rubysecurity.org

12 December 2024

Deploying Keycloak Identity Provider (IdP) for secure Rancher User Authentication Part 1

by Alpha01

No words can explain the constant headaches I’ve gotten throughout my career when working with LDAP in the Unix/Linux world. While I’ve had plenty of experience working with it in the past (https://www.rubysecurity.org/tag/ldap), it’s certainly not the easiest or most pleasant thing to work with. So I’m glad to see newer (to me at least) Identity Provider (IdP) tools like Keycloak that can help us manage user identities, authentication, and access control across applications and systems in a much easier fashion, and, more importantly, support integrations with authentication mechanisms like OpenID Connect (OIDC), OAuth2, and SAML, to name a few.

Environment Setup

To get up and running quickly, I opted to deploy Keycloak on an Ubuntu 24.04 VM instead of taking the container/Kubernetes approach.

1). Install required packages.

apt install openjdk-21-jre unzip

2). Download and extract Keycloak.

cd /opt
wget https://github.com/keycloak/keycloak/releases/download/26.0.5/keycloak-26.0.5.zip
unzip keycloak-26.0.5.zip
ln -s keycloak-26.0.5 keycloak

3). Set up SSL certificates. At this stage, I had manually issued a Let’s Encrypt SSL certificate for sso.rubyninja.org for Keycloak and copied it over to /opt/keycloak/conf/certs.

4). Update the following settings in /opt/keycloak/conf/keycloak.conf.

# Hostname for the Keycloak server.
hostname=sso.rubyninja.org

# The file path to a private key in PEM format.
https-certificate-key-file=/opt/keycloak/conf/certs/MYKEY.key

# The file path to a server certificate or certificate chain in PEM format.
https-certificate-file=/opt/keycloak/conf/certs/MYCERT.crt

5). Create the initial bootstrap admin username/password.

/opt/keycloak/bin/kc.sh bootstrap-admin user
Enter username [temp-admin]:temp-admin
Enter password:
Enter password again:

6). Start up the application.

screen -dm /opt/keycloak/bin/kc.sh start --verbose

After logging in with the temp-admin account, I had to manually create a separate admin user.
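The six steps above collected into one re-runnable POSIX shell script, as an added example that is not part of the original post. It uses the post's own values (Keycloak 26.0.5, sso.rubyninja.org, /opt/keycloak) and assumes the Let's Encrypt certificate and key from step 3 are already in place at the paths in KEY_FILE and CERT_FILE, which stand in for the post's MYKEY.key and MYCERT.crt. Two checks the post does by hand are added: the private key must actually belong to the certificate, and keycloak.conf must carry the three settings of step 4, since kc.sh start runs Keycloak in production mode and it will not come up serving TLS without a hostname, key and certificate.

```shell
#!/bin/sh
# Added example (not from the original post): the post's steps 1-6 as one
# script, plus the cert/key and keycloak.conf checks described in the lead-in.
# Values are the post's own except KEY_FILE/CERT_FILE, which are placeholders
# for the post's MYKEY.key / MYCERT.crt under /opt/keycloak/conf/certs.
set -eu

KC_VERSION="${KC_VERSION:-26.0.5}"
KC_HOSTNAME="${KC_HOSTNAME:-sso.rubyninja.org}"
KC_HOME="${KC_HOME:-/opt/keycloak}"
KEY_FILE="${KEY_FILE:-$KC_HOME/conf/certs/MYKEY.key}"
CERT_FILE="${CERT_FILE:-$KC_HOME/conf/certs/MYCERT.crt}"

# Step 1: Java 21 runtime and unzip (Ubuntu 24.04 package names from the post).
install_packages() {
    apt-get install -y openjdk-21-jre unzip
}

# Step 2: fetch the release zip from GitHub and point /opt/keycloak at it.
# Skips the download and unzip when they have already been done.
download_keycloak() {
    cd /opt
    [ -f "keycloak-$KC_VERSION.zip" ] || \
        wget "https://github.com/keycloak/keycloak/releases/download/$KC_VERSION/keycloak-$KC_VERSION.zip"
    [ -d "keycloak-$KC_VERSION" ] || unzip -q "keycloak-$KC_VERSION.zip"
    ln -sfn "keycloak-$KC_VERSION" keycloak
}

# Step 3 check: the private key must belong to the certificate. Compares the
# SHA-256 of the public key extracted from each file; a mismatch (typically a
# stale key left behind after a certificate renewal) makes Keycloak fail to
# bring up TLS.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Step 4: render keycloak.conf with the post's three settings. Prints to
# stdout so the result can be reviewed before it is written to KC_HOME.
render_keycloak_conf() {
    printf '%s\n' \
        "# Hostname for the Keycloak server." \
        "hostname=$1" \
        "" \
        "# The file path to a private key in PEM format." \
        "https-certificate-key-file=$2" \
        "" \
        "# The file path to a server certificate or certificate chain in PEM format." \
        "https-certificate-file=$3"
}

# Verify a keycloak.conf carries every key production mode needs for TLS.
# Returns 1 and names each missing key on stderr.
check_keycloak_conf() {
    rc=0
    for key in hostname https-certificate-key-file https-certificate-file; do
        grep -q "^$key=." "$1" || { echo "keycloak.conf: missing $key" >&2; rc=1; }
    done
    return $rc
}

# Steps 3-6 together: lock down the key, write and verify the config,
# create the bootstrap admin (interactive prompt, as in the post), start.
configure_and_start() {
    chmod 600 "$KEY_FILE"                       # the private key is a credential
    cert_matches_key "$CERT_FILE" "$KEY_FILE"   # set -e aborts on mismatch
    render_keycloak_conf "$KC_HOSTNAME" "$KEY_FILE" "$CERT_FILE" > "$KC_HOME/conf/keycloak.conf"
    check_keycloak_conf "$KC_HOME/conf/keycloak.conf"
    "$KC_HOME/bin/kc.sh" bootstrap-admin user
    screen -dm "$KC_HOME/bin/kc.sh" start --verbose
}

case "${1:-}" in
    install) install_packages; download_keycloak; configure_and_start ;;
    check)   cert_matches_key "$CERT_FILE" "$KEY_FILE" && check_keycloak_conf "$KC_HOME/conf/keycloak.conf" ;;
    *)       echo "usage: $0 install|check" >&2 ;;
esac
```

Run it as `sh deploy-keycloak.sh install` on the VM (step 5 still prompts for the temp-admin password, exactly as in the post), or `sh deploy-keycloak.sh check` after a certificate renewal to confirm the new key and certificate still pair up before Keycloak is restarted.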

By no means is this a production-ready setup, but for a homelab environment used for testing, it is more than sufficient for me.

Resources

Tags: [ kubernetes rancher keycloak security ]