Keycloak
Keycloak is used as the main identity provider for this project.
It does not do SSO itself: it is the identity provider (IdP), not the application, also known as the service provider (SP).
A fresh Keycloak installation lets the first user set the admin user id and password, but only through the localhost interface. We deploy on servers where the localhost interface cannot be reached remotely, and we do not want to install a graphical environment with a browser on the server, so we use a different method.
When Keycloak is started for the first time, the admin user id and password can be set on the command line (or through environment variables, if you prefer).
This is how we provision the Keycloak server with its admin id and password.
You will need this password every time you want to manage users or create realms in Keycloak.
It would be a smart idea to read up a bit about how this SSO stuff actually works.
Also, the browser extension "saml-tracer" has proven to be extremely valuable at times.
- The default 'Red Hat Directory Server' sync setup has an error: not all default synced attributes are correct. The first name attribute of the user should be 'givenName'. In Keycloak: go to User Federation and select your LDAP provider. Locate the "Mappers" tab at the top. Edit the mapper for 'first name'. Change the value of the field 'LDAP Attribute' from 'cn' to 'givenName'. Sync the users again and notice that the first name field is now correct.
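The same check can be scripted against the mapper representations that the Keycloak Admin REST API returns, so the 'cn' mistake can be detected (and the corrected mapper produced) without clicking through every realm. This is an added example, not part of this project's wiki; the component type string and the 'ldap.attribute' / 'user.model.attribute' config keys are Keycloak's own, while the sample mappers and their ids below are constructed.

```python
"""Audit Keycloak LDAP user-attribute mappers for the 'first name -> cn' defect.

Works on the component list returned by
GET /admin/realms/{realm}/components?type=org.keycloak.storage.ldap.mappers.LDAPStorageMapper
The sample data below is constructed (fake ids); everything else is Keycloak's format.
"""
import copy
import json

LDAP_MAPPER_TYPE = "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"


def find_bad_first_name_mappers(components):
    """Return the mappers that feed the user's firstName from the LDAP 'cn' attribute."""
    bad = []
    for comp in components:
        if comp.get("providerType") != LDAP_MAPPER_TYPE:
            continue
        cfg = comp.get("config", {})
        # Keycloak stores every config value as a single-element list of strings.
        model_attr = cfg.get("user.model.attribute", [""])[0]
        ldap_attr = cfg.get("ldap.attribute", [""])[0]
        if model_attr == "firstName" and ldap_attr.lower() == "cn":
            bad.append(comp)
    return bad


def fix_first_name_mapper(comp):
    """Return a copy of the mapper with 'ldap.attribute' set to 'givenName'.
    This is the representation to PUT back to /admin/realms/{realm}/components/{id}
    before triggering a new user sync. The input is left untouched."""
    fixed = copy.deepcopy(comp)
    fixed["config"]["ldap.attribute"] = ["givenName"]
    return fixed


# Constructed sample: two mappers shaped like the API output (ids are fake).
SAMPLE_COMPONENTS = [
    {"id": "11111111-aaaa", "name": "first name", "providerId": "user-attribute-ldap-mapper",
     "providerType": LDAP_MAPPER_TYPE,
     "config": {"ldap.attribute": ["cn"], "user.model.attribute": ["firstName"],
                "read.only": ["true"], "always.read.value.from.ldap": ["true"]}},
    {"id": "22222222-bbbb", "name": "last name", "providerId": "user-attribute-ldap-mapper",
     "providerType": LDAP_MAPPER_TYPE,
     "config": {"ldap.attribute": ["sn"], "user.model.attribute": ["lastName"]}},
]

if __name__ == "__main__":
    for m in find_bad_first_name_mappers(SAMPLE_COMPONENTS):
        print(f"mapper {m['name']!r} ({m['id']}) maps firstName from cn; corrected form:")
        print(json.dumps(fix_first_name_mapper(m), indent=2))
```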