I have been working on the SSO integration with Foreman using Keycloak. My findings are (referring to the awesome blog post by Pep: https://www.theforeman.org/2018/06/using-saml-for-single-sign-on-to-foreman-through-keycloak.html):
- By default, when we try to log in to https://foreman.example.com we get directly redirected to the SAML page.
- For internal users to log in, they need to specifically enter https://foreman.example.com/users/login
- Once logged in via SSO, the user is created within Foreman with the permissions and roles that are specified in Keycloak for that user.
Suggestions on how to implement Keycloak:
The current configuration requires the user to remember two URLs:
a) https://foreman.example.com or https://foreman.example.com/users/extlogin
b) https://foreman.example.com/users/login
Instead, I would suggest we have a link on the login page that says "external login" to redirect to the Keycloak authentication page.
Having an option for enabling/disabling the Keycloak service from foreman-installer would enable users to decide whether they need this feature or not.
These are my thoughts for implementing SSO with Foreman; any suggestions or comments would be highly appreciated.
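The two-URL behaviour described in the post comes from how the SAML protection is scoped in the web server in front of Foreman. The fragment below is an added illustration, not configuration from the original post, from Pep's blog or from the Foreman project; it assumes the Apache mod_auth_mellon reverse-proxy setup used in the referenced post, and every file path, entity ID and attribute name in it is a placeholder.

```apache
# Added example: mod_auth_mellon scoped so that only /users/extlogin requires
# a SAML assertion. /users/login is not covered by the "auth" block, which is
# why internal (database/LDAP) users can still reach Foreman's own login form.

# SP-wide Mellon settings; "info" only exposes the SAML endpoints under
# /mellon and does not force authentication on its own.
<Location />
    MellonEnable "info"
    MellonEndpointPath /mellon
    # Placeholder paths: generate SP key/cert and fetch IdP metadata from Keycloak
    MellonSPPrivateKeyFile /etc/httpd/saml2/sp-key.pem
    MellonSPCertFile /etc/httpd/saml2/sp-cert.pem
    MellonSPMetadataFile /etc/httpd/saml2/sp-metadata.xml
    MellonIdPMetadataFile /etc/httpd/saml2/idp-metadata.xml
    # Placeholder attribute; must match what the Keycloak client mapper releases
    MellonUser "NAME_ID"
    MellonSecureCookie On
</Location>

# Only this path demands a valid SAML session.
<Location /users/extlogin>
    AuthType Mellon
    MellonEnable "auth"
    Require valid-user
    # Hand the authenticated identity to Foreman via the REMOTE_USER header
    RequestHeader set REMOTE_USER %{MELLON_NAME_ID}e
</Location>
```

Because the SAML requirement stops at /users/extlogin, the internal form at /users/login stays reachable for anyone who knows the path; local accounts that remain enabled there are therefore still part of the exposed authentication surface and need the same password and access controls as before the SSO rollout. A practical check for either proposal in the post (a login-page link or an installer switch) is to confirm that /users/login still answers with Foreman's own form while /users/extlogin produces a redirect to Keycloak.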