Lars Fischer serpensalbus

  • Germany
serpensalbus / rancher-keycloak-idp-configuration.md
Last active Jan 20, 2021 — forked from PhilipSchmid/rancher-keycloak-idp-configuration.md
Rancher v2.X KeyCloak Authentication Backend Configuration

Rancher v2.X KeyCloak Authentication Backend Configuration

Rancher's official documentation on configuring the Rancher <> KeyCloak setup (https://rancher.com/docs/rancher/v2.x/en/admin-settings/authentication/keycloak/) is fine, but definitely not sufficient to configure it successfully. That's why every single required step is documented here.

KeyCloak Configuration

I simply use the default master realm for the Rancher client. Nevertheless, in some setups it absolutely makes sense to use a dedicated KeyCloak realm instead.

  1. Log in as admin on https://keycloak.example.com/. Important: the same username you use as the admin user on Rancher must also exist in KeyCloak. Since I just use the admin account in this guide, this prerequisite is already met.
  2. Create a new client under https://keycloak.example.com/auth/admin/master/console/#/realms/master/clients
    • Client ID: https://rancher.example.com/v1-saml/keycloak/saml/metadata
serpensalbus / config.modules.sso-connector.virtualUriMappings.yaml
Last active Feb 4, 2020
Virtual URI mapping example for bootstrapping in Magnolia
View config.modules.sso-connector.virtualUriMappings.yaml
'virtualUriMappings':
  'jcr:primaryType': mgnl:content
  'ssologin':
    'class': info.magnolia.multisite.mapping.MultiSiteRootVirtualUriMapping
    'fromUri': /sso
    'toUri': redirect:/.magnolia/admincentral
View config.server.filters.securityCallback.clientCallbacks.admincentral-sso.yaml
'admincentral-sso':
  'authenticationServiceName': keycloakOpenIDConnectMagnoliaAdminCentral
  'class': info.magnolia.cms.security.auth.callback.SSOAuthenticationRedirectCallback
  'originalUrlPattern':
    'class': info.magnolia.cms.util.SimpleUrlPattern
    'patternString': /.magnolia/admincentral
View usergroups.superuser.yaml
'superuser':
  'description': Superuser Group for SSO.
  'jcr:primaryType': mgnl:group
  'jcr:uuid': bd94e13f-12b7-47d1-a341-42a442d409d5
  'mgnl:created': 2019-07-23T16:14:34.779+02:00
  'mgnl:createdBy': superuser
  'mgnl:lastModified': 2020-01-17T16:09:14.515+01:00
  'mgnl:lastModifiedBy': superuser
  'title': superuser
  'groups':
View config.modules.sso-connector.config.authenticationServices.keycloa…liaAdminCentral.yaml
'keycloakOpenIDConnectMagnoliaAdminCentral':
  'accessTokenEndpoint': http://localhost:8180/auth/realms/Magnolia%20AdminCentral/protocol/openid-connect/token
  'authorizationBaseUrl': http://localhost:8180/auth/realms/Magnolia%20AdminCentral/protocol/openid-connect/auth
  'callbackURL': http://localhost:8080/magnoliaAuthor/.auth
  'clientId': mgnl-admincentral
  'clientSecret': 273263dd-4229-472d-a897-0083ed37ba01
  'endSessionEndpoint': http://localhost:8180/auth/realms/Magnolia%20AdminCentral/protocol/openid-connect/logout
  'externalGroupsManagement': true
  'openIdAccessTokenAttributeName': openIdToken
  'openIdEnabled': true
serpensalbus / jaas.config
Created Feb 4, 2020
JAAS config Magnolia example configuration file
View jaas.config
/**
 * Options for the JCRAuthenticationModule module:
 *   realm: restricts the login to a certain realm
 *   use_realm_callback: allows the GUI to pass the realm to log into
 *   skip_on_previous_success: if true, the login is skipped when a former module already performed a successful login
 *
 * Example:
 *   info.magnolia.jaas.sp.jcr.JCRAuthenticationModule requisite realm=public;
 *   info.magnolia.jaas.sp.jcr.JCRAuthenticationModule requisite realm=admin skip_on_previous_success=true;
 */
View well-known-config.json
{
  "issuer": "http://localhost:8180/auth/realms/Magnolia%20AdminCentral",
  "authorization_endpoint": "http://localhost:8180/auth/realms/Magnolia%20AdminCentral/protocol/openid-connect/auth",
  "token_endpoint": "http://localhost:8180/auth/realms/Magnolia%20AdminCentral/protocol/openid-connect/token",
  "token_introspection_endpoint": "http://localhost:8180/auth/realms/Magnolia%20AdminCentral/protocol/openid-connect/token/introspect",
  "userinfo_endpoint": "http://localhost:8180/auth/realms/Magnolia%20AdminCentral/protocol/openid-connect/userinfo",
  "end_session_endpoint": "http://localhost:8180/auth/realms/Magnolia%20AdminCentral/protocol/openid-connect/logout",
  "jwks_uri": "http://localhost:8180/auth/realms/Magnolia%20AdminCentral/protocol/openid-connect/certs",
  "check_session_iframe": "http://localhost:8180/auth/realms/Magnolia%20AdminCentral/protocol/openid-connect/login-status-iframe.html",
  "grant_types_supported": ["authorization_code", "implicit", "refresh_token", "password", "client_credentials"],
  "response_types_supported": ["code",
serpensalbus / jackrabbit-bundle-postgres-search-database.xml
Last active Nov 13, 2019
JCR / Jackrabbit configuration for using Magnolia CMS with PostgreSQL without filesystem. Example configuration file used in the blog post https://www.lars-fischer.me/posts/2018/setup-magnolia-and-postgresql-under-macos/. The article shows you how to configure Magnolia CMS with PostgreSQL. All content is stored in the DB.
View jackrabbit-bundle-postgres-search-database.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Repository PUBLIC "-//The Apache Software Foundation//DTD Jackrabbit 2.0//EN" "http://jackrabbit.apache.org/dtd/repository-2.0.dtd">
<Repository>
  <DataSources>
    <DataSource name="magnolia">
      <param name="driver" value="org.postgresql.Driver" />
      <param name="url" value="jdbc:postgresql://localhost:5432/magnolia" />
      <param name="user" value="mgnl" />
      <param name="password" value="mgnlpass" />
      <param name="databaseType" value="postgresql"/>
serpensalbus / jackrabbit-bundle-postgres-search.xml
Last active Nov 13, 2019
JCR / Jackrabbit configuration for using Magnolia CMS with PostgreSQL. Example configuration file used in the blog post https://www.lars-fischer.me/posts/2018/setup-magnolia-and-postgresql-under-macos/. The article shows you how to configure Magnolia CMS with PostgreSQL.
View jackrabbit-bundle-postgres-search.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Repository PUBLIC "-//The Apache Software Foundation//DTD Jackrabbit 2.0//EN" "http://jackrabbit.apache.org/dtd/repository-2.0.dtd">
<Repository>
  <DataSources>
    <DataSource name="magnolia">
      <param name="driver" value="org.postgresql.Driver" />
      <param name="url" value="jdbc:postgresql://localhost:5432/magnolia" />
      <param name="user" value="mgnl" />
      <param name="password" value="mgnlpass" />
      <param name="databaseType" value="postgresql"/>
serpensalbus / CategoryColumnComparator.java
Created Feb 23, 2017
Custom sorting of columns in Magnolia 5 content apps
View CategoryColumnComparator.java
package com.serpensalbus.magnolia.articles.app.workbench;

import info.magnolia.ui.vaadin.integration.jcr.JcrItemId;
import info.magnolia.ui.vaadin.integration.jcr.JcrItemUtil;

import java.util.Comparator;

import javax.jcr.Item;
import javax.jcr.Node;