Problem:
I’m getting the following error in Foreman after successfully logging into Keycloak as part of the extlogin process:
2021-08-18T20:46:33 [I|app|96c46a9a] Started GET "/users/extlogin" for 64.125.235.5 at 2021-08-18 20:46:33 +0000
2021-08-18T20:46:33 [I|app|96c46a9a] Processing by UsersController#extlogin as HTML
2021-08-18T20:46:33 [W|app|96c46a9a] SSO failed
2021-08-18T20:46:33 [W|app|96c46a9a] falling back to login form
2021-08-18T20:46:33 [I|app|96c46a9a] Redirected to https://puppet-workstations.<redacted>.com/users/login
2021-08-18T20:46:33 [I|app|96c46a9a] Filter chain halted as :require_login rendered or redirected
2021-08-18T20:46:33 [I|app|96c46a9a] Completed 302 Found in 21ms (ActiveRecord: 0.9ms | Allocations: 10912)
Expected outcome:
The user logging in through Keycloak should be created and should be logged in.
Foreman and Proxy versions: 2.5.2
Distribution and version: Ubuntu 18.04.5 LTS
Keycloak version: 15.0.0
Other relevant data:
My Foreman instance is at https://puppet-workstations.<redacted>.com
My Keycloak instance is at https://keycloak.<redacted>.com:8443
I’m running Ubuntu 18.04 so my Apache configuration is a little different. I was able to install the apache2-mod-auth-openidc through the apt repository, and I was able to get the keycloak tool through the GitHub repo jdennis/keycloak-httpd-client-install (Python support for Keycloak).
keycloak-httpd-client-install --app-name foreman-openidc --keycloak-server-url https://keycloak.<redacted>.com.:8443 --keycloak-admin-username admin --keycloak-realm master --keycloak-admin-realm master --keycloak-auth-role root-admin -t openidc -l /users/extlogin
enter admin password:
[Step 1] Assure HTTP config directory is present
[Step 2] Assure HTTP federation directory is present
[Step 3] Set up template environment
[Step 4] Build OIDC httpd config file
[Step 5] Build Keycloak OIDC clientRepresentation
[Step 6] Connect to Keycloak Server as admin
[Step 7] Query realms from Keycloak server
[Step 8] Use existing realm on Keycloak server
[Step 9] Query realm clients from Keycloak server
[Step 10] Force delete client on Keycloak server
[Step 11] Creating new client from native
[Step 12] Completed Successfully
After running the keycloak-httpd-client-install tool I was able to get the Apache config in /etc/httpd/conf.d and move it under /etc/apache2/conf.d , and it looks to be loading fine as I’m able to get redirected to Keycloak when I try to access Foreman.
These are the Authentication settings I have in Foreman:
Authorize login delegation yes
Authorize login delegation
auth source user autocreate External
OIDC Algorithm RS256
OIDC Audience [puppet-workstations.<redacted>.com-foreman-openidc]
OIDC Issuer https://keycloak.<redacted>.com:8443/auth/realms/ssl-realm
OIDC JWKs URL https://keycloak.<redacted>.com:8443/auth/realms/ssl-realm/protocol/openid-connect/certs
And these are the Apache settings in the config created by the keycloak tool:
root@puppet-workstations:/etc/apache2/conf.d# cat foreman-openidc_oidc_keycloak_ssl-realm.conf
OIDCClientID puppet-workstations.<redacted>.com-foreman-openidc
OIDCProviderMetadataURL https://keycloak.<redacted>.com.:8443/auth/realms/ssl-realm/.well-known/openid-configuration
OIDCCryptoPassphrase c8d4ecdf527a
OIDCClientSecret 2a3844991756
OIDCRedirectURI https://puppet-workstations.<redacted>.com/users/extlogin/redirect_uri
OIDCRemoteUserClaim sub
<Location /users/extlogin>
AuthType openid-connect
Require valid-user
</Location>
I confirmed the Client ID and Secret match what’s in Keycloak. I created the “audience-mapper” and “group-mapper”. I also confirmed I have both “https://puppet-workstations.<redacted>.com/users/extlogin” and “https://puppet-workstations.<redacted>.com/users/extlogin/redirect_uri” listed in the Valid Redirect URIs in Keycloak.
Any help is greatly appreciated, and thank you in advance
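As an added example (not code from the post, from Foreman or from mod_auth_openidc), the Ruby script below mimics the checks that the Foreman OIDC settings listed in the post correspond to: it takes an RS256 ID token, picks the signing key by `kid` from a JWKS document, verifies the signature, and only then compares issuer and audience exactly and checks expiry. The IdP key, the `kid`, the user claims and the token variants are all constructed here; only the issuer and audience strings are taken from the post's settings. The rejected cases show that a token whose audience is not the configured client ID, whose issuer differs only by a trailing dot in the hostname (both spellings of the Keycloak host appear in this post), which has expired, or whose payload was edited after signing is refused before any user would be created; a rejected token is one of the ways a request ends up on the "SSO failed" / "falling back to login form" path shown in the log.

```ruby
require 'openssl'
require 'json'

# Base64url helpers (RFC 7515: URL-safe alphabet, no padding), built on pack/unpack so no extra gem is needed.
def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  s = str.tr('-_', '+/')
  s += '=' * ((4 - s.length % 4) % 4)
  s.unpack1('m0')
end

# What the IdP does: sign header.payload with RS256 (RSA PKCS#1 v1.5, SHA-256) and tag the key with a kid.
def sign_rs256(payload, private_key, kid)
  header = { 'alg' => 'RS256', 'typ' => 'JWT', 'kid' => kid }
  signing_input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(payload))}"
  signature = private_key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url_encode(signature)}"
end

# A minimal JWKS document (RFC 7517/7518): modulus and exponent as base64url big-endian bytes.
def jwks_for(private_key, kid)
  { 'keys' => [{ 'kty' => 'RSA', 'use' => 'sig', 'alg' => 'RS256', 'kid' => kid,
                 'n' => b64url_encode(private_key.n.to_s(2)),
                 'e' => b64url_encode(private_key.e.to_s(2)) }] }
end

# Rebuild the RSA public key from a JWK via a SubjectPublicKeyInfo DER (works on OpenSSL 1.1 and 3.x).
def rsa_from_jwk(jwk)
  n = OpenSSL::BN.new(b64url_decode(jwk['n']), 2)
  e = OpenSSL::BN.new(b64url_decode(jwk['e']), 2)
  rsa_public_key = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer(n), OpenSSL::ASN1::Integer(e)])
  alg_id = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::ObjectId('rsaEncryption'), OpenSSL::ASN1::Null(nil)])
  spki = OpenSSL::ASN1::Sequence([alg_id, OpenSSL::ASN1::BitString(rsa_public_key.to_der)])
  OpenSSL::PKey::RSA.new(spki.to_der)
end

# The relying-party side. Order matters: pin the algorithm, find the key, verify the signature,
# and only then trust the claims enough to compare iss/aud/exp. Returns [ok, claims_or_reason].
def verify_oidc_token(token, jwks:, issuer:, audience:, now: Time.now.to_i)
  h64, p64, s64 = token.split('.')
  return [false, 'malformed token'] unless h64 && p64 && s64
  header = JSON.parse(b64url_decode(h64))
  return [false, "unexpected alg #{header['alg'].inspect}"] unless header['alg'] == 'RS256'
  jwk = jwks['keys'].find { |k| k['kty'] == 'RSA' && k['kid'] == header['kid'] }
  return [false, 'no matching key in JWKS'] unless jwk
  public_key = rsa_from_jwk(jwk)
  signature_ok = public_key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(s64), "#{h64}.#{p64}")
  return [false, 'bad signature'] unless signature_ok
  claims = JSON.parse(b64url_decode(p64))
  return [false, "issuer mismatch: #{claims['iss'].inspect}"] unless claims['iss'] == issuer
  aud = Array(claims['aud']) # aud may be a single string or a list
  return [false, "audience mismatch: #{aud.inspect}"] unless aud.include?(audience)
  return [false, 'token expired'] unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  [true, claims]
end

# Constructed scenario: a throwaway IdP key and kid; issuer and audience are the strings from the Foreman settings.
ISSUER   = 'https://keycloak.<redacted>.com:8443/auth/realms/ssl-realm'
AUDIENCE = 'puppet-workstations.<redacted>.com-foreman-openidc'
IDP_KEY  = OpenSSL::PKey::RSA.new(2048)
KID      = 'constructed-kid-1'
JWKS     = jwks_for(IDP_KEY, KID)

def demo_tokens(now = Time.now.to_i)
  base = { 'sub' => 'alice', 'iat' => now, 'exp' => now + 300 }
  check = ->(tok) { verify_oidc_token(tok, jwks: JWKS, issuer: ISSUER, audience: AUDIENCE, now: now) }

  good      = sign_rs256(base.merge('iss' => ISSUER, 'aud' => AUDIENCE), IDP_KEY, KID)
  wrong_aud = sign_rs256(base.merge('iss' => ISSUER, 'aud' => 'account'), IDP_KEY, KID)
  # Same host spelled with a trailing dot (as in the OIDCProviderMetadataURL line): a different issuer string.
  wrong_iss = sign_rs256(base.merge('iss' => ISSUER.sub('.com:8443', '.com.:8443'), 'aud' => AUDIENCE), IDP_KEY, KID)
  expired   = sign_rs256(base.merge('iss' => ISSUER, 'aud' => AUDIENCE, 'exp' => now - 1), IDP_KEY, KID)
  # Payload edited after signing (sub changed) while keeping the original signature.
  h, _p, s  = good.split('.')
  tampered  = [h, b64url_encode(JSON.generate(base.merge('iss' => ISSUER, 'aud' => AUDIENCE, 'sub' => 'admin'))), s].join('.')

  { good: check[good], wrong_aud: check[wrong_aud], wrong_iss: check[wrong_iss],
    expired: check[expired], tampered: check[tampered] }
end

if __FILE__ == $PROGRAM_NAME
  demo_tokens.each do |name, (ok, detail)|
    puts "#{name}: #{ok ? "accepted for sub=#{detail['sub']}" : "rejected (#{detail})"}"
  end
end
```

Run it with `ruby oidc_check.rb`; each of the five constructed tokens is accepted or rejected with the reason. The comparisons are deliberately exact string matches, which is how relying parties treat `iss` and `aud`, so the issuer configured in Foreman has to be byte-for-byte the value Keycloak puts in the token.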