I have createad a docker-compose environment with Keycloak:
################################
version: '3.7'
services:
mysql:
image: mysql:5.7.29
container_name: mysql-SSO
ports:
- "3306:3306"
environment:
- MYSQL_DATABASE=keycloak
- MYSQL_USER=keycloak
- MYSQL_PASSWORD=password
- MYSQL_ROOT_PASSWORD=root_password
healthcheck:
test: "mysqladmin ping -u root -p$${MYSQL_ROOT_PASSWORD}"
start_period: 10s
keycloak:
image: jboss/keycloak:9.0.3
container_name: keycloak-SSO
environment:
- KEYCLOAK_USER=admin
- KEYCLOAK_PASSWORD=admin
- DB_VENDOR=mysql
- DB_ADDR=mysql
- DB_USER=keycloak
- DB_PASSWORD=password
- JDBC_PARAMS=useSSL=false
ports:
- 8080:8080
depends_on:
- mysql
healthcheck:
test: "curl -f http://localhost:8080/auth || exit 1"
start_period: 10s
################################
At first I tryed to configure SSO using a Liferay Docker image:
docker run --name='liferay' -d -p 8081:8080 liferay/portal:7.1.0-ga1-201809012030
Unfortunately I have a redirection error on liferay when it receives the auth token from Keycloak. So I decided to give a test with a real instance of Liferay, so I installed it and started Liferay.
I changed Liferay Tomcat port to 8090.
So I did the following cofiguration steps:
on Keycloak:
- Realm Settings: click on Endpoints "OpenId Endpoint Configuration" and leave the tab opened, we well need those values in a while.
- Clients: Create new Client
- Credentials: copy client secrets.
- Identity Providers: Create a new idp: Keycloak OpenID Connect, use the tab we left open at step 1 to fill URLS and choose "Client secrets sent as basic auth" on Client Authentication, and the client-id has to be the same of the one configured before.
- Users: create a user, and set passwords in Credentials.
- On Liferay:
- Configuration -> System Settings -> SSO -> OpenIdConnect: Check Enabled
- Configuration -> System Settings -> SSO -> OpenId Connect Provider: create new provider:
- provider name: keycloak idp
- secret: keycloak clients secret
- Provider Name: from Keycloak
- OpenID Connect Client ID: from Keycloak
- OpenID connect client secret: from Keycloak
- Scopes: openid email profile
- Discovery Endpoint Cache in Milliseconds: 360000
- Authorization Endpoint: http://localhost:8080/auth/realms/master/protocol/openid-connect/auth
- Issuer URL: http://localhost:8080/auth/realms/master
- JWKS URI: http://localhost:8080/auth/realms/master/protocol/openid-connect/certs
- ID Token Signing Algorithms: RS256
- Subject Types: public
- Token Endpoint: http://localhost:8080/auth/realms/master/protocol/openid-connect/token
- User Information Endpoint: http://localhost:8080/auth/realms/master/protocol/openid-connect/userinfo
- Go to anonymous page and click on sign in. Then click on OpenId Connect.
- Login with the user created in Keycloak and pray.
Once signed in on Liferay through OpenIdConnect Liferay could require email verification.
If it happens we have to disable the functionality in authentication settings.
Nessun commento:
Posta un commento