
Keycloak

The JBoss Keycloak system is a widely used and open-source identity management system that supports integration with applications via SAML and OpenID Connect. It can also operate as an identity broker between other providers such as LDAP or other SAML providers and applications that support SAML or OpenID Connect.

Here is an example of how to configure a new client entry in Keycloak and configure Casdoor to use it to allow UI login by Keycloak users who are granted access via Keycloak configuration.

Configure Keycloak

For this example, let's make the following configuration choices and assumptions:

  • Assume that you are running Casdoor in dev mode locally. The Casdoor UI is available at http://localhost:7001 and the server is available at http://localhost:8000. Replace with the appropriate URL as needed.
  • Assume that you are running Keycloak locally. The Keycloak UI is available at http://localhost:8080/auth.
  • Based on this, the SP ACS URL for this deployment will be: http://localhost:8000/api/acs.
  • Our SP Entity ID will use the same URL: http://localhost:8000/api/acs.

You can use the default realm or create a new realm.

Add Keycloak realm

Keycloak realm

Add a client entry in Keycloak

Info

For more details about Keycloak Clients, refer to the Keycloak documentation.

Click Clients in the menu, then click Create to go to the Add Client page. Fill in the fields as follows:

  • Client ID: http://localhost:8000/api/acs - This will be the SP Entity ID used later in the Casdoor configuration.
  • Client Protocol: saml.
  • Client SAML Endpoint: http://localhost:8000/api/acs - This URL is where you want the Keycloak server to send SAML requests and responses. Generally, applications have one URL for processing SAML requests. Multiple URLs can be set in the Settings tab of the client.

Add Keycloak client

Click Save. This action creates the client and takes you to the Settings tab.

The following are part of the settings:

  1. Name - Casdoor. This is only used to display a friendly name to Keycloak users in the Keycloak UI. You can use any name you prefer.
  2. Enabled - Select on.
  3. Include Authn Statement - Select on.
  4. Sign Documents - Select on.
  5. Sign Assertions - Select off.
  6. Encrypt Assertions - Select off.
  7. Client Signature Required - Select off.
  8. Force Name ID Format - Select on.
  9. Name ID Format - Select username.
  10. Valid Redirect URIs - Add http://localhost:8000/api/acs.
  11. Master SAML Processing URL - http://localhost:8000/api/acs.
  12. Fine Grain SAML Endpoint Configuration
    1. Assertion Consumer Service POST Binding URL - http://localhost:8000/api/acs
    2. Assertion Consumer Service Redirect Binding URL - http://localhost:8000/api/acs

Save the configuration.
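To make the settings list above concrete, here is the SAML SP metadata that the Keycloak client settings correspond to. This is an added example, not Keycloak or Casdoor code: it shows which SAML metadata elements each UI field stands for (Client ID is the SP entityID, Client Signature Required is AuthnRequestsSigned, Sign Assertions is WantAssertionsSigned, the two Fine Grain fields are the AssertionConsumerService entries). The URLs are the ones assumed in this guide; the keyword names of build_sp_metadata are invented for this example.

```python
"""SAML SP metadata equivalent of the Keycloak client settings above.

Added example, not Keycloak or Casdoor code: it shows which SAML metadata
elements the UI fields correspond to. The URLs are the ones assumed in this
guide; the keyword names of build_sp_metadata are invented for this example.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Keycloak's "Name ID Format" choices and the SAML URIs they stand for.
NAME_ID_FORMATS = {
    "username": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "email": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "persistent": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "transient": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}


def build_sp_metadata(acs_url, entity_id=None, name_id_format="username",
                      sign_authn_requests=False, want_assertions_signed=False):
    """Return an EntityDescriptor element describing Casdoor as the SP.

    sign_authn_requests    <-> Client Signature Required (AuthnRequestsSigned)
    want_assertions_signed <-> Sign Assertions (WantAssertionsSigned); the
    guide leaves this off because Sign Documents already signs the Response.
    """
    if name_id_format not in NAME_ID_FORMATS:
        raise ValueError(f"unknown Name ID Format {name_id_format!r}")
    # Client ID in Keycloak is the SP entityID; the guide reuses the ACS URL.
    root = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id or acs_url)
    sp = ET.SubElement(
        root, f"{{{MD}}}SPSSODescriptor",
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol",
        AuthnRequestsSigned=str(sign_authn_requests).lower(),
        WantAssertionsSigned=str(want_assertions_signed).lower(),
    )
    # Force Name ID Format + Name ID Format = username.
    ET.SubElement(sp, f"{{{MD}}}NameIDFormat").text = NAME_ID_FORMATS[name_id_format]
    # The two Fine Grain SAML Endpoint fields: POST and Redirect binding ACS URLs.
    for index, binding in enumerate((BINDING_POST, BINDING_REDIRECT)):
        ET.SubElement(
            sp, f"{{{MD}}}AssertionConsumerService",
            Binding=binding, Location=acs_url,
            index=str(index), isDefault=str(index == 0).lower(),
        )
    return root


def sp_metadata_xml(acs_url, **settings):
    """Serialise build_sp_metadata() with the conventional md: prefix."""
    ET.register_namespace("md", MD)
    return ET.tostring(build_sp_metadata(acs_url, **settings), encoding="unicode")


if __name__ == "__main__":
    print(sp_metadata_xml("http://localhost:8000/api/acs"))
```

Running the block prints the descriptor for the ACS URL assumed above; calling `sp_metadata_xml(url, sign_authn_requests=True)` shows the change the Client Signature Required tip later in this page implies on the SP side.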

Configure Keycloak client

Tip

If you want the authn request to be signed, enable the Client Signature Required option and upload a certificate you generated yourself. The private key and certificate Casdoor uses, token_jwt_key.key and token_jwt_key.pem, are located in the object directory. In Keycloak, click the Keys tab, click Import, select Certificate PEM as the Archive Format, and upload the certificate.

Click the Installation tab.

For Keycloak <= 5.0.0, select Format Option - SAML Metadata IDPSSODescriptor and copy the metadata.

For Keycloak 6.0.0+, select Format Option - Mod Auth Mellon files and click Download. Unzip the downloaded .zip, locate idp-metadata.xml, and copy the metadata.

Metadata download

Copy metadata

Configure Casdoor

Create a new provider in Casdoor.

Select SAML as the category and Keycloak as the type. Copy the content of the metadata and paste it into the Metadata field. The values of Endpoint, IdP, and Issuer URL will be generated automatically after clicking the Parse button. Finally, click the Save button.

Tip

If you enable the Client Signature Required option in Keycloak and upload the certificate, enable the Sign request option in Casdoor.
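The Parse step above and the signing tip both depend on what the exported idp-metadata.xml says. The following added example, which is not Casdoor's own parser, extracts from Keycloak IdP metadata the entityID, the SSO endpoints per binding, the signing certificate and the WantAuthnRequestsSigned flag, and rejects metadata that is not IdP metadata at all (pasting SP metadata by mistake is a common cause of a Parse failure). The sample document is constructed to resemble a Keycloak export: the realm name "example" and the certificate text are placeholders, and the mapping onto Casdoor's Endpoint / IdP / Issuer URL fields is an assumption made for this example.

```python
"""Parse Keycloak IdP metadata the way the Casdoor Parse button does.

Added example, not Casdoor's own parser. SAMPLE_IDP_METADATA is constructed
to resemble the idp-metadata.xml Keycloak exports: the realm name "example"
and the certificate text are placeholders. The mapping onto Casdoor's
Endpoint / IdP / Issuer URL fields is an assumption made for this example.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample; a real export carries a full base64 certificate.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://localhost:8080/auth/realms/example">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:KeyName>example-signing-key</ds:KeyName>
        <ds:X509Data>
          <ds:X509Certificate>
            MIIC.PLACEHOLDER.CERTIFICATE.BASE64
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:8080/auth/realms/example/protocol/saml"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:8080/auth/realms/example/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://localhost:8080/auth/realms/example/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Extract entityID, SSO endpoints, signing certs and the request-signing flag."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # SP metadata (SPSSODescriptor) is a common mix-up when copy-pasting.
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = {e.get("Binding"): e.get("Location")
           for e in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))  # strip wrapping
    return {
        "entity_id": root.get("entityID"),
        "sso": sso,
        "signing_certs": certs,
        "idp_wants_signed_requests":
            idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
    }


def casdoor_provider_fields(meta):
    """Map parsed metadata onto the provider form (assumed field mapping)."""
    endpoint = meta["sso"].get(BINDING_POST) or meta["sso"].get(BINDING_REDIRECT)
    if endpoint is None:
        raise ValueError("IdP advertises no HTTP-POST or HTTP-Redirect SSO endpoint")
    if not meta["signing_certs"]:
        # Without the IdP certificate, signed responses cannot be verified.
        raise ValueError("IdP metadata carries no signing certificate")
    return {
        "Endpoint": endpoint,
        "IdP": meta["signing_certs"][0],
        "Issuer URL": meta["entity_id"],
        # Advisory flag from the metadata; whether Keycloak actually enforces
        # it is the client's Client Signature Required setting (see the tip).
        "IdP wants signed requests": meta["idp_wants_signed_requests"],
    }


if __name__ == "__main__":
    fields = casdoor_provider_fields(parse_idp_metadata(SAMPLE_IDP_METADATA))
    for key, value in fields.items():
        print(f"{key}: {value}")
```

The signing certificate is kept as the base64 body only, which is the form a certificate field usually expects; if the export lists several KeyDescriptor entries, the first signing one is used, and a metadata document without any signing certificate is rejected rather than silently producing a provider that cannot verify responses.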

Casdoor provider

Edit the application you want to configure in Casdoor. Select the provider you just added and click the Save button.

Add provider for application

Verify the result

Go to the application you just configured and you will find a Keycloak icon on the login page.

Click the icon and you will be redirected to the Keycloak login page. After successful authentication, you will be logged into Casdoor.

Casdoor login