kundk
February 27, 2024
This is a ready solution for employing Keycloak with FIDO2/WebAuthn and OIDC (or SAML). Demos are included.
Demos

| relying party (RP) | 2FA | 1FA |
|---|---|---|
| Apache (mod_auth_openidc) | demo #1 | demo #2 |
| Apache (mod_shib) | demo #3 | demo #4 |
| VMware vSphere | n/a | demo #6 |
Configuration
Build-time variables

| ARG | example | description |
|---|---|---|
| KEYCLOAK_DB | postgres | RDB for Keycloak |
| KEYCLOAK_RELEASEVER | 9 | release version of RHEL for the Keycloak container |
| KEYCLOAK_VERSION | latest | Keycloak version |
Environment variables

kundk supports multiple tenants, e.g. both demos and production use cases.
Their common configuration resides in environment variables.

| ENV | example | |
|---|---|---|
| APP_IDS | 1 2 3 4 6 | |
| KEYCLOAK_DB_URL | jdbc:postgres://localhost/keycloak | |
| KEYCLOAK_DB_USERNAME | keycloak | |
| KEYCLOAK_EMAIL | me@mydomain.com | |
| KEYCLOAK_PORT | 8444 | 1. |
| REALM_IDS | 1 2 3 4 6 | |
| SMTP_SERVER | mail.mydomain.com | |

1. optional; default is 8444
The following environment variables are only required to support the demos.

| env | example | |
|---|---|---|
| APACHE_EMAIL | me@mydomain.com | |
| APACHE_LOG_LEVEL | debug | 1. |
| KEYCLOAK_LOG_LEVEL | debug | 1. |
| KEYCLOAK_OIDC_REMOTE_USER_CLAIM | given_name ^(.+?)(?:\s.+)?$ \$1 | |
| LDAP_PORT | 3893 | |
| VSPHERE_DOMAIN | mydomain.com | 2. |
| VSPHERE_SERVER | https://vsphere.mydomain.com | 2. |

1. optional; default is info
2. only required for demo #6
Secrets

| secret | keys | |
|---|---|---|
| keycloak-admin-password | password | 1. |
| keycloak-db-password | password | |

1. password for user admin on the Keycloak Administration Console
Factory keys

| key | description |
|---|---|
| client_id | see ClientRepresentation.id |
| display_name | see RealmRepresentation.displayName |
| flow | see AuthenticationFlowRepresentation.alias (kundk-1fa or kundk-2fa) |
| ldap_attribute_first_name | |
| ldap_auth_type | see UserFederationProviderRepresentation.config.authType (for LDAP) |
| ldap_bind_credential | |
| ldap_bind_dn | see UserFederationProviderRepresentation.config.ldapBind (for LDAP) |
| ldap_connection_url | see UserFederationProviderRepresentation.config.connectionUrl (for LDAP) |
| ldap_rdn_ldap_attribute | |
| ldap_username_ldap_attribute | |
| ldap_users_dn | see UserFederationProviderRepresentation.config.userDn (for LDAP) |
| ldap_user_object_class | |
| ldap_uuid_ldap_attribute | see UserFederationProviderRepresentation.config.uuidLDAPAttribute |
| post_logout_redirect_uri | see ClientRepresentation.attributes."post.logout.redirect.uris" (for OIDC) |
| protocol | see ClientRepresentation.protocol |
| realm | see RealmRepresentation.realm |
| redirect_uri | see ClientRepresentation.redirectUris (for OIDC) |
| saml_assertion_consumer_url_redirect | |
| saml_single_logout_service_url_redirect | |
| vsphere_domain | AD domain |
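The following is an added example, not code from the kundk project, covering two of the tables above: it turns a set of factory keys into the Keycloak admin REST representations the "Factory keys" table points at (RealmRepresentation, ClientRepresentation), checks the values a realm operator would want checked before applying them, and shows what the demo's KEYCLOAK_OIDC_REMOTE_USER_CLAIM value (`given_name ^(.+?)(?:\s.+)?$ \$1`, the mod_auth_openidc claim / regex / replacement triple) does to a claim. The sample key values, the `browserFlow` binding, the check rules and all function names are assumptions made for the example; the field names `realm`, `displayName`, `clientId`, `protocol`, `redirectUris` and `attributes."post.logout.redirect.uris"` are Keycloak's.

```python
"""Build Keycloak representations from kundk-style factory keys (added example)."""
import re
from urllib.parse import urlparse

ALLOWED_FLOWS = {"kundk-1fa", "kundk-2fa"}          # from the factory keys table
ALLOWED_PROTOCOLS = {"openid-connect", "saml"}     # ClientRepresentation.protocol values

# Constructed sample: one tenant using OIDC with the 2FA (WebAuthn) flow.
# Hostnames and paths are placeholders, not values from the project.
SAMPLE_KEYS = {
    "realm": "demo1",
    "display_name": "Demo #1 (Apache mod_auth_openidc, 2FA)",
    "flow": "kundk-2fa",
    "client_id": "apache-oidc",
    "protocol": "openid-connect",
    "redirect_uri": "https://rp.example.test/protected/redirect_uri",
    "post_logout_redirect_uri": "https://rp.example.test/",
    "ldap_connection_url": "ldaps://ldap.example.test:636",
}


def realm_representation(keys):
    """RealmRepresentation: realm, displayName, and the flow alias bound as browser flow."""
    return {
        "realm": keys["realm"],
        "displayName": keys["display_name"],
        # Assumption: the kundk flow alias is used as the realm's browser flow.
        "browserFlow": keys["flow"],
    }


def client_representation(keys):
    """ClientRepresentation for an OIDC or SAML client built from factory keys."""
    rep = {
        # The table references ClientRepresentation.id; this example fills clientId,
        # the value an RP presents as client_id (assumption).
        "clientId": keys["client_id"],
        "protocol": keys["protocol"],
    }
    if keys["protocol"] == "openid-connect":
        rep["redirectUris"] = [keys["redirect_uri"]]
        rep["attributes"] = {"post.logout.redirect.uris": keys["post_logout_redirect_uri"]}
    else:  # saml
        rep["redirectUris"] = [keys["saml_assertion_consumer_url_redirect"]]
    return rep


def check_factory_keys(keys):
    """Return a list of findings (empty list == the keys pass the checks)."""
    findings = []
    if keys.get("flow") not in ALLOWED_FLOWS:
        findings.append(f"flow must be one of {sorted(ALLOWED_FLOWS)}")
    if keys.get("protocol") not in ALLOWED_PROTOCOLS:
        findings.append(f"protocol must be one of {sorted(ALLOWED_PROTOCOLS)}")
    if keys.get("protocol") == "saml":
        url_keys = ("saml_assertion_consumer_url_redirect", "saml_single_logout_service_url_redirect")
    else:
        url_keys = ("redirect_uri", "post_logout_redirect_uri")
    for name in url_keys:
        value = keys.get(name, "")
        parsed = urlparse(value)
        # Redirect targets must be exact absolute https URLs: no http, no wildcard.
        if parsed.scheme != "https" or not parsed.netloc:
            findings.append(f"{name} must be an absolute https URL")
        if "*" in value:
            findings.append(f"{name} must not contain a wildcard")
    if urlparse(keys.get("ldap_connection_url", "")).scheme != "ldaps":
        findings.append("ldap_connection_url should use ldaps:// so the bind credential is not sent in clear")
    return findings


def remote_user_from_claim(claims, spec):
    """Apply a mod_auth_openidc-style 'claim regex replacement' spec to the claims.

    The demo value 'given_name ^(.+?)(?:\\s.+)?$ \\$1' keeps the first word of
    given_name. mod_auth_openidc writes back-references as $1; the leading
    backslash in the table is shell escaping, so both '\\$1' and '$1' are accepted.
    """
    claim, regex, replacement = spec.split(" ", 2)
    py_replacement = re.sub(r"\\?\$(\d+)", r"\\\1", replacement)  # $1 -> \1
    value = claims.get(claim)
    if value is None:
        return None
    return re.sub(regex, py_replacement, value)


if __name__ == "__main__":
    print(realm_representation(SAMPLE_KEYS))
    print(client_representation(SAMPLE_KEYS))
    print(check_factory_keys(SAMPLE_KEYS))
    print(remote_user_from_claim({"given_name": "Jane Doe"}, r"given_name ^(.+?)(?:\s.+)?$ \$1"))
```

The claim mapping is what the demos use; it yields a REMOTE_USER such as `Jane` for a `given_name` of `Jane Doe`, which is fine for a demo but is not a unique identity. For a production tenant, point KEYCLOAK_OIDC_REMOTE_USER_CLAIM at a claim that is unique within the realm (for example the username or `sub`), since REMOTE_USER is what Apache's own authorization rules and the protected application see as the identity.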