# KEYCLOAK

## Create sample users

1. https://sso.<domain>

# Moodle

1. Activate SAML2 plugin
2. Regenerate SP certificate: https://moodle.<domain>/auth/saml2/regenerate.php and lock it down
3. Download SAML2 Service Provider xml: https://moodle.<domain>/auth/saml2/sp/metadata.php
4. Import this SP in keycloak IDP: https://sso.<domain>/auth/admin/master/console/#/create/client/poc
5. Add builtin email, givenname and surname field mappers (https://sso.<domain>/auth/admin/master/console/#/realms/poc/clients/b7781aac-5aa5-441a-8af5-aca7cc0a1daf/mappers)
6. Copy keycloak SAML IDP xml data (https://sso.<domain>/auth/realms/poc/protocol/saml/descriptor) to moodle (IdP metadata xml OR public xml URL: https://moodle.<domain>/admin/settings.php?section=authsettingsaml2). Note that you should copy it from a text editor, not the content from the browser view!

## Configuration

- Auto create users: Yes
- Role Mapping: Configure the same roles you created in keycloak for users (administratos, course creators and managers)
- Mapping idP: username
- Data mapping: (with this fields moodle will skip user profile fill as this three are the only required)
  - Name: givenName
  - Surname(s): sn
  - Email: email
- Dual login: No 
  - This will redirect moodle login automatically to keycloak login. To access as local moodle admin add to url: /login/index.php?saml=off

At keycloak side create a basic user property 'username' for this client mappers.

## Fields returned from keycloak

Authed!

array(3) {
  ["sn"]=>
  array(1) {
    [0]=>
    string(5) "admin"
  }
  ["givenName"]=>
  array(1) {
    [0]=>
    string(5) "admin"
  }
  ["Role"]=>
  array(6) {
    [0]=>
    string(20) "manage-account-links"
    [1]=>
    string(12) "view-profile"
    [2]=>
    string(6) "admins"
    [3]=>
    string(14) "offline_access"https://github.com/bigbluebutton/bigbluebutton/issues/9406
    [4]=>
    string(17) "uma_authorization"
    [5]=>
    string(14) "manage-account"
  }
}
IdP: https://sso.<domain>/auth/realms/poc

Groups could be added by adding the correct mapping in keycloak moodle client?

## SAML2 Plugin development environment

All this have to be done as the image doesn't let html external folder mounted as volume (image doesn't use root)

1. Start isard-apps-moodle docker with default config. Wait for moodle to be ready.
2. Enter docker and copy html to external folder:
   1. docker exec -ti isard-apps-moodle /bin/sh
   2. cd /var/www/html
   3. mkdir /var/www/moodledata/html
   4. cp -R . /var/www/moodledata/html

Now you open two terminals:

- docker exec -ti isard-apps-moodle /bin/sh
- docker logs isard-apps-moodle --follow

You can edit saml2 plugin from host (/opt/isard-office/moodle/data/html/auth/saml2) and copy it to the current html folder:

- /var/www/html/auth/saml2 $ cp -R /var/www/moodledata/html/auth/saml2/* .

When you finish developing get the new plugin code into a zip and in the correct src folder:

- cd ${DATA_FOLDER}/moodle/data/html/auth/ && zip -r <src git path>/isard-office/docker/moodle/plugins/auth_saml2.zip saml2

## SAML2 Plugin src

The modified source files are:

- auth.php (lines 570 to 595, sync_roles call added)
- locallib.php (function sync_roles)

Also the common plugin setup fields and lang strings:

- settings.php (lines 314 to 333)
- lang/en/auth_saml2.php (lines 24 to 29)



# NEXTCLOUD

TODO: Does not map email nor friendlyname (display name). Also not tested to add quota field in keycloak and map it to nextcloud.

(guide: https://janikvonrotz.ch/2020/04/21/configure-saml-authentication-for-nextcloud-with-keycloack/)

1. Get keycloak realm RSA Certificate (not public key): https://sso.<domain>/auth/admin/master/console/#/realms/poc/keys
2. Generate Nextcloud SP keys: openssl req  -nodes -new -x509  -keyout private.key -out public.cert
3. Install saml plugin. Select integrated configuration at first config page.
4. Configure at: https://nextcloud.<domain>/settings/admin/saml
   1. General
      1. Attribute to map de UID to.: username
      2. Optioinal display name...: anything
   2. Service Provider Data (With BEGIN/END tags!)
      1. x509: public.key (generated before)
      2. Private key: private.key (generated before)
   3. Identity Provider Data
      1. Identifier of the IdP: https://sso.<domain>/auth/realms/master
      2. URL target of the IdP: https://sso.<domain>/auth/realms/master/protocol/saml
      3. URL Location of the IdP SLO request: https://sso.<domain>/auth/realms/poc/protocol/saml
      4. Public X.509 certificate: (The RSA Certificate from keycloak at step 1). 
   4. Attribute mapping
      1. email: email
      2. user groups: Role
   5. Security Settings (check only this)
      1. Signatures and encryption offered
         1. AuthnRequest
         2. logoutRequest
         3. logoutResponse
      2. Signatures and encryption required
         1. Response
         2. Assertion [Metadata of the SP will offer this info]

Now click at Download metadata XML and upload to Keycloak new client.

1. Add Client
   1. Client SAML Endpoint: https://sso.<domain>/auth/realms/poc
2. Mappers  [[ ONLY USERNAME and ROLES WORKING. Nextcloud doesn't get email]]
   1. Name: `username`
         Mapper Type: *User Property*
         Property: `username`
         Friendly Name: `username`
         SAML Attribute Name: `username`
         SAML Attribute NameFormat: *Basic*
   2. Add builtins:Name: `email`
         Mapper Type: *User Property*
         Property: `email`
         Friendly Name: `email`
         SAML Attribute Name: `email`
         SAML Attribute NameFormat: *Basic*
   3. Name: `roles`
         Mapper Type: *Role List*
         Role attribute name: `Roles`
         Friendly Name: `Roles`
         SAML Attribute NameFormat: *Basic*
         Single Role Attribute: *On*

[Not needed?]
This is in left menú Client Scopes

In addition the *Single Role Attribute* option needs to be enabled in a different section. Navigate to *Configure > Client scopes > role_list > Mappers > role_list* and toggle the *Single Role Attribute* to *On*.

https://sso.<domain>/auth/admin/master/console/#/realms/poc/client-scopes/4d5db543-f636-44d4-b250-c7fa902ab454/mappers/83dff066-9ecc-4785-8a56-b83373f1c9d2



https://nextcloud.<domain>/login?direct=1

## Debug

Edit /opt/isard-office/nextcloud/html/config/config.php

<?php
$CONFIG = array (
  'debug' => true,

# Big Blue Button

TODO:

- Audio fails with docker in iptables=false and managed by firewalld in masquerade mode. This is due to coturn that doesn't like being behind nat.
- Firewalld + BBB: As  BBB will 'take' the host interface we should:
  - Remove /etc/docker/daemon.json the iptables: false
  - firewall-cmd --zone=public --remove-interface=docker0 --permanent
  - firewall-cmd --zone=docker --add-interface=docker0 --permanent
  - Now the docker applies iptables as per container. Note that we don't have control over this from now on.
- Scalelite
- Script creation of base debian with virt-install and then replicate BBBs (partially done)

## WORDPRESS
Client Id in keycloak has to be 'php-saml' if not set at wordpress saml plugin.

1. Install OneLogin SAML plugin
2. STATUS
   1. Enable
3. IDENTITY PROVIDER SETTINGS
   1. iDp ENTITY ID: Anything you want
   1. SSO Service Url: https://sso.digitaldemocratic.net/auth/realms/master/protocol/saml
   2. SLO Service Url: https://sso.digitaldemocratic.net/auth/realms/master/protocol/saml
   3. X.509 Certificate: Copy the Certificate (not the Public key) from the keycloak realm (https://sso.digitaldemocratic.net/auth/admin/master/console/#/realms/master/keys) without the begin/end lines in the cert.
4. OPTIONS
   1. Create user if not exists
   2. Update user data
   3. Force SAML login (wait till the plugin is working. We need a way to login as admin again!)
   4. Single Log Out
   5. Match Wordpress account by: username ???
5. ATTRIBUTE MAPPING
   1. Username: username
   2. Email: email
   4. First Name: givenName
   5. Last Name: sn
   6. Role: Role
6. ROLE MAPPING
   1. Administrator: admins
   2. Editor: managers
   3. Author: coursecreators
   ...
   4. Multiple role values...: true
7. CUSTOMIZE ACTIONS AND LINKS
   1. Stay in WordPress after SLO
8. ADVANCED SETTINGS
   1. Sign AuthnRequest
   2. Sign LogoutRequest
   3. Sign LogoutResponse
   4. Service Provider X.509 Certificate & Service Provider Private Key: Generate both and paste it without the begin/end lines:
         openssl req  -nodes -new -x509  -keyout private.key -out public.cert

9. Download Service Provider metadata from top and add it to keycloak
10. Keycloak client mappers:
   1. Name: `username`
         Mapper Type: *User Property*
         Property: `username`
         Friendly Name: `username`
         SAML Attribute Name: `username`
         SAML Attribute NameFormat: *Basic*
   2. Add builtins:Name: `email`
         Mapper Type: *User Property*
         Property: `email`
         Friendly Name: `email`
         SAML Attribute Name: `email`
         SAML Attribute NameFormat: *Basic*
   3. Name: `roles`
         Mapper Type: *Role List*
         Role attribute name: `Roles`
         Friendly Name: `Roles`
         SAML Attribute NameFormat: *Basic*
         Single Role Attribute: *On*

https://wp.<domain>/wp-login.php?normal