Table of Contents
1 History............................................................................................................................................12
2 Prerequisites...................................................................................................................................13
2.1 Presentation.............................................................................................................................13
2.2 Cloning Rh-SSO quickstart examples....................................................................................13
2.3 Cloning Keycloak examples...................................................................................................14
2.3.1 Clone Project...................................................................................................................14
2.3.2 Compiling keycloak........................................................................................................14
3 Starting with RH-SSO....................................................................................................................15
3.1 Overview.................................................................................................................................15
3.2 Prerequisite.............................................................................................................................15
3.3 Installing RH-SSO from zip file.............................................................................................15
3.3.1 Installation command......................................................................................................16
3.4 RH-SSO Layout......................................................................................................................16
3.5 Starting RH-SSO.....................................................................................................................16
3.6 Admin Account creation.........................................................................................................22
3.7 Realms....................................................................................................................................24
3.7.1 Creating a new realm......................................................................................................24
3.7.2 Create user1 in demo realm.............................................................................................27
3.8 Installing JBoss EAP 7 servers................................................................................................31
3.9 Starting JBoss EAP Server......................................................................................................31
3.10 Installing RH-SSO JBoss Adapter.........................................................................................34
3.11 Building and cloning RH-SSO sample.................................................................................35
3.12 Basic application login..........................................................................................................37
3.13 Registering the vanilla application with RH-SSO................................................................38
3.14 Displaying Keycloak Vanilla client information...................................................................39
3.15 Updating vanilla application configuration to connect to RH-SSO.....................................40
3.16 Test of application.................................................................................................................41
3.17 Pointers..................................................................................................................................43
4 Using RH-SSO with client applications.........................................................................................44
4.1 Overview.................................................................................................................................44
4.2 Demo Template Example........................................................................................................44
4.3 Realm demo preparation..........................................................................................................45
4.3.1 Creating realm demo.......................................................................................................46
4.3.2 Creating demo Roles.......................................................................................................47
4.3.3 Default Role....................................................................................................................48
4.3.4 Adding a user to the demo realm....................................................................................49
4.4 Adding Customer portal application.......................................................................................52
4.4.1 Creating customer client application...............................................................................52
4.4.2 Inside Add Client window...............................................................................................53
4.4.3 Customer-portal Client....................................................................................................54
4.4.4 Client Credentials............................................................................................................54
4.4.5 Customer-portal JSON file format..................................................................................55
4.4.6 Compiling customer-portal webapp................................................................................56
Preparing customer-app directory........................................................................................56
Adding keycloak.json file.....................................................................................................56
Sources Modifications..........................................................................................................57
Compiling customer and deploying customer-app...............................................................57
4.4.7 Logging in to customer-portal app.........................................................................................59
4.5 Adding Product Portal.............................................................................................................60
Registering Product Portal....................................................................................................60
Using JWKS URI for authentication....................................................................................62
Keycloak.json file.................................................................................................................63
JKS keystore (Information)..................................................................................................64
4.5.1 Sources Modifications.....................................................................................................67
4.5.2 Compiling product portal app.........................................................................................68
4.5.3 Connecting to product portal app....................................................................................69
4.6 Database service.....................................................................................................................71
4.6.1 Adding database service client application.....................................................................72
4.6.2 Configuring Bearer only authentication scheme.............................................................72
4.6.3 keycloak Json file for Database Services........................................................................73
4.6.4 Compiling and deploying database service.....................................................................74
4.6.5 Testing customer display with database services............................................................76
4.7 Common Mistake....................................................................................................................77
4.8 Pointers...................................................................................................................................78
5 Understanding OAuth2 and OpenID...............................................................................................79
5.1 OAuth2 Presentation................................................................................................................79
5.2 OAuth2 Elements.....................................................................................................................79
5.2.1 OAuth Roles.....................................................................................................................79
5.2.2 Tokens.............................................................................................................................80
5.2.3 Scopes.............................................................................................................................80
5.2.4 OAuth2 Flows..................................................................................................................80
5.2.5 Security...........................................................................................................................81
5.3 Client Registration..................................................................................................................81
5.4 Authorization Code Grant.......................................................................................................81
5.5 Implicit Flow...........................................................................................................................85
5.6 Resource Owner Password Credentials (ROPC)......................................................................87
6 Understanding OpenID Connect (OIDC).......................................................................................90
6.1 Overview.................................................................................................................................90
6.2 OpenID sequence flow............................................................................................................91
6.3 OpenID flows..........................................................................................................................91
6.4 Authorization Code flow.........................................................................................................92
6.5 Implicit Flow...........................................................................................................................98
6.6 ID token analysis....................................................................................................................99
7 Debugging and analysing a RH-SSO example.............................................................................102
7.1 Overview...............................................................................................................................102
7.2 RH-SSO quickstart app-jsp example....................................................................................102
7.2.1 Prerequisites..................................................................................................................102
7.2.2 app-jsp application creation.........................................................................................102
7.2.3 Client configuration......................................................................................................103
7.2.4 Client Credentials..........................................................................................................104
7.2.5 app-jsp json configuration export.................................................................................104
7.2.6 Deploying the app-jsp application................................................................................105
7.3 Creating a user......................................................................................................................106
7.3.1 Json file import..............................................................................................................106
7.3.2 Using the admin console...............................................................................................108
7.3.3 Create Roles and User...................................................................................................108
7.4 Login to the app....................................................................................................................108
7.5 Checking Request Headers and Response Headers of the /authenticate endpoint request...111
7.6 Using jwt.io debugger...........................................................................................................112
7.7 Checking Cookie within Chrome..........................................................................................114
7.7.1 Accessing the Chrome cookie.........................................................................................115
7.7.2 Accessing the Firefox cookie..........................................................................................115
8 Using REST API with RH-SSO...................................................................................................117
8.1 Presentation...........................................................................................................................117
8.2 App-js application.................................................................................................................117
8.3 Realm endpoints - .well-known/openid-configuration.........................................................117
8.3.1 RH-SSO endpoint URLs...............................................................................................117
8.3.2 Using .well-known/openid-configuration......................................................................118
8.4 admin-cli Client application..................................................................................................121
8.4.1 Getting an admin Bearer token with the admin CLI.....................................................121
8.4.2 Using admin Bearer Token in Rest API query..............................................................125
Get the top-level representation of the realm..........................................................................125
8.4.3 Using another admin user with admin-cli.....................................................................130
8.4.4 Listing the number of sessions present on a realm.......................................................131
8.5 Using kcadm.........................................................................................................................135
8.5.1 .keycloak registry..........................................................................................................135
8.5.2 Using kcadm.................................................................................................................136
8.5.3 Security measure with kcadm.......................................................................................136
8.6 Usage of REST API with realm endpoints...........................................................................137
8.6.1 App-jsp information......................................................................................................137
8.6.2 Performing a ROPC query to the /token endpoint........................................................137
8.6.3 Using the userinfo and introspect endpoints.................................................................139
8.7 Using refresh tokens with ROPC.............................................................................................144
8.7.1 ROPC query to generate access and refresh tokens........................................................144
8.7.2 Performing the query using the refresh token...............................................................146
8.8 Using mod_auth_openidc.....................................................................................................149
8.8.1 Presentation...................................................................................................................149
8.8.2 Putting mod_auth_openidc in place..............................................................................149
8.8.3 Enabling mod_auth_openidc module with apache2.....................................................149
8.8.4 Configuring RH-SSO Server for mod_auth_openidc...................................................150
8.8.5 Configuration of the realm external login – SSL set to none.......................................151
8.8.6 Configuration of mod_auth_openidc module...............................................................152
8.8.7 Testing module mod_auth_openidc..............................................................................154
9 Using OpenID protocol to connect to an IDP provider................................................................156
9.1 Presentation...........................................................................................................................156
9.2 FranceConnect......................................................................................................................156
9.2.1 Register with FranceConnect........................................................................................156
9.2.2 Information display.......................................................................................................161
9.3 France Connect Endpoints....................................................................................................161
9.4 Dummy test user IDP creation..............................................................................................161
9.5 RH-SSO configuration + IDP post configuration.................................................................163
9.5.1 Creating an identity provider..........................................................................................163
9.6 Configuring RH-SSO identity provider................................................................................164
9.7 Adding identity provider mappers........................................................................................166
9.8 Post Configuration task of IDP configuration......................................................................167
9.9 Tests......................................................................................................................................169
9.9.1 Application Test.............................................................................................................169
9.10 Account Linking.................................................................................................................172
10 SAML V2 Presentation...............................................................................................................174
10.1 What is SAML?..................................................................................................................174
10.2 SAML References...............................................................................................................174
10.3 SAML 2.0 in short..............................................................................................................174
10.3.1 SAML V2 features......................................................................................................174
10.3.2 Major Key elements....................................................................................................175
10.4 SAML Components............................................................................................................177
10.5 SAML elements (used by RH-SSO)...................................................................................179
10.5.1 SP Element..................................................................................................................179
10.5.2 SP Keys and Key elements..........................................................................................180
10.5.3 KeyStore element........................................................................................................180
10.5.4 Key PEMS...................................................................................................................181
10.5.5 SP PrincipalNameMapping element...........................................................................181
10.5.6 RoleIdentifiers element..............................................................................................181
10.5.7 IDP Element...............................................................................................................182
10.5.8 IDP SingleSignOnService sub element.......................................................................182
10.5.9 IDP SingleLogoutService sub element.......................................................................183
10.5.10 IDP Keys subelement...............................................................................................184
10.6 XML SAML Examples.......................................................................................................184
10.6.1 Post Request example.................................................................................................184
10.6.2 Response Extract.........................................................................................................185
11 SAML broker example with RH-SSO..........................................................................................186
11.1 Presentation.........................................................................................................................186
11.2 RH-SSO consideration........................................................................................................186
11.3 Preparing RH-SSO – adding SAML adapter......................................................................186
11.4 Adding SAML tracer to Firefox..........................................................................................188
11.5 Launching RH-SSO............................................................................................................189
11.6 Compiling and deploying the example...............................................................................189
11.7 Creating both realms in RH-SSO........................................................................................189
11.8 Understanding the SAML broker applications...................................................................190
11.8.1 Saml Broker realm......................................................................................................190
11.8.2 saml-broker-authentication-realm...............................................................................193
11.9 CORS enabled.....................................................................................................................196
11.10 SAML Scenario in action..................................................................................................196
11.11 Adding attribute mapper on the identity provider.............................................................198
11.12 Checking details of a built-in member (givenName)........................................................199
11.13 Debugging SAML exchange............................................................................................200
11.13.1 Using Firefox plugin add on......................................................................................200
11.13.2 Analyzing content of a response with SAML tracer.................................................201
11.14 Adding SAML attributes to the SP..................................................................................202
11.15 Complete Scenario...........................................................................................................204
11.16 User in Saml-authentication-realm...................................................................................204
12 SAML Integration with an external IDP (OKTA)......................................................................206
12.1 Overview.............................................................................................................................206
12.2 Configuring Okta as an IDP................................................................................................206
12.2.1 Create an OKTA account............................................................................................206
12.2.2 Configuring OKTA IDP..................................................................................................210
12.2.3 Prepare Data for the SP...............................................................................................215
12.2.4 Adjusting SAML Setting if necessary.........................................................................216
12.2.5 Registering a user with OKTA....................................................................................217
12.3 Configuring RH-SSO as a service provider........................................................................219
12.3.1 Creating saml_okta_idp..............................................................................................219
12.3.2 Adding Attribute mapper.............................................................................................220
12.4 Using Federation.................................................................................................................222
12.4.1 Check users.................................................................................................................222
12.4.2 Logging in to SP client application.................................................................................222
12.4.3 Checking Users...........................................................................................................224
12.4.4 Account Linking..........................................................................................................225
13 Understanding Authorization Services with Redhat SSO..........................................................226
13.1 Presentation.........................................................................................................................226
13.2 Key Concepts of RH-SSO Authorization service...............................................................227
13.3 Components of an Authorization Service...........................................................................227
13.4 Resources............................................................................................................................227
13.5 Authorization Scopes..........................................................................................................228
13.6 Policies................................................................................................................................228
13.6.1 Role Policy..................................................................................................................229
13.6.2 JavaScript Role..........................................................................................................229
13.7 photoz-restful-api Authorization Policies...........................................................................229
13.8 Permission...........................................................................................................................230
13.8.1 Resource – policy permission match...........................................................................230
13.8.2 Scope – policy permission match................................................................................230
13.9 Putting it all together – Tailoring authorization Service to your architecture needs..........231
13.10 Pointers.............................................................................................................................231
14 Using a simple RH-SSO Authorization example.......................................................................232
14.1 Securing a Servlet Application...........................................................................................232
14.2 Creating a Realm and a User..............................................................................................232
2.3. Enabling Authorization Services..........................................................................................234
14.3 Build, Deploy, and Test Your Application..........................................................................237
14.3.1 Obtaining the Adapter Configuration..........................................................................237
14.4 Building and Deploying the Application............................................................................240
14.4.1 Testing the Application..............................................................................................240
15 Authorization access using Role based users.............................................................................242
15.1 Overview.............................................................................................................................242
15.2 Using the keycloak authz example.....................................................................................242
15.2.1 Source location............................................................................................................242
15.2.2 adapting example sources to RH-SSO infrastructure..................................................242
15.3 Installing servlet_authz-example in RH-SSO servers.............................................................243
15.3.1 Realm creation............................................................................................................243
15.3.2 Importing Authorization..............................................................................................243
15.3.3 Adapting RH-SSO clients Urls...................................................................................244
15.4 Compiling and deploying servlet-authz sources.................................................................247
15.5 Authorization example test.................................................................................................247
15.5.1 Logging with restricted privileges..............................................................................247
15.5.2 Using Premium Users................................................................................................249
15.6 Detailed authorization scheme analysis..............................................................................251
15.6.1 Resources........................................................................................................................251
15.6.2 Scopes.........................................................................................................................252
15.6.3 Policies........................................................................................................................253
15.6.4 Permission...................................................................................................................254
Resource-based permissions..............................................................................................254
Scope-based permission policies.......................................................................................255
16 Fine-Grained Authorization – UMA policy..................................................................................257
16.1 Presentation.........................................................................................................................257
16.2 UMA Authorisation Service documentation......................................................................257
16.3 About the Example Application..........................................................................................257
16.4 Building the keycloak/auth/photoz example.......................................................................258
16.4.1 Creating the photoz-realm..........................................................................................258
16.4.2 Build examples............................................................................................................259
16.4.3 Import Photoz server resource permission..................................................................259
16.5 Deploy and Run the Example Applications........................................................................259
16.5.1 Example (logged in as Alice)......................................................................................260
16.5.2 Example (logged in as Admin)...................................................................................260
16.5.3 Misc about the examples.............................................................................................261
17 RH-SSO LDAP integration........................................................................................................263
17.1 Presentation.........................................................................................................................263
17.2 Pointers...............................................................................................................................263
17.3 Keycloak LDAP example...................................................................................................263
17.3.1 Overview.....................................................................................................................263
17.3.2 Building and deploying demo LDAP application.......................................................264
17.4 Examining the LDAP example using JXplorer..................................................................264
17.4.1 Connecting with JXplorer to the LDAP instance........................................................264
17.4.2 Displaying Roles at LDAP level.................................................................................266
17.5 Creating ldap-portal realm (manual creation).....................................................................267
17.5.1 Ldap-test realm creation..............................................................................................267
17.5.2 Adding LDAP Provider to the ldap-test realm............................................................268
17.5.3 Configuring LDAP Provider.......................................................................................268
17.5.4 RH-SSO LDAP synchronization policy......................................................................270
17.5.5 Mappers.......................................................................................................................271
17.6 Ldap-demo realm (Json import).........................................................................................273
17.7 Building and Deploying ldap-portal webapp......................................................................274
17.7.1 Modifications..............................................................................................................274
17.7.2 Changes to be done.....................................................................................................274
17.8 Logging in to RH-SSO.........................................................................................................274
17.8.1 RH-SSO ldap-demo login page...................................................................................274
17.8.2 Logging in to the LDAP demo webapp......................................................................275
18 Relational Database Setup..........................................................................................................277
18.1 Presentation.........................................................................................................................277
18.2 PostgreSQL DB installation and preparation......................................................................277
18.2.1 Installing PostgreSQL (Ubuntu)..................................................................................277
18.2.2 Installing PostgreSQL (RedHat Linux).......................................................................277
18.2.3 Changing the PostgreSQL password..........................................................................278
18.2.4 pg_hba.conf update.....................................................................................................278
18.2.5 Authentication test......................................................................................................279
18.3 Creating the keycloak DB...................................................................................................279
18.4 PostgreSQL RDBMS with RH-SSO.....................................................................................279
18.4.1 PostgreSQL driver download......................................................................................279
18.4.2 PostgreSQL driver installation....................................................................................279
18.4.3 Module.xml file...........................................................................................................280
18.4.4 JDBC driver update.....................................................................................................281
18.4.5 Driver section update..................................................................................................281
18.4.6 Datasource section update...........................................................................................281
18.5 Testing the whole setup......................................................................................................282
19 Importing/Exporting Keycloak configuration............................................................................288
19.1 Presentation.........................................................................................................................288
19.2 Import/export commands....................................................................................................288
19.2.1 Exporting to a single file.............................................................................................288
19.2.2 Exporting to a directory..............................................................................................288
19.2.3 Imports........................................................................................................................288
19.3 Options................................................................................................................................289
20 RH-SSO Security........................................................................................................................290
20.1 Security Best Practices........................................................................................................290
20.2 Defining Keystore...............................................................................................................290
20.2.1 PKI – Self-signed cert – CA Authority.......................................................................290
20.3 SSL - Keystore (Inbound Request)....................................................................................291
20.3.1 Generating a self-signed cert......................................................................................291
20.3.2 Customizing standalone.xml with SSL.......................................................................291
20.4 Checking RH-SSO HTTPS connection..............................................................................292
20.4.1 Starting RH-SSO Server.............................................................................................292
20.4.2 Checking SSL connection using openssl....................................................................292
20.4.3 Checking HTTPS connection......................................................................................294
20.5 TrustStore (Outbound Request)..........................................................................................297
20.6 Differences when using self-signed vs. signed certificates.................................................298
21 RH-SSO Networking..................................................................................................................299
21.1 RH-SSO Port presentation – standalone.xml (standalone-ha.xml).....................................299
21.2 Usage of each port..............................................................................................................300
21.3 Disabling HTTP and AJP for RH-SSO..................................................................................300
21.4 RH-SSO Multicast Groups.................................................................................................301
21.5 RH-SSO multicast Group with clustering..........................................................................302
21.5.1 JGroups - multicast.....................................................................................................302
21.5.2 mod_cluster - multicast...............................................................................................302
22 RH-SSO Clustering Operating Modes.......................................................................................303
22.1 Presentation.........................................................................................................................303
22.2 Standalone cluster mode.....................................................................................................303
22.2.1 Standalone clustered mode layout...............................................................................303
22.3 Getting useful values from standalone-ha.xml....................................................................304
22.3.1 Starting a standalone cluster node...............................................................................305
22.3.2 Implications when using clustering mode (standalone-ha.xml).................................305
22.4 Domain clustered mode.......................................................................................................306
22.4.1 Domain cluster layout.................................................................................................306
22.4.2 Master node................................................................................................................307
22.4.3 Slave node...................................................................................................................307
22.5 Clustered Domain Example................................................................................................308
22.5.1 Configuring the slave secret key.................................................................................308
22.6 Creating an admin master user............................................................................................310
22.6.1 Adding an admin user using add-user-keycloak.sh.....................................................310
22.6.2 Adding keycloak-add-user.json to master server.........................................................311
22.7 Starting Servers...................................................................................................................311
22.7.1 Starting the master......................................................................................................312
22.7.2 Starting the slave.........................................................................................................312
22.8 Add app_vanilla profile client application to the clustered................................................312
22.9 Limitation of the domain cluster example..........................................................................312
23 Using modcluster with Standalone HA cluster deployment.......................................................313
23.1 Presentation.........................................................................................................................313
23.2 mod_cluster – Apache software load balancer....................................................................313
23.2.1 Presentation.................................................................................................................313
23.2.2 mod_cluster and multicast group................................................................................313
23.2.3 mod_cluster with RH-SSO.........................................................................................313
23.3 Clustering standalone HA example.....................................................................................315
23.3.1 Presentation.................................................................................................................315
23.3.2 Limitation....................................................................................................................315
23.3.3 Setting RH-SSO 'requires SSL' to none.....................................................................315
23.3.4 mod_cluster configuration..........................................................................................316
23.3.5 Commands used..........................................................................................................318
23.3.6 Testing mod_cluster....................................................................................................318
23.4 Testing application failover.................................................................................................319
24 SPI testing integration – Highly available environment.............................................................322
24.1 Overview.............................................................................................................................322
24.2 Event SPI............................................................................................................................322
24.2.1 Deploying the Jar file..................................................................................................322
24.2.2 Registering the SPI in standalone-ha.xml...................................................................322
24.3 SPI various use cases..........................................................................................................323
24.3.1 Use case 1 – Both nodes are UP..................................................................................323
24.3.2 Use case 2 – Node1 brought down..............................................................................324
24.4 SPI interaction with Keycloak in clustering mode..............................................................324
25 RH-SSO Clustering best practices - Recommendations.............................................................325