Using SAML for Single Sign-on to Foreman through Keycloak

Foreman supports delegation of authentication to external providers, and there’s documentation that explains how to use it to authenticate against a FreeIPA server. External sources of authentication also include LDAP and Active Directory.


This is a companion discussion topic for the original entry at https://theforeman.org/2018/06/using-saml-for-single-sign-on-to-foreman-through-keycloak.html

Nice work @codificat - this reply is mainly to test embedding blog comments on the blog page… :smiley:

Thanks @Gwmngilfen! I hope the post is useful.

Comments seem to work fine :wink: so looking forward to getting feedback from readers :writing_hand:

Hi,

I want to better understand the reliance on Keycloak. Is this guide 100% reliant on Keycloak or can one make this work for another IdP like Jumpcloud with some tweaks?

I already have Jumpcloud as my IdP and I tried to configure Apache Mellon accordingly. Jumpcloud has something called the ACS URL. When I log in using their SAML2 connection I either get redirected to a page that does not exist or I trigger an infinite loop between the IdP and SP. Or I trigger CSRF protection. In testing this I’m not using CA-issued certs.

What could the URL used for passing authentication be?
/users/login/postResponse - Does not exist
/users/extlogin - Infinite loop
/users/login - CSRF protection error

Would another example using either Jumpcloud or AWS SSO for Foreman be possible?
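To make the ACS URL question above concrete, here is an added Apache configuration sketch for the mod_auth_mellon approach the original post describes. It is not the blog post's own configuration and not from anyone in this thread; the hostname, the `/mellon` endpoint path, the certificate and metadata file paths, and the use of a `REMOTE_USER` request header to hand the identity to Foreman are all assumptions to adapt to your deployment. The point it illustrates is that with mod_auth_mellon the ACS URL the IdP needs is derived from `MellonEndpointPath` (the `postResponse` endpoint underneath it), not from a Foreman route, and that only Foreman's external-login path should require a SAML session so the normal login form and its CSRF checks are left untouched.

```apache
# Added illustration, not configuration from the original post or the thread.
# Hostname, paths and file names below are placeholders (assumptions).
<VirtualHost *:443>
    ServerName foreman.example.com   # assumed hostname

    # Never trust an identity header supplied by the client itself; only the
    # value set by this server after a successful SAML login should reach Foreman.
    RequestHeader unset REMOTE_USER

    # mod_auth_mellon's own endpoints live under MellonEndpointPath. The IdP
    # (Jumpcloud, Keycloak, ...) must be given
    #   https://foreman.example.com/mellon/postResponse
    # as the Assertion Consumer Service (ACS) URL for this configuration.
    <Location />
        MellonEnable "info"
        MellonEndpointPath "/mellon"
        MellonSPPrivateKeyFile /etc/httpd/mellon/sp-key.pem        # assumed path
        MellonSPCertFile       /etc/httpd/mellon/sp-cert.pem       # assumed path
        MellonSPMetadataFile   /etc/httpd/mellon/sp-metadata.xml   # assumed path
        MellonIdPMetadataFile  /etc/httpd/mellon/idp-metadata.xml  # assumed path
        MellonSecureCookie On
    </Location>

    # Only the external-login route requires a SAML session. Protecting
    # /users/login as well would interfere with Foreman's own form login
    # and its CSRF protection.
    <Location /users/extlogin>
        MellonEnable "auth"
        # Pass the asserted identity on as REMOTE_USER; the Mellon environment
        # variable name is from mod_auth_mellon, the header mapping is an
        # assumption about how the identity is delivered to Foreman here.
        RequestHeader set REMOTE_USER "%{MELLON_NAME_ID}e"
    </Location>
</VirtualHost>
```

Two things worth checking against such a setup: the ACS URL registered at the IdP must match the `MellonEndpointPath` value exactly (scheme, host and path), and the unset of `REMOTE_USER` at the top is what prevents a request that bypasses the SAML exchange from presenting its own identity to the application.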

Hello @daniejstriata,

It is good to know about your interest in the Single Sign On feature.

The feature is supported only for the OpenID Connect protocol; we do not support SAML :slight_smile: This might be the reason you are facing difficulties in setting up your authentication environment.

For this feature, we have been very flexible and have followed the exact guidelines that are provided by the OpenID Connect spec and the OAuth 2.0 RFC. IMO, if an IdP follows the same specifications then you should be able to make use of this feature.

Let me know if you have any further questions; I can always help you set it up. You can also get in touch with me on IRC in the #theforeman-dev channel :slight_smile:

Thank you,

Hello @daniejstriata,

I am so sorry, my comment might have sounded misleading. So, this post by @codificat is pretty old. This post inspired the future development of support for Single Sign On. We noticed that SAML was not suitable for Hammer (CLI) and we wanted to support both UI and CLI. Therefore, we decided to support only OpenID Connect.

Please refer to this documentation for configuration of the same: https://docs.theforeman.org/master/Administering_Red_Hat_Satellite/index-foreman.html#integrating-satellite-with-red-hat-single-sign-on-for-external-authentication

Thank you,

Thank you for your feedback. Is the article’s heading mentioning SAML not wrong? Should it be OpenID instead of SAML?

Hello @daniejstriata,

This article is actually correct and was intended to work with SAML. If you see the article carefully, it makes use of the mod_auth_mellon package which is kinda old now. In addition, we also needed a solution that would support both the UI and the CLI; therefore we decided to implement the whole thing in OpenID Connect.

Follow the new document and you will be good to go.

Thanks,


Understood. Thanks for clarifying.

Is mod_auth_mellon going the way of the dodo? Should I investigate getting it to work for my other sites too? Foreman is at the top of my list of sites that do not inherently support SSO, and I wanted to use the lessons learned and apply them to the other sites, as I thought I’d use mod_auth_mellon and configure all the non-SSO sites in a similar way.
