flipboxfactory / saml-sp

SAML Service Provider (SP) Plugin for Craft CMS
https://saml-sp.flipboxfactory.com/

Keycloak SSO Setup #111

Closed aloco closed 3 years ago

aloco commented 3 years ago

Hi,

thank you for working on this Craft extension!

We would like to use your extension for a variety of projects; currently I am having difficulties in setting up Craft CMS with a Keycloak IdP. I am sure this is just a matter of configuration, but currently I am lost, since I am not experienced with SSO in general, and would need some hints to proceed.

I will try to summarize the steps I have taken:

  1. I have set up the plugin and configured the SP (Craft Instance)
  2. It shows (My Provider) beside the label (already read that this is important)
  3. The EntityId is the url of the webpage
  4. I created a new keycloak client
  5. I copied over the generated XML from the SP to keycloak when creating a new client "import" -> "select from file"
  6. keycloak shows https://xxxxxxxxxxxxxx-cloud.at/sso/login/d972f78f-fa5d-4dd6-a283-a72f8f7128b6 as Valid Redirect URIs and as Assertion Consumer Service POST Binding URL
  7. keycloak shows https://xxxxxxxxxxxxxx-cloud.at/sso/logout/d972f78f-fa5d-4dd6-a283-a72f8f7128b6 as Logout Service POST Binding URL and as Logout Service Redirect Binding URL
  8. Then in keycloak I navigate to "Installation" and choose "SAML Metadata SPSSODescriptor" to generate the configuration XML
  9. Next I create the IdP in Craft CMS and copy over the XML from keycloak
  10. It shows the same EntityId as the SP (is this right?)
  11. The UID for the IdP is 468269e5-0804-4cec-95e1-d55a7a0980c9
  12. Next I insert 'loginPath' => '/sso/login/request/468269e5-0804-4cec-95e1-d55a7a0980c9/d972f78f-fa5d-4dd6-a283-a72f8f7128b6' into my config.php
  13. I think I am done, I try to login on /admin with keycloak
  14. When clicking the login button, I always get an exception from Craft saying IdP Metadata is missing SSO Service

What am I missing here?

dsmrt commented 3 years ago

👋

I’ve never used Keycloak, so this one is new to me but it looks interesting!

I am wondering if you used the SP metadata from Keycloak instead of the IdP metadata. The SP and IdP should not have the same Entity ID. That is the unique id for the provider. Also, the error might hint at this as well, because it's missing items needed to process the SSO (which IdP metadata may have but SP doesn't).

Look at the contents and compare both metadata XML files and see if they are the same. If they are, this confirms the issue.

In Keycloak, you should be able to download their IdP metadata and import that into the Craft plugin.

aloco commented 3 years ago

Hi,

I figured it out. You were right, keycloak is also generating metadata for the SP, which I wrongly used for the IdP metadata within the plugin. In keycloak you can find the IdP metadata when you go to "realm settings" -> "general" -> "endpoints". However, the SAML 2.0 Identity Provider Metadata results in an XML file with a list of Entity Descriptors as root element. Therefore the plugin can't parse the XML; you must copy the desired <md:EntityDescriptor> entry from the XML, not the whole file. This might help someone in the future :)

Thank you for the small hint 👍
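The two checks discussed in this thread (dsmrt's suggestion to compare the SP and IdP metadata and confirm that the IdP file actually declares SSO endpoints, and aloco's finding that Keycloak wraps the IdP descriptor in an EntitiesDescriptor root that has to be unwrapped) can be scripted. The Python below is an added example, not code from the saml-sp plugin or from Keycloak; the two metadata documents are constructed, and every URL, realm name and the SP-UID-PLACEHOLDER value are placeholders rather than values from this issue.

```python
# Added example: inspect SAML 2.0 metadata, tell SP metadata from IdP metadata,
# and extract a single <md:EntityDescriptor> from an <md:EntitiesDescriptor> wrapper.
# Not part of the saml-sp plugin; all URLs and identifiers below are constructed.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
ET.register_namespace("md", MD)  # keep the md: prefix when re-serialising

# Constructed SP metadata, shaped like the file the SP side exports.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/sso/login/SP-UID-PLACEHOLDER" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata in the Keycloak style: the IdP descriptor sits inside
# an EntitiesDescriptor root, which is what the plugin cannot import as-is.
IDP_METADATA_WRAPPED = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp.example.test/realms/demo">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example.test/realms/demo/protocol/saml"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.test/realms/demo/protocol/saml"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def entity_descriptors(xml_text):
    """Return every EntityDescriptor, whether the root is one or an EntitiesDescriptor wrapper."""
    # ElementTree keeps this demo stdlib-only; metadata fetched from a third party
    # is better parsed with defusedxml (entity expansion and external entities off).
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{MD}}}EntityDescriptor":
        return [root]
    if root.tag == f"{{{MD}}}EntitiesDescriptor":
        return root.findall("md:EntityDescriptor", NS)
    raise ValueError(f"not SAML metadata: unexpected root {root.tag}")


def describe(ed):
    """Summarise one EntityDescriptor: which role(s) it declares and its SSO endpoints."""
    idp = ed.find("md:IDPSSODescriptor", NS)
    sso = [] if idp is None else [
        (s.get("Binding"), s.get("Location")) for s in idp.findall("md:SingleSignOnService", NS)
    ]
    return {
        "entityID": ed.get("entityID"),
        "is_idp": idp is not None,
        "is_sp": ed.find("md:SPSSODescriptor", NS) is not None,
        "sso_services": sso,
    }


def pairing_problems(sp_xml, idp_xml):
    """The checks from the thread: SP and IdP must not share an entityID, and the
    IdP file must declare an IDPSSODescriptor with at least one SingleSignOnService."""
    problems = []
    sp_ids = {d["entityID"] for d in map(describe, entity_descriptors(sp_xml))}
    for d in map(describe, entity_descriptors(idp_xml)):
        if d["entityID"] in sp_ids:
            problems.append(f"SP and IdP share entityID {d['entityID']} (same file imported twice?)")
        if not d["is_idp"]:
            problems.append(f"{d['entityID']} declares no IDPSSODescriptor (this is SP metadata)")
        elif not d["sso_services"]:
            problems.append(f"{d['entityID']} has no SingleSignOnService")
    return problems


def extract_idp_descriptor(xml_text, entity_id=None):
    """Return the one IdP EntityDescriptor as a standalone XML string, the form the
    plugin expects; entity_id narrows the choice when the wrapper holds several."""
    candidates = [ed for ed in entity_descriptors(xml_text) if describe(ed)["is_idp"]]
    if entity_id is not None:
        candidates = [ed for ed in candidates if ed.get("entityID") == entity_id]
    if len(candidates) != 1:
        raise ValueError(f"expected exactly one IdP descriptor, found {len(candidates)}")
    return ET.tostring(candidates[0], encoding="unicode")


if __name__ == "__main__":
    # The mistake from the thread: SP metadata used in place of IdP metadata.
    print(pairing_problems(SP_METADATA, SP_METADATA))
    # Correct pairing, then the single descriptor to paste into the plugin.
    print(pairing_problems(SP_METADATA, IDP_METADATA_WRAPPED))
    print(extract_idp_descriptor(IDP_METADATA_WRAPPED))
```

Running the script against a real SP export and the realm's IdP metadata replaces the eyeball comparison: feeding the SP file in both positions reports both the shared entityID and the missing IDPSSODescriptor, which is the configuration that produced the "IdP Metadata is missing SSO Service" exception, while a correct pair reports nothing and the extracted descriptor is the fragment to import.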