Keycloak is used to provide SSO for most of our applications.
The Keycloak admin console shows two "realms" - master and uwcs. Master is the default realm and should not be used - all users and clients must go in the uwcs realm. Master has a single account, admin, to allow logging into the admin console.
New users can be created under the Users tab, where you can also view existing users and manage their details. Users can also manage their own details through the account console, https://accounts.uwcs.co.uk
Users added to the 'exec' group get admin/sudo access on things that support group syncing, so only accounts that need root access to our infra should go in this group.
Keycloak is federated with the OpenLDAP directory, such that any accounts created in Keycloak are also created in LDAP.
Keycloak does not support the POSIX schema, so users are created with a default uidNumber and gidNumber of -1 and a default home directory of /. This is then updated in the actual directory by a script in /home/joey/ldap-hack on the auth server, which assigns the proper attributes and creates the necessary associated group. The script runs every 5 minutes using cron, and logs are at /home/joey/ldap-hack/updates.log.
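To make the fix-up concrete, here is an added example of the kind of work described above. It is a hypothetical re-creation, not the ldap-hack script on the auth server, and it works on in-memory dicts standing in for LDAP entries so it runs offline. The allocation conventions (ids from 10000 upwards, homes under /home, a private group per user) and the base DNs in the LDIF output are assumptions, not taken from the real directory.

```python
"""Allocate POSIX attributes for users that Keycloak has written with placeholders.

Hypothetical re-creation of the fix-up the ldap-hack script performs; it is not
that script. Entries are plain dicts so the logic can be exercised offline.
Assumed conventions (not from the page): ids are allocated from 10000 upwards,
home directories live under /home, and each user gets a private group whose
gidNumber equals the user's uidNumber.
"""
from typing import Dict, List, Tuple

PLACEHOLDER_ID = -1       # uidNumber/gidNumber value Keycloak writes
PLACEHOLDER_HOME = "/"    # homeDirectory value Keycloak writes
FIRST_ID = 10000          # assumed lowest allocatable uid/gid
HOME_ROOT = "/home"       # assumed parent of user home directories

Entry = Dict[str, object]

# Constructed sample directory contents: alice is already fixed, bob and carol
# are fresh Keycloak-created users, and the 'exec' group occupies gid 10001.
SAMPLE_USERS: List[Entry] = [
    {"uid": "alice", "uidNumber": 10000, "gidNumber": 10000, "homeDirectory": "/home/alice"},
    {"uid": "bob", "uidNumber": -1, "gidNumber": -1, "homeDirectory": "/"},
    {"uid": "carol", "uidNumber": -1, "gidNumber": -1, "homeDirectory": "/"},
]
SAMPLE_GROUPS: List[Entry] = [
    {"cn": "alice", "gidNumber": 10000, "memberUid": ["alice"]},
    {"cn": "exec", "gidNumber": 10001, "memberUid": ["alice"]},
]


def needs_fixup(entry: Entry) -> bool:
    """True if the user entry still carries any of Keycloak's placeholder values."""
    return (int(entry.get("uidNumber", PLACEHOLDER_ID)) == PLACEHOLDER_ID
            or int(entry.get("gidNumber", PLACEHOLDER_ID)) == PLACEHOLDER_ID
            or entry.get("homeDirectory", PLACEHOLDER_HOME) == PLACEHOLDER_HOME)


def next_free_id(users: List[Entry], groups: List[Entry]) -> int:
    """Smallest id >= FIRST_ID used by no user's uidNumber and no entry's gidNumber."""
    used = {int(e.get("uidNumber", PLACEHOLDER_ID)) for e in users}
    used |= {int(e.get("gidNumber", PLACEHOLDER_ID)) for e in users + groups}
    candidate = FIRST_ID
    while candidate in used:
        candidate += 1
    return candidate


def plan_fixups(users: List[Entry], groups: List[Entry]) -> Tuple[List[Entry], List[Entry]]:
    """Return (users to modify, groups to add) as new dicts; the inputs are not mutated.

    Allocation runs against a working copy that grows as ids are handed out, so
    two users fixed in the same run can never receive the same number.
    """
    working_users = [dict(u) for u in users]
    working_groups = [dict(g) for g in groups]
    fixed_users: List[Entry] = []
    new_groups: List[Entry] = []
    for user in working_users:
        if not needs_fixup(user):
            continue
        new_id = next_free_id(working_users, working_groups)
        user["uidNumber"] = new_id
        user["gidNumber"] = new_id
        user["homeDirectory"] = f"{HOME_ROOT}/{user['uid']}"
        group: Entry = {"cn": user["uid"], "gidNumber": new_id, "memberUid": [user["uid"]]}
        working_groups.append(group)
        fixed_users.append(user)
        new_groups.append(group)
    return fixed_users, new_groups


def to_ldif(fixed_users: List[Entry], new_groups: List[Entry],
            people_base: str = "ou=people,dc=example,dc=org",
            group_base: str = "ou=groups,dc=example,dc=org") -> str:
    """Render the plan as LDIF records (the base DNs are placeholders, not the real ones)."""
    records = []
    for u in fixed_users:
        records.append("\n".join([
            f"dn: uid={u['uid']},{people_base}", "changetype: modify",
            "replace: uidNumber", f"uidNumber: {u['uidNumber']}", "-",
            "replace: gidNumber", f"gidNumber: {u['gidNumber']}", "-",
            "replace: homeDirectory", f"homeDirectory: {u['homeDirectory']}", ""]))
    for g in new_groups:
        records.append("\n".join([
            f"dn: cn={g['cn']},{group_base}", "changetype: add",
            "objectClass: posixGroup", f"cn: {g['cn']}", f"gidNumber: {g['gidNumber']}",
            *[f"memberUid: {m}" for m in g["memberUid"]], ""]))
    return "\n".join(records)


if __name__ == "__main__":
    print(to_ldif(*plan_fixups(SAMPLE_USERS, SAMPLE_GROUPS)))
```

Running it prints LDIF giving bob and carol uids 10002 and 10003 (10001 is skipped because the exec group already holds it), which is the property worth checking in a real run: the allocator must look at gidNumbers of existing groups as well as uidNumbers of users, or a new private group can silently collide with a shared one like exec.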
The federation settings are under Admin console -> User federation -> ldap. Make sure 'Enable the LDAPv3 password modify extended operation' stays turned on so that passwords get hashed before being stored in the directory.
The Mappers tab shows which attributes are created in LDAP and how they map to data in Keycloak. The 'group' mapper is what syncs LDAP groupOfNames entries to Keycloak groups.
Configuring an application as a client is complicated and gets quite involved with the OAuth and OIDC protocols. The short version is:
Authorization endpoint: https://auth.uwcs.co.uk/realms/uwcs/protocol/openid-connect/auth
Token endpoint: https://auth.uwcs.co.uk/realms/uwcs/protocol/openid-connect/token
Userinfo endpoint: https://auth.uwcs.co.uk/realms/uwcs/protocol/openid-connect/userinfo
Username claim: preferred_username
That's the simple bit; the rest is faff on a per-client basis. See the portainer config as an example.
If the application can sync groups/admin permissions automatically, do set this up. Group membership is delivered in the 'groups' claim, and the admin group in Keycloak is called 'exec'.
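The client-side half of that flow, as an added example that is not any of the society's client configs: it builds the authorization request against the realm endpoints above, checks the callback, prepares the token exchange, and maps the claims to a local account where only membership of 'exec' grants admin. Only the Python standard library is used and nothing contacts auth.uwcs.co.uk; the client_id, the redirect URI and the claim values in the usage are constructed for illustration, and signature checking of the ID token is assumed to be done by the app's JWT library before map_claims is called.

```python
"""Client-side pieces of the Keycloak OIDC authorization-code flow.

Added example, not a client config from the page. Uses only the standard
library and never performs a network request; the HTTP POST to the token
endpoint is left to the application's HTTP client. Verifying the ID token's
signature against the realm's keys is assumed to happen before map_claims.
"""
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

REALM = "https://auth.uwcs.co.uk/realms/uwcs"
AUTH_ENDPOINT = f"{REALM}/protocol/openid-connect/auth"
TOKEN_ENDPOINT = f"{REALM}/protocol/openid-connect/token"
USERINFO_ENDPOINT = f"{REALM}/protocol/openid-connect/userinfo"

USERNAME_CLAIM = "preferred_username"
GROUPS_CLAIM = "groups"
ADMIN_GROUP = "exec"            # the Keycloak group that confers admin rights


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_auth_request(client_id: str, redirect_uri: str) -> Tuple[str, Dict[str, str]]:
    """Return the authorization URL and the per-login secrets to keep in the session.

    state ties the callback to this browser session (CSRF defence), nonce ties
    the ID token to this login, and the PKCE verifier means an intercepted code
    cannot be redeemed without it; only the S256 challenge leaves the client.
    """
    session = {
        "state": secrets.token_urlsafe(32),
        "nonce": secrets.token_urlsafe(32),
        "code_verifier": secrets.token_urlsafe(64),
    }
    challenge = _b64url(hashlib.sha256(session["code_verifier"].encode()).digest())
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", session


def parse_callback(callback_url: str, session: Dict[str, str]) -> str:
    """Extract the authorization code, refusing a callback whose state does not match."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: callback does not belong to this login")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


def token_request_body(code: str, client_id: str, redirect_uri: str,
                       session: Dict[str, str]) -> Dict[str, str]:
    """Form fields to POST to TOKEN_ENDPOINT (the client secret, if any, goes in HTTP auth)."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_verifier": session["code_verifier"],
    }


def map_claims(claims: Dict[str, object], expected_nonce: Optional[str] = None) -> Dict[str, object]:
    """Turn verified ID-token (or userinfo) claims into the app's local account view.

    Pass expected_nonce for ID-token claims so a token minted for another login
    is rejected. A missing groups claim means no admin, never admin by default.
    """
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token was not issued for this login")
    groups = list(claims.get(GROUPS_CLAIM) or [])
    return {
        "username": claims[USERNAME_CLAIM],
        "groups": sorted(groups),
        "is_admin": ADMIN_GROUP in groups,
    }


if __name__ == "__main__":
    # Constructed walk-through with a made-up client and redirect URI.
    url, sess = build_auth_request("portainer", "https://portainer.example/callback")
    print("redirect the browser to:", url)
    code = parse_callback(f"https://portainer.example/callback?state={sess['state']}&code=demo", sess)
    print("POST to", TOKEN_ENDPOINT, token_request_body(code, "portainer", "https://portainer.example/callback", sess))
    print(map_claims({"preferred_username": "joey", "groups": ["exec"], "nonce": sess["nonce"]}, sess["nonce"]))
```

The two checks worth copying into any hand-rolled client are the state comparison in parse_callback and the nonce comparison in map_claims; an app that skips them will happily log a user in on the back of a code or token that was obtained in a different session.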
This is explained at Warwick SSO - the missing manual
Keycloak runs on the auth server on localtoast. It does not start on boot and must be started manually: sudo /home/joey/start-keycloak.sh will start it and leave it running in the background. Logs are in /var/log/keycloak.log. See the start script for details on how it's configured.
The proxy/hostname config could certainly do with tidying up to better secure it, see: