Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: initial commit of doc update #60

Merged
merged 9 commits into from
Apr 19, 2024
Merged

chore: initial commit of doc update #60

Show file tree
Hide file tree
Changes from 7 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
4b30e90
initial commit of doc update
UnicornChance Apr 18, 2024
8ca6e8f
Merge branch 'main' into idp-docs
UnicornChance Apr 18, 2024
a8596da
update realm envs
UnicornChance Apr 18, 2024
5b12e92
update docs for prefix envs
UnicornChance Apr 18, 2024
fb63488
update env names
UnicornChance Apr 19, 2024
c0e1da4
make docs a bit simpler
UnicornChance Apr 19, 2024
025f865
Merge branch 'main' into idp-docs
UnicornChance Apr 19, 2024
5f532bc
update docs
UnicornChance Apr 19, 2024
bd392c1
Merge branch 'main' into idp-docs
UnicornChance Apr 19, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions docs/CUSTOMIZE.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,8 @@ The `UDS Identity` realm is defined in the realm.json found in [src/realm.json](
> [!CAUTION]
> Be aware that changing values in the realm may also need be to updated throughout the configuration of Keycloak and Authservice in `uds-core`. For example, changing the realm name will break a few different things within Keycloak unless those values are changed in `uds-core` as well.

In addition environment variables can be configured through uds-core + bundle overrides. These environment variables will be created with a prefix `realm_`. Additional context can be found in [IDENTITY_PROVIDER.md](./IDENTITY_PROIVIDER.md#override-default-sso-values).
rjferguson21 marked this conversation as resolved.
Show resolved Hide resolved

See the [Testing custom image in UDS Core](./CUSTOMIZE.md#testing-custom-image-in-uds-core) for building, publishing, and using the new image with `uds-core`.

## Customize Truststore
Expand Down
184 changes: 184 additions & 0 deletions docs/IDENTITY_PROIVIDER.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,184 @@
# Keycloak Identity Provider

## Different Keycloak IDP Types Tested
|Name|Description|Working|
|-|-|-|
|Google Social Provider| A social provider meant specifically for google sso integration| Yes |
|OpenId Connect v1.0| A generic openid connection integration| Yes |
|keycloak openid connect| A generic openid connection tailored specifically for keycloak JWT integration| No |
|Keycloak SAML| A SAML support connection [documentation](https://cloud.google.com/architecture/identity/keycloak-single-sign-on) | Yes |

---

# Setting up GCP Project

1. In [Google Cloud Console](https://console.cloud.google.com)
1. Create a new project ( top left drop down )
1. Specifics are up to you here
2. Select that project ( might take a minute for Google to create it )
1. Configure `OAuth Consent Screen` ( found by going to the `APIs & Services` menu option )
1. Select `External`
2. Hit `Create`
3. Fill in app name, user support email ( can be changed later ), authorized domain ( uds.dev ), developer contact info
4. Hit `Save And Continue`
5. No scopes are necessary ( can be modified later )
6. No test user is necessary ( can be added later )
7. Verify and `Back to Dashboard`
2. Open `Credentials` tab
1. Click the `Create credentials` option in top nav bar
1. Select `OAuth client ID`
2. Select `Web application` type
3. Add name of client
4. Add authorized redirect URIs ( based on IDP configuration in keycloak ) Example values:
1. OpenID Connect v1.0 = https://sso.uds.dev/realms/uds/broker/{idp name}/endpoint
2. Google Social = https://sso.uds.dev/realms/uds/broker/google/endpoint
5. Hit `Save`
3. Capture the client ID and client secret for use in setting up IDP ( these can be accessed later )

---

# Configure Keycloak Google SSO

## Configure the Keycloak Realm.json for Automation

Example of using a secret for supplying the configuration values.

1. This section has been added to the realm json

```
"identityProviders": [
{
"alias": "oidc",
"displayName": "Google SSO",
"internalId": "698ce16e-b026-43d5-8c8c-7977a2659a1c",
"providerId": "oidc",
"enabled": "${REALM_GOOGLE_IDP_ENABLED}",
"updateProfileFirstLoginMode": "on",
"trustEmail": true,
"storeToken": false,
"addReadTokenRoleOnCreate": false,
"authenticateByDefault": false,
"linkOnly": false,
"config": {
"tokenUrl": "https://oauth2.googleapis.com/token",
"acceptsPromptNoneForwardFromClient": "false",
"jwksUrl": "https://www.googleapis.com/oauth2/v3/certs",
"isAccessTokenJWT": "false",
"filteredByClaim": "false",
"backchannelSupported": "false",
"issuer": "https://accounts.google.com",
"loginHint": "false",
"clientAuthMethod": "client_secret_post",
"syncMode": "IMPORT",
"clientSecret": "${REALM_GOOGLE_IDP_CLIENT_SECRET}",
"allowedClockSkew": "0",
"defaultScope": "openid profile email",
"userInfoUrl": "https://openidconnect.googleapis.com/v1/userinfo",
"validateSignature": "true",
"hideOnLoginPage": "false",
"clientId": "${REALM_GOOGLE_IDP_CLIENTID}",
"uiLocales": "false",
"disableNonce": "false",
"useJwksUrl": "true",
"sendClientIdOnLogout": "false",
"pkceEnabled": "false",
"metadataDescriptorUrl": "https://accounts.google.com/.well-known/openid-configuration",
"authorizationUrl": "https://accounts.google.com/o/oauth2/v2/auth",
"disableUserInfo": "false",
"sendIdTokenOnLogout": "true",
"passMaxAge": "false"
}
}
],
```
* note the `${REALM_GOOGLE_IDP_ENABLED}`, `${REALM_GOOGLE_IDP_CLIENT_SECRET}`, and `${REALM_GOOGLE_IDP_CLIENTID}` pieces that are provided by uds-core environment variables

2. Update `uds-core`
rjferguson21 marked this conversation as resolved.
Show resolved Hide resolved
1. `uds-core/src/keycloak/chart/templates/secret-kc-realm.yaml`

```
apiVersion: v1
kind: Secret
metadata:
name: {{ include "keycloak.fullname" . }}-realm-env
namespace: {{ .Release.Namespace }}
labels:
{{- include "keycloak.labels" . | nindent 4 }}
type: Opaque
data:
{{- range $key, $value := .Values.realmInitEnv }}
{{- if eq (typeOf $value) "bool" }}
REALM_{{ $key }}: {{ toString $value | b64enc }}
{{- else }}
REALM_{{ $key }}: {{ $value | b64enc }}
{{- end }}
{{- end }}
```

2. `uds-core/src/keycloak/chart/values.yaml`

```
# UDS Identity Config Environment Variables. More info here: https://github.com/defenseunicorns/uds-identity-config/blob/main/docs/CUSTOMIZE.md#override-default-realm
realmInitEnv:
GOOGLE_IDP_ENABLED: false
# Other UDS Identity Config fields that will be used in the realm.json initalization of keycloak
# GOOGLE_IDP_CLIENTID: ""
# GOOGLE_IDP_CLIENT_SECRET: ""
```
* This defines the default values to be used by the IDP, if left unchanged a Google SSO IDP will be created however it will not work as it is disabled and has no client details provided.

3. `uds-core/src/keycloak/chart/templates/statefulset.yaml`

```
envFrom:
- secretRef:
name: {{ include "keycloak.fullname" . }}-realm-env
```

## Override default SSO values

>[!TIP]
> Additional information about this in the [CUSTOMIZE.md](./CUSTOMIZE.md#override-default-realm)

`uds-identity-config/bundles/uds-bundle.yaml`

```
overrides:
keycloak:
keycloak:
values:
- path: realmInitEnv
value:
GOOGLE_IDP_ENABLED: true
GOOGLE_IDP_CLIENTID: <fill in value here>
GOOGLE_IDP_CLIENT_SECRET: <fill in value here>
variables:
- name: KEYCLOAK_CONFIG_IMAGE
description: "The keycloak config image to deploy plugin and initial setup configuration"
path: configImage
```

## Manually Setup Google Cloud Project with Keycloak

1. Create IDP in Keycloak, whether it's oidc or google social provider
1. For Generic OIDC:
1. Select `OpenID Connect v1.0`
2. Add Display Name ( this is what will be displayed on the signin page ): ex. `Google SSO`
3. Add discovery endpoint: `https://accounts.google.com/.well-known/openid-configuration`
4. Add client id, this is found in google cloud project from earlier in this doc.
5. Add client secret, this is found in google cloud project from earlier in this doc.
6. Hit `Add`
7. Update scopes ( under advanced drop down ): `openid profile email`
* if adding scopes, probably will need to update scopes in the google client project as well
8. Toggle `Trust Email` to true
9. Hit `Save`

2. For Social Provider:
1. Select `Google` under the social section
2. Add client id, this is found in google cloud project from earlier in this doc.
3. Add client secret, this is found in google cloud project from earlier in this doc.
4. Hit `Save`
5. Toggle `Trust Email`
6. Hit `Save`

---