This is a ready solution for employing Keycloak with FIDO2/WebAuthn and OIDC (or SAML). Demos are included.
relying party (RP) | 2FA | 1FA |
---|---|---|
Apache (mod_auth_openidc ) |
demo #1 | demo #2 |
Apache (mod_shib ) |
demo #3 | demo #4 |
VMware vSphere | n/a | demo #6 |
ARG |
example | description |
---|---|---|
KEYCLOAK_DB |
postgres |
RDB for Keycloak |
KEYCLOAK_RELEASEVER |
9 | release version of RHEL for Keycloak container |
KEYCLOAK_VERSION |
latest |
Keycloak version |
kund
supports multiple tenants, e.g. both demos and production use cases.
Their common configuration resides in environment variables.
ENV |
example | |
---|---|---|
APP_IDS |
1 2 3 4 6 |
|
KEYCLOAK_DB_URL |
jdbc:postgres://localhost/keycloak |
|
KEYCLOAK_DB_USERNAME |
keycloak |
|
KEYCLOAK_EMAIL |
me@mydomain.com |
|
KEYCLOAK_PORT |
1. | 8444 |
REALM_IDS |
1 2 3 4 6 |
|
SMTP_SERVER |
mail.mydomain.com |
- optional; default is
8444
The following environment variables are only required to support the demos.
env | example | |
---|---|---|
APACHE_EMAIL |
me@mydomain.com |
|
APACHE_LOG_LEVEL |
1. | debug |
KEYCLOAK_LOG_LEVEL |
1. | debug |
KEYCLOAK_OIDC_REMOTE_USER_CLAIM |
given_name ^(.+?)(?:\s.+)?$ $1 |
|
LDAP_PORT | 3893 | |
VSPHERE_DOMAIN | 2. | mydomain.com |
VSPHERE_SERVER | 2. | https://vsphere.mydomain.com |
- optional; default is
info
- only required for demo #6
secret | keys | |
---|---|---|
keycloak-admin-password |
password |
1. |
keycloak-db-password |
password |
- password for user
admin
on Keycloak Administration Console
key | description |
---|---|
client_id |
see ClientRepresentation.id |
display_name |
see RealmRepresentation.displayName |
flow |
see AuthenticationFlowRepresentation.alias (kundk-1fa or kundk-2fa ) |
ldap_attribute_first_name |
|
ldap_auth_type |
see UserFederationProviderRepresentation.config.authType (for LDAP) |
ldap_bind_credential |
|
ldap_bind_dn |
see UserFederationProviderRepresentation.config.ldapBind (for LDAP) |
ldap_connection_url |
see UserFederationProviderRepresentation.config.connectionUrl (for LDAP) |
ldap_rdn_ldap_attribute |
|
ldap_username_ldap_attribute |
|
ldap_users_dn |
see UserFederationProviderRepresentation.config.userDn (for LDAP) |
ldap_user_object_class |
|
ldap_uuid_ldap_attribute |
see UserFederationProviderRepresentation.config.uuidLDAPAttribute |
post_logout_redirect_uri |
see ClientRepresentation.attributes."post.logout.redirect.uris" (for OIDC) |
protocol |
see ClientRepresentation.protocol |
realm |
see RealmRepresentation.realm |
redirect_uri |
ClientRepresentation.redirectUris (for OIDC) |
saml_assertion_consumer_url_redirect |
|
saml_single_logout_service_url_redirect |
|
vsphere_domain |
AD domain |