I’m getting the following error in Foreman after successfully logging into Keycloak as part of the extlogin process:

```
2021-08-18T20:46:33 [I|app|96c46a9a] Started GET "/users/extlogin" for 220.127.116.11 at 2021-08-18 20:46:33 +0000
2021-08-18T20:46:33 [I|app|96c46a9a] Processing by UsersController#extlogin as HTML
2021-08-18T20:46:33 [W|app|96c46a9a] SSO failed
2021-08-18T20:46:33 [W|app|96c46a9a] falling back to login form
2021-08-18T20:46:33 [I|app|96c46a9a] Redirected to https://puppet-workstations.<redacted>.com/users/login
2021-08-18T20:46:33 [I|app|96c46a9a] Filter chain halted as :require_login rendered or redirected
2021-08-18T20:46:33 [I|app|96c46a9a] Completed 302 Found in 21ms (ActiveRecord: 0.9ms | Allocations: 10912)
```
The user logging in through Keycloak should be created and should be logged in.
Foreman and Proxy versions: 2.5.2
Distribution and version: Ubuntu 18.04.5 LTS
Keycloak version: 15.0.0
Other relevant data:
My Foreman instance is at https://puppet-workstations..com
My Keycloak instance is at https://keycloak..com:8443
I’m running Ubuntu 18.04 so my Apache configuration is a little different. I was able to install the apache2-mod-auth-openidc through the apt repository, and I was able to get the keycloak tool through the github repo GitHub - jdennis/keycloak-httpd-client-install: Python support for Keycloak.
```
keycloak-httpd-client-install --app-name foreman-openidc --keycloak-server-url https://keycloak.<redacted>.com.:8443 --keycloak-admin-username admin --keycloak-realm master --keycloak-admin-realm master --keycloak-auth-role root-admin -t openidc -l /users/extlogin
enter admin password:
[Step 1] Assure HTTP config directory is present
[Step 2] Assure HTTP federation directory is present
[Step 3] Set up template environment
[Step 4] Build OIDC httpd config file
[Step 5] Build Keycloak OIDC clientRepresentation
[Step 6] Connect to Keycloak Server as admin
[Step 7] Query realms from Keycloak server
[Step 8] Use existing realm on Keycloak server
[Step 9] Query realm clients from Keycloak server
[Step 10] Force delete client on Keycloak server
[Step 11] Creating new client from native
[Step 12] Completed Successfully
```
After running the keycloak-httpd-client-install tool I was able to get the Apache config in /etc/httpd/conf.d and move it under /etc/apache2/conf.d , and it looks to be loading fine as I’m able to get redirected to Keycloak when I try to access Foreman.
These are the Authentication settings I have in Foreman:
```
Authorize login delegation: yes
Authorize login delegation auth source user autocreate: External
OIDC Algorithm: RS256
OIDC Audience: [puppet-workstations.<redacted>.com-foreman-openidc]
OIDC Issuer: https://keycloak.<redacted>.com:8443/auth/realms/ssl-realm
OIDC JWKs URL: https://keycloak.<redacted>.com:8443/auth/realms/ssl-realm/protocol/openid-connect/certs
```
And these are the Apache settings in the config created by the keycloak tool:
```
root@puppet-workstations:/etc/apache2/conf.d# cat foreman-openidc_oidc_keycloak_ssl-realm.conf
OIDCClientID puppet-workstations.<redacted>.com-foreman-openidc
OIDCProviderMetadataURL https://keycloak.<redacted>.com.:8443/auth/realms/ssl-realm/.well-known/openid-configuration
OIDCCryptoPassphrase c8d4ecdf527a
OIDCClientSecret 2a3844991756
OIDCRedirectURI https://puppet-workstations.<redacted>.com/users/extlogin/redirect_uri
OIDCRemoteUserClaim sub
<Location /users/extlogin>
AuthType openid-connect
Require valid-user
</Location>
```
I confirmed the Client ID and Secret match what’s in Keycloak. I created the “audience-mapper” and “group-mapper”. I also confirmed I have both “https://puppet-workstations..com/users/extlogin” and “https://puppet-workstations..com/users/extlogin/redirect_uri” listed in the Valid Redirect URIs in Keycloak.
Any help is greatly appreciated, and thank you in advance
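The "SSO failed" path in the log above is what Foreman takes when the token handed over by mod_auth_openidc does not validate against its own OIDC settings, so the first thing worth checking is that the Apache directives and the Foreman settings describe the same issuer, audience and endpoints. The script below is an added example written for this thread, not code from the post, Foreman, Keycloak or mod_auth_openidc. It parses the posted Apache config (copied here with `example.com` standing in for the redacted domain, so the secrets are the placeholder values from the post) and compares it with the posted Foreman settings. It assumes, as JWT libraries do by default, that the `iss` and `aud` claims are matched as exact strings, which is why it flags the host written with a trailing dot in `OIDCProviderMetadataURL` against the dot-less host in Foreman's OIDC Issuer as a spelling difference rather than silently normalizing it away.

```python
"""Consistency check between a mod_auth_openidc Apache config and Foreman's
OIDC settings.  Added example for the thread; constructed inputs only."""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the Apache config from the post, with example.com in
# place of the redacted domain.  The secrets are the placeholder values that
# appeared in the post, not real credentials.
APACHE_CONF = """
OIDCClientID puppet-workstations.example.com-foreman-openidc
OIDCProviderMetadataURL https://keycloak.example.com.:8443/auth/realms/ssl-realm/.well-known/openid-configuration
OIDCCryptoPassphrase c8d4ecdf527a
OIDCClientSecret 2a3844991756
OIDCRedirectURI https://puppet-workstations.example.com/users/extlogin/redirect_uri
OIDCRemoteUserClaim sub
<Location /users/extlogin>
AuthType openid-connect
Require valid-user
</Location>
"""

# Constructed sample: the Foreman Authentication settings from the post.
FOREMAN_SETTINGS = {
    "oidc_algorithm": "RS256",
    "oidc_audience": ["puppet-workstations.example.com-foreman-openidc"],
    "oidc_issuer": "https://keycloak.example.com:8443/auth/realms/ssl-realm",
    "oidc_jwks_url": "https://keycloak.example.com:8443/auth/realms/ssl-realm/protocol/openid-connect/certs",
}

WELL_KNOWN = "/.well-known/openid-configuration"


def parse_apache_oidc(text):
    """Return {directive: value} for every OIDC* directive plus the path of the
    <Location> block; the value is the rest of the line after the directive."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<Location\s+(\S+)\s*>", line)
        if m:
            conf["Location"] = m.group(1)
            continue
        parts = line.split(None, 1)
        if parts[0].startswith("OIDC") and len(parts) == 2:
            conf[parts[0]] = parts[1].strip()
    return conf


def normalize_url(url):
    """Lower-case scheme and host, drop a trailing root dot from the host and a
    trailing slash from the path, so two spellings of one endpoint compare equal."""
    p = urlsplit(url)
    host = (p.hostname or "").rstrip(".")
    netloc = host + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme.lower(), netloc, p.path.rstrip("/"), p.query, ""))


def issuer_from_metadata_url(url):
    """The issuer is the discovery URL minus the well-known suffix."""
    if not url.endswith(WELL_KNOWN):
        raise ValueError("not a discovery URL: " + url)
    return url[: -len(WELL_KNOWN)]


def check_settings(apache, foreman):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    client_id = apache.get("OIDCClientID")
    if client_id not in foreman["oidc_audience"]:
        findings.append(f"OIDC Audience {foreman['oidc_audience']} does not contain OIDCClientID {client_id!r}")
    apache_issuer = issuer_from_metadata_url(apache["OIDCProviderMetadataURL"])
    foreman_issuer = foreman["oidc_issuer"]
    if apache_issuer != foreman_issuer:
        if normalize_url(apache_issuer) == normalize_url(foreman_issuer):
            findings.append(f"issuer spelled differently in Apache ({apache_issuer}) and Foreman "
                            f"({foreman_issuer}); the iss claim is compared as an exact string")
        else:
            findings.append(f"Apache and Foreman point at different issuers: {apache_issuer} vs {foreman_issuer}")
    jwks = foreman["oidc_jwks_url"]
    if normalize_url(jwks) != normalize_url(foreman_issuer + "/protocol/openid-connect/certs"):
        findings.append(f"OIDC JWKs URL {jwks} is not the certs endpoint of issuer {foreman_issuer}")
    # mod_auth_openidc handles the callback itself, so the redirect URI must sit
    # inside the <Location> it protects.
    location = apache.get("Location", "")
    rpath = urlsplit(apache.get("OIDCRedirectURI", "")).path
    if not (location and rpath.startswith(location.rstrip("/") + "/")):
        findings.append(f"OIDCRedirectURI path {rpath!r} is not inside the protected <Location {location}>")
    if apache.get("OIDCRemoteUserClaim") is None:
        findings.append("OIDCRemoteUserClaim is not set, so REMOTE_USER would stay empty")
    return findings


if __name__ == "__main__":
    for finding in check_settings(parse_apache_oidc(APACHE_CONF), FOREMAN_SETTINGS) or ["no inconsistencies found"]:
        print("-", finding)
```

Run as-is, the only finding is the trailing-dot spelling difference between the two issuer values; replacing `keycloak.example.com.:8443` with `keycloak.example.com:8443` in the Apache config makes the check come back clean. Whether that difference is what Foreman rejects depends on which host name Keycloak writes into the `iss` claim, which the script cannot see offline; the point of the check is to make the two configurations agree on one spelling before reading tokens.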