Open Source Identity and Access Management using Keycloak

Posted By: Ankit Kumar | 25th June 2019

You can easily add authentication to your applications and secure services with minimum fuss. There is no need to deal with storing user credentials or authenticating users yourself; it is all available out of the box. In this post I show how to delegate a web application's login to Keycloak as the identity provider (IdP), using GitLab and SAML 2.0 as the worked example.

GitLab: Use Keycloak as SAML 2.0 OmniAuth Provider

This shows how to integrate Keycloak with SAML 2.0 as an OmniAuth provider for your GitLab instance.

If you haven't heard of Keycloak yet: it is an open source identity and access management solution that provides single sign-on, speaks standard protocols such as OpenID Connect (built on OAuth 2.0) and SAML 2.0, and has a number of other interesting features.

Requirements

  • Running and working Keycloak instance(s)
  • Keycloak knowledge on an intermediate level
  • Keycloak admin access (for creating a client in a realm of choice)
  • Running GitLab instance
  • Access to the GitLab instance's configuration files

In my case the instance URLs are:

  1. GitLab server URL:   https://ttyd.idocker.hacking-lab.com
  2. Keycloak server URL: https://auth.idocker.hacking-lab.com

Step 1 - Creating SAML Client in Keycloak

Navigate to your Keycloak admin console and select the realm you want to use (this post uses the master realm).

Go to the Clients page and click the Create button in the upper right corner. Use the GitLab hostname as the Client ID (here ttyd.idocker.hacking-lab.com) and set the Client Protocol to saml. Keycloak matches incoming SAML requests to this client by their issuer, so the Client ID is also the issuer value that the GitLab configuration in Step 3 has to use.

Step 2 - Configuring SAML Client in Keycloak

In this step the created Keycloak SAML client is configured. If you are not on the client configuration page of your SAML client yet, navigate to it now.

Settings Tab

The settings to apply on the Settings tab are shown in the screenshots (not reproduced in this text). Three of them must agree with the GitLab configuration in Step 3: the Client ID is the issuer (ttyd.idocker.hacking-lab.com), the Name ID Format is persistent (GitLab asks for urn:oasis:names:tc:SAML:2.0:nameid-format:persistent), and the IDP Initiated SSO URL Name is the GitLab hostname, which is the last path segment of the idp_sso_target_url. The assertion consumer service URL GitLab sends, https://ttyd.idocker.hacking-lab.com/users/auth/saml/callback, must also be allowed by the client.

Roles Tab

GitLab CE can "only" mark SSO users as external in GitLab; that is what the ttyd.idocker.hacking-lab.com:external role in the screenshot below is for. GitLab EE offers more possibilities to restrict access based on groups.

Please note that roles other than *:external only "work" with the GitLab EE edition.

Go to the Roles tab of the client and click the Add Role button in the upper right corner. Create the role with:

  • Role Name: ttyd.idocker.hacking-lab.com:external
  • Composite Roles: OFF

Every user who is assigned this role is created as an external user in GitLab (see external_groups in Step 3); leave it unassigned for regular users. Now that you have set up roles to control access to your GitLab, continue to the Mappers tab.

Mappers Tab

Mappers allow you to map user information to attributes in the SAML 2.0 assertion that Keycloak sends to GitLab. An example is mapping the Keycloak username into the assertion so that GitLab can use it as the GitLab username.

Go to the Mappers tab and click the Create button in the upper right corner.

The mappers to create (Mapper Type "User Property" for the user fields, "Role list" for the roles) are:

  • Name: name
    • Mapper Type: User Property
    • Property: Username
    • Friendly Name: Username
    • SAML Attribute Name: name
    • SAML Attribute NameFormat: Basic

  • Name: email
    • Mapper Type: User Property
    • Property: Email
    • Friendly Name: Email
    • SAML Attribute Name: email
    • SAML Attribute NameFormat: Basic

  • Name: first_name
    • Mapper Type: User Property
    • Property: FirstName
    • Friendly Name: First Name
    • SAML Attribute Name: first_name
    • SAML Attribute NameFormat: Basic

  • Name: last_name
    • Mapper Type: User Property
    • Property: LastName
    • Friendly Name: Last Name
    • SAML Attribute Name: last_name
    • SAML Attribute NameFormat: Basic

  • Name: roles
    • Mapper Type: Role list
    • Role attribute name: roles
    • Friendly Name: Roles
    • SAML Attribute NameFormat: Basic
    • Single Role Attribute: On

The SAML Attribute Names must match the attribute_statements and groups_attribute in the GitLab configuration of Step 3 exactly, and each attribute name should be emitted by exactly one mapper. If, for example, the last_name mapper also emits the attribute name "name", GitLab receives two values for "name" and none for "last_name", and which one ends up as the username depends on the order of the attributes in the assertion.

Scope Tab

The Full Scope Allowed option on this tab needs to be set to On for GitLab, as there seem to be issues with GitLab not receiving the roles because of "missing" scopes otherwise. With Full Scope Allowed off, Keycloak only puts roles into the assertion that are explicitly in the client's scope.

Certificate

Now, to ensure the authenticity of the identity provider, GitLab needs to know Keycloak's signing certificate.
You'll find it in Realm Settings -> Keys. Look for the row with Type RSA and click "Certificate" in the rightmost column;
the certificate shown is the value you need for idp_cert in the SAML configuration in /etc/gitlab/gitlab.rb, which is shown in Step 3. Note that this is the realm's signing key: whenever the realm keys are rotated, the certificate in gitlab.rb must be updated, otherwise every SAML login fails signature validation.
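Copying the certificate out of the admin console is fine for a one-off setup, but Keycloak also publishes the same signing certificate in its SAML IdP descriptor at https://auth.idocker.hacking-lab.com/auth/realms/master/protocol/saml/descriptor, which is easier to script. The following Ruby script is an added example, not code from the original post or from Keycloak or GitLab: given that descriptor XML it extracts the signing certificate and produces both forms GitLab can pin, the PEM block for idp_cert and the SHA-1 fingerprint for idp_cert_fingerprint. It runs offline on a constructed descriptor whose certificate bytes are a placeholder rather than a real certificate; fetching the descriptor (with curl, for example) is left to you.

```ruby
require 'digest'

# Added example (editor's code, not from the original post or from Keycloak/GitLab).
# Input: the XML Keycloak serves at
#   https://<keycloak>/auth/realms/<realm>/protocol/saml/descriptor
# Output: the idp_cert / idp_cert_fingerprint values for gitlab.rb.

# Constructed stand-in for the DER certificate bytes; NOT a real certificate.
FAKE_DER = 'constructed stand-in for DER certificate bytes'.b
FAKE_B64 = [FAKE_DER].pack('m0')   # single-line base64, as Keycloak emits it

# Constructed descriptor with the element layout Keycloak uses.
SAMPLE_DESCRIPTOR = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                         xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <md:EntityDescriptor entityID="https://auth.idocker.hacking-lab.com/auth/realms/master">
      <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
          <ds:KeyInfo>
            <ds:KeyName>constructed-kid</ds:KeyName>
            <ds:X509Data>
              <ds:X509Certificate>
                #{FAKE_B64}
              </ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
      </md:IDPSSODescriptor>
    </md:EntityDescriptor>
  </md:EntitiesDescriptor>
XML

# Base64 bodies of all signing certificates (there can be several while a
# realm key rotation is in progress). A regex is enough for Keycloak's fixed
# descriptor layout; use a real XML parser for input you do not control.
def signing_certs(xml)
  xml.scan(%r{<md:KeyDescriptor[^>]*use="signing"[^>]*>(.*?)</md:KeyDescriptor>}m)
     .flat_map { |(body)| body.scan(%r{<ds:X509Certificate>(.*?)</ds:X509Certificate>}m) }
     .map { |(b64)| b64.gsub(/\s+/, '') }
end

# PEM form for idp_cert: 64-character base64 lines between the markers.
def to_pem(b64)
  "-----BEGIN CERTIFICATE-----\n#{b64.scan(/.{1,64}/).join("\n")}\n-----END CERTIFICATE-----\n"
end

# SHA-1 over the DER bytes, colon separated, the format idp_cert_fingerprint is compared against.
def fingerprint(b64)
  Digest::SHA1.hexdigest(b64.unpack1('m')).scan(/../).join(':').upcase
end

# Values for the args hash in gitlab.rb. Refuses to guess when the descriptor
# lists zero or several signing certificates: pinning the wrong one means
# every login fails, so a human must pick during a key rotation.
def gitlab_idp_cert_settings(xml)
  certs = signing_certs(xml)
  raise "expected exactly one signing certificate, found #{certs.length}" unless certs.length == 1
  { 'idp_cert' => to_pem(certs[0]), 'idp_cert_fingerprint' => fingerprint(certs[0]) }
end

if $PROGRAM_NAME == __FILE__
  # Replace SAMPLE_DESCRIPTOR with File.read('descriptor.xml') for a real realm.
  gitlab_idp_cert_settings(SAMPLE_DESCRIPTOR).each { |k, v| puts "#{k}:\n#{v}" }
end
```

Pinning the full certificate (idp_cert) and pinning its fingerprint (idp_cert_fingerprint) give the same protection; either way the value has to be replaced when the realm keys rotate, which is why the script refuses to choose when it sees more than one signing certificate.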

 

 

Step 3 - Configure GitLab

This needs to be done in the configuration file of your GitLab instance. On a host installation:

vim /etc/gitlab/gitlab.rb

If GitLab runs as a Docker Compose service, enter the container first:

docker-compose exec YourServiceName bash
vim /etc/gitlab/gitlab.rb

Adding the SAML OmniAuth Provider configuration

The GitLab config snippet below contains the settings that control the SAML OmniAuth provider.
As before, don't forget to replace the GitLab hostname. Additionally replace YOUR_KEYCLOAK_IDP_CERT with the certificate from the previous step, and the Keycloak address with the actual address of your Keycloak instance.

gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_sync_email_from_provider'] = 'saml'
gitlab_rails['omniauth_sync_profile_from_provider'] = ['saml']
gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
gitlab_rails['omniauth_auto_sign_in_with_provider'] = ''
gitlab_rails['omniauth_auto_link_ldap_user'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
  {
    "name" => "saml",
    "label" => "GitLab SAML Keycloak",
    "groups_attribute" => "roles",
    "external_groups" => ["ttyd.idocker.hacking-lab.com:external"],
    "args" => {
      "assertion_consumer_service_url" => 'https://ttyd.idocker.hacking-lab.com/users/auth/saml/callback',
      "idp_cert" => 'YOUR_KEYCLOAK_IDP_CERT',
      "idp_sso_target_url" => 'https://auth.idocker.hacking-lab.com/auth/realms/master/protocol/saml/clients/ttyd.idocker.hacking-lab.com',
      "issuer" => 'ttyd.idocker.hacking-lab.com',
      "name_identifier_format" => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
      "attribute_statements" => { "first_name" => ['first_name'], "last_name" => ['last_name'], "name" => ['name'], "username" => ['name'], "email" => ['email'] }
    }
  }
]

Afterwards apply the configuration with:

gitlab-ctl reconfigure

A note on two of these settings: omniauth_block_auto_created_users = false means that every account that can authenticate at Keycloak immediately becomes an active GitLab user, and omniauth_auto_link_saml_user = true links a SAML login to an existing GitLab account with the same email address. Both are convenient for a lab; for a production instance, restrict who can register at the IdP or set omniauth_block_auto_created_users to true so that an administrator has to approve new accounts.
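The mapper names on the Keycloak side (Mappers tab in Step 2) and the attribute_statements on the GitLab side are configured in two different places and nothing checks that they agree, so a typo such as two mappers emitting the same SAML attribute name only shows up as wrong user names after the first login. As an added example, not the post's own code and not part of GitLab or Keycloak, the Ruby script below builds the provider entry shown above from the two hostnames and the mapper list, and refuses to produce it unless every attribute GitLab reads is emitted by exactly one mapper. Hostnames, realm, role name and mapper names are the ones used in this post; the certificate is a placeholder, and the "typo" mapper list is a constructed mistake used to exercise the check.

```ruby
# Added example (editor's code, not from the original post or from GitLab/Keycloak):
# build the SAML provider entry for /etc/gitlab/gitlab.rb and verify that the
# Keycloak mappers and GitLab's attribute_statements agree before writing it.

GITLAB_HOST  = 'ttyd.idocker.hacking-lab.com'
KEYCLOAK_URL = 'https://auth.idocker.hacking-lab.com'
REALM        = 'master'

# Keycloak client mappers: :attribute is the "SAML Attribute Name" each one emits.
MAPPERS = [
  { name: 'name',       type: 'User Property', attribute: 'name' },
  { name: 'email',      type: 'User Property', attribute: 'email' },
  { name: 'first_name', type: 'User Property', attribute: 'first_name' },
  { name: 'last_name',  type: 'User Property', attribute: 'last_name' },
  { name: 'roles',      type: 'Role list',     attribute: 'roles' }
].freeze

# Constructed mistake: the last_name mapper emits "name" as well, a typo that
# is easy to make in the admin console and that nothing in Keycloak flags.
MAPPERS_WITH_TYPO = MAPPERS.map { |m| m[:name] == 'last_name' ? m.merge(attribute: 'name') : m }.freeze

# GitLab side: user field => SAML attribute(s) it is read from.
ATTRIBUTE_STATEMENTS = {
  'first_name' => ['first_name'], 'last_name' => ['last_name'],
  'name' => ['name'], 'username' => ['name'], 'email' => ['email']
}.freeze

# Every attribute GitLab reads (user fields plus the groups attribute) must be
# emitted by exactly one mapper. A missing one leaves the GitLab field empty;
# a duplicated one makes the value GitLab picks depend on attribute order.
def check_attribute_mapping(mappers, attribute_statements, groups_attribute: 'roles')
  emitted  = mappers.map { |m| m[:attribute] }
  problems = []
  emitted.tally.each do |attr, n|
    problems << "SAML attribute '#{attr}' is emitted by #{n} mappers" if n > 1
  end
  wanted = attribute_statements.merge('groups_attribute' => [groups_attribute])
  wanted.each do |field, attrs|
    missing = attrs - emitted
    problems << "GitLab field '#{field}' reads '#{missing.join(', ')}' but no mapper emits it" unless missing.empty?
  end
  problems
end

# The provider hash for gitlab_rails['omniauth_providers'], or ArgumentError
# if the mapping check fails.
def saml_provider(gitlab_host:, keycloak_url:, realm:, idp_cert:,
                  mappers: MAPPERS, attribute_statements: ATTRIBUTE_STATEMENTS)
  problems = check_attribute_mapping(mappers, attribute_statements)
  raise ArgumentError, "mapping mismatch:\n  #{problems.join("\n  ")}" unless problems.empty?
  {
    'name'             => 'saml',
    'label'            => 'GitLab SAML Keycloak',
    'groups_attribute' => 'roles',
    'external_groups'  => ["#{gitlab_host}:external"],   # client role from Step 2
    'args' => {
      'assertion_consumer_service_url' => "https://#{gitlab_host}/users/auth/saml/callback",
      'idp_cert'                       => idp_cert,
      # IdP-initiated SSO URL; the last path segment is the client's
      # "IDP Initiated SSO URL Name", which is the GitLab hostname here.
      'idp_sso_target_url'     => "#{keycloak_url}/auth/realms/#{realm}/protocol/saml/clients/#{gitlab_host}",
      'issuer'                 => gitlab_host,   # must equal the Keycloak Client ID
      'name_identifier_format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
      'attribute_statements'   => attribute_statements
    }
  }
end

# Ruby source ready to paste into gitlab.rb (then run gitlab-ctl reconfigure).
def gitlab_rb_snippet(provider)
  "gitlab_rails['omniauth_providers'] = [\n  #{provider.inspect}\n]\n"
end

if $PROGRAM_NAME == __FILE__
  puts check_attribute_mapping(MAPPERS_WITH_TYPO, ATTRIBUTE_STATEMENTS)
  puts gitlab_rb_snippet(saml_provider(gitlab_host: GITLAB_HOST, keycloak_url: KEYCLOAK_URL,
                                       realm: REALM, idp_cert: 'YOUR_KEYCLOAK_IDP_CERT'))
end
```

Run it once with the mapper list you actually created in Keycloak before reconfiguring GitLab; with the typo variant it reports both the duplicated "name" attribute and the missing "last_name", with the correct list it prints the provider entry.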

           

   

 


 

Enable User Self Registration in the Keycloak Admin Console

Turn on User registration on the Login tab of the Realm Settings of the master realm. Be aware that this lets anyone who can reach Keycloak create an account, and with omniauth_block_auto_created_users = false (Step 3) that account is immediately a GitLab user. This is fine for a lab like this one; for a real deployment, use a dedicated realm rather than master (Keycloak reserves the master realm for administration) and keep registration closed or gated.

Step 4 - Test Login

GitLab URL: https://ttyd.idocker.hacking-lab.com

Log out of your GitLab and you should land on the normal GitLab login page. Try to log in to GitLab again using the button

Sign in with GitLab SAML Keycloak

You are redirected to the Keycloak login page. Click on Register user to create a new user.

Once the user is registered you can also manage it from the Keycloak Admin Console:

Congratulations! You've successfully integrated GitLab with Keycloak.

About Author

Ankit Kumar

RedHat certified in System Administration as well as Ansible Automation. A self-motivated professional with excellent research skill, enthusiasm to learn new things and always try to do his best
