3. mkdir /var/www/moodledata/html - 4. cp -R . /var/www/moodledata/html - -Now you open two terminals: - -- docker exec -ti isard-apps-moodle /bin/sh -- docker logs isard-apps-moodle --follow - -You can edit saml2 plugin from host (/opt/isard-office/moodle/data/html/auth/saml2) and copy it to the current html folder: - -- /var/www/html/auth/saml2 $ cp -R /var/www/moodledata/html/auth/saml2/* . - -When you finish developing get the new plugin code into a zip and in the correct src folder: - -- cd ${DATA_FOLDER}/moodle/data/html/auth/ && zip -r /isard-office/docker/moodle/plugins/auth_saml2.zip saml2 - -## SAML2 Plugin src - -The modified source files are: - -- auth.php (lines 570 to 595, sync_roles call added) -- locallib.php (function sync_roles) - -Also the common plugin setup fields and lang strings: - -- settings.php (lines 314 to 333) -- lang/en/auth_saml2.php (lines 24 to 29) - - - -# NEXTCLOUD - -TODO: Does not map email nor friendlyname (display name). Also not tested to add quota field in keycloak and map it to nextcloud. 
- -(guide: https://janikvonrotz.ch/2020/04/21/configure-saml-authentication-for-nextcloud-with-keycloack/) - -1. Get keycloak realm RSA Certificate (not public key): https://sso./auth/admin/master/console/#/realms/poc/keys -2. Generate Nextcloud SP keys: openssl req -nodes -new -x509 -keyout private.key -out public.cert -3. Install saml plugin. Select integrated configuration at first config page. -4. Configure at: https://nextcloud./settings/admin/saml - 1. General - 1. Attribute to map de UID to.: username - 2. Optioinal display name...: anything - 2. Service Provider Data (With BEGIN/END tags!) - 1. x509: public.key (generated before) - 2. Private key: private.key (generated before) - 3. Identity Provider Data - 1. Identifier of the IdP: https://sso./auth/realms/master - 2. URL target of the IdP: https://sso./auth/realms/master/protocol/saml - 3. URL Location of the IdP SLO request: https://sso./auth/realms/poc/protocol/saml - 4. Public X.509 certificate: (The RSA Certificate from keycloak at step 1). - 4. Attribute mapping - 1. email: email - 2. user groups: Role - 5. Security Settings (check only this) - 1. Signatures and encryption offered - 1. AuthnRequest - 2. logoutRequest - 3. logoutResponse - 2. Signatures and encryption required - 1. Response - 2. Assertion [Metadata of the SP will offer this info] - -Now click at Download metadata XML and upload to Keycloak new client. - -1. Add Client - 1. Client SAML Endpoint: https://sso./auth/realms/poc -2. Mappers [[ ONLY USERNAME and ROLES WORKING. Nextcloud doesn't get email]] - 1. Name: `username` - Mapper Type: *User Property* - Property: `username` - Friendly Name: `username` - SAML Attribute Name: `username` - SAML Attribute NameFormat: *Basic* - 2. Add builtins:Name: `email` - Mapper Type: *User Property* - Property: `email` - Friendly Name: `email` - SAML Attribute Name: `email` - SAML Attribute NameFormat: *Basic* - 3. 
Name: `roles` - Mapper Type: *Role List* - Role attribute name: `Roles` - Friendly Name: `Roles` - SAML Attribute NameFormat: *Basic* - Single Role Attribute: *On* - -[Not needed?] -This is in left menĂº Client Scopes - -In addition the *Single Role Attribute* option needs to be enabled in a different section. Navigate to *Configure > Client scopes > role_list > Mappers > role_list* and toggle the *Single Role Attribute* to *On*. - -https://sso./auth/admin/master/console/#/realms/poc/client-scopes/4d5db543-f636-44d4-b250-c7fa902ab454/mappers/83dff066-9ecc-4785-8a56-b83373f1c9d2 - - - -https://nextcloud./login?direct=1 - -## Debug - -Edit /opt/isard-office/nextcloud/html/config/config.php - - true, - -# Big Blue Button - -TODO: - -- Audio fails with docker in iptables=false and managed by firewalld in masquerade mode. This is due to coturn that doesn't like being behind nat. -- Firewalld + BBB: As BBB will 'take' the host interface we should: - - Remove /etc/docker/daemon.json the iptables: false - - firewall-cmd --zone=public --remove-interface=docker0 --permanent - - firewall-cmd --zone=docker --add-interface=docker0 --permanent - - Now the docker applies iptables as per container. Note that we don't have control over this from now on. -- Scalelite -- Script creation of base debian with virt-install and then replicate BBBs (partially done) - -## WORDPRESS -Client Id in keycloak has to be 'php-saml' if not set at wordpress saml plugin. - -1. Install OneLogin SAML plugin -2. STATUS - 1. Enable -3. IDENTITY PROVIDER SETTINGS - 1. iDp ENTITY ID: Anything you want - 1. SSO Service Url: https://sso.digitaldemocratic.net/auth/realms/master/protocol/saml - 2. SLO Service Url: https://sso.digitaldemocratic.net/auth/realms/master/protocol/saml - 3. X.509 Certificate: Copy the Certificate (not the Public key) from the keycloak realm (https://sso.digitaldemocratic.net/auth/admin/master/console/#/realms/master/keys) without the begin/end lines in the cert. -4. OPTIONS - 1. 
Create user if not exists - 2. Update user data - 3. Force SAML login (To access as admin look for the url at the end of this part) - 4. Single Log Out - 5. Match Wordpress account by: username ??? -5. ATTRIBUTE MAPPING - 1. Username: username - 2. Email: email - 4. First Name: givenName - 5. Last Name: sn - 6. Role: Role -6. ROLE MAPPING - 1. Administrator: admins - 2. Editor: managers - 3. Author: coursecreators - ... - 4. Multiple role values...: true -7. CUSTOMIZE ACTIONS AND LINKS - 1. Stay in WordPress after SLO -8. ADVANCED SETTINGS - 1. Sign AuthnRequest - 2. Sign LogoutRequest - 3. Sign LogoutResponse - 4. Service Provider X.509 Certificate & Service Provider Private Key: Generate both and paste it without the begin/end lines: - openssl req -nodes -new -x509 -keyout private.key -out public.cert - -9. Download Service Provider metadata from top and add it to keycloak -10. Keycloak client mappers: - 1. Name: `username` - Mapper Type: *User Property* - Property: `username` - Friendly Name: `username` - SAML Attribute Name: `username` - SAML Attribute NameFormat: *Basic* - 2. Add builtins:Name: `email` - Mapper Type: *User Property* - Property: `email` - Friendly Name: `email` - SAML Attribute Name: `email` - SAML Attribute NameFormat: *Basic* - 3. Name: `roles` - Mapper Type: *Role List* - Role attribute name: `Roles` - Friendly Name: `Roles` - SAML Attribute NameFormat: *Basic* - Single Role Attribute: *On* - -https://wp./wp-login.php?normal \ No newline at end of file
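Review bot: The deletion hunk for SAML_README.md leaves no pointer to where the content went; the commit message only says "digitaldemocratic docs", so add the destination URL or path to the commit message or keep a one-line SAML_README.md stub that links to it, otherwise the local-admin fallback logins that the file documented (`/login/index.php?saml=off` for Moodle, `/login?direct=1` for Nextcloud, `/wp-login.php?normal` for WordPress) and the hardening choices it recorded (Nextcloud "Signatures and encryption required: Response, Assertion"; WordPress "Sign AuthnRequest / LogoutRequest / LogoutResponse") are no longer reachable from this repository. Two inconsistencies in the removed text should be fixed in the destination rather than carried over: in the Nextcloud "Identity Provider Data" block, "Identifier of the IdP" and "URL target of the IdP" point at `realms/master` while "URL Location of the IdP SLO request" points at `realms/poc`, which is either a typo or a real IdP/SLO mismatch, and the WordPress item "Match Wordpress account by: username ???" is left unresolved. Also note that removing the file from HEAD does not remove it from history: the Keycloak client and client-scope UUIDs, the `sso.digitaldemocratic.net` hostname and the `poc`/`master` realm names remain in this commit's parent, so if part of the intent was to stop publishing those identifiers, that needs a history rewrite, not just this delete.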