serpensalbus

Rancher v2.X KeyCloak Authentication Backend Configuration

Ranchers official documentation about how to configure the Rancher <> KeyCloak setup is fine but definitely not sufficient to successfully configure it (https://rancher.com/docs/rancher/v2.x/en/admin-settings/authentication/keycloak/). That's the reason why here every single required step is documented down here.

KeyCloak Configuration

I simply use the default master realm for the Rancher client. Nevertheless, it would sometimes absolutely make sense to use a custom KeyCloak realm.

1. Login as admin on https://keycloak.example.com/. Important: It's crucial that in KeyCloak the same username exists as you use as admin user on Rancher. Since I just use the admin account in this guide, this prerequisite is already achieved.
2. Create a new client under https://keycloak.example.com/auth/admin/master/console/#/realms/master/clients
   • Client ID: https://rancher.example.com/v1-saml/keycloak/saml/metadata

serpensalbus

'virtualUriMappings':
  'jcr:primaryType': mgnl:content
  'ssologin':
    'class': info.magnolia.multisite.mapping.MultiSiteRootVirtualUriMapping
    'fromUri': /sso
    'toUri': redirect:/.magnolia/admincentral

serpensalbus

'admincentral-sso':
  'authenticationServiceName': keycloakOpenIDConnectMagnoliaAdminCentral
  'class': info.magnolia.cms.security.auth.callback.SSOAuthenticationRedirectCallback
  'originalUrlPattern':
    'class': info.magnolia.cms.util.SimpleUrlPattern
    'patternString': /.magnolia/admincentral

serpensalbus

'superuser':
  'description': Superuser Group for SSO.
  'jcr:primaryType': mgnl:group
  'jcr:uuid': bd94e13f-12b7-47d1-a341-42a442d409d5
  'mgnl:created': 2019-07-23T16:14:34.779+02:00
  'mgnl:createdBy': superuser
  'mgnl:lastModified': 2020-01-17T16:09:14.515+01:00
  'mgnl:lastModifiedBy': superuser
  'title': superuser
  'groups':

serpensalbus

'keycloakOpenIDConnectMagnoliaAdminCentral':
  'accessTokenEndpoint': http://localhost:8180/auth/realms/Magnolia%20AdminCentral/protocol/openid-connect/token
  'authorizationBaseUrl': http://localhost:8180/auth/realms/Magnolia%20AdminCentral/protocol/openid-connect/auth
  'callbackURL': http://localhost:8080/magnoliaAuthor/.auth
  'clientId': mgnl-admincentral
  'clientSecret': 273263dd-4229-472d-a897-0083ed37ba01
  'endSessionEndpoint': http://localhost:8180/auth/realms/Magnolia%20AdminCentral/protocol/openid-connect/logout
  'externalGroupsManagement': true
  'openIdAccessTokenAttributeName': openIdToken
  'openIdEnabled': true

serpensalbus

/**
 * options for JCRAuthenticationModule module:
 *   realm: to restrict the login to a certain realm
 *   use_realm_callback: to allow the GUI to pass the realm to login into
 *   skip_on_previous_success: if true the login is scipped if a former module proceeded a successfull login
 *
 * example:
 *    info.magnolia.jaas.sp.jcr.JCRAuthenticationModule requisite realm=public;
 *    info.magnolia.jaas.sp.jcr.JCRAuthenticationModule requisite realm=admin skip_on_previous_success=true;
 */

serpensalbus

{"issuer":"http://localhost:8180/auth/realms/Magnolia%20AdminCentral","authorization_endpoint":"http://localhost:8180/auth/realms/Magnolia%20AdminCentral/protocol/openid-connect/auth","token_endpoint":"http://localhost:8180/auth/realms/Magnolia%20AdminCentral/protocol/openid-connect/token","token_introspection_endpoint":"http://localhost:8180/auth/realms/Magnolia%20AdminCentral/protocol/openid-connect/token/introspect","userinfo_endpoint":"http://localhost:8180/auth/realms/Magnolia%20AdminCentral/protocol/openid-connect/userinfo","end_session_endpoint":"http://localhost:8180/auth/realms/Magnolia%20AdminCentral/protocol/openid-connect/logout","jwks_uri":"http://localhost:8180/auth/realms/Magnolia%20AdminCentral/protocol/openid-connect/certs","check_session_iframe":"http://localhost:8180/auth/realms/Magnolia%20AdminCentral/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials"],"response_types_supported":["code",

serpensalbus

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Repository PUBLIC "-//The Apache Software Foundation//DTD Jackrabbit 2.0//EN" "http://jackrabbit.apache.org/dtd/repository-2.0.dtd">
<Repository>
  <DataSources>
    <DataSource name="magnolia">
      <param name="driver" value="org.postgresql.Driver" />
      <param name="url" value="jdbc:postgresql://localhost:5432/magnolia" />
      <param name="user" value="mgnl" />
      <param name="password" value="mgnlpass" />
      <param name="databaseType" value="postgresql"/>

serpensalbus

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Repository PUBLIC "-//The Apache Software Foundation//DTD Jackrabbit 2.0//EN" "http://jackrabbit.apache.org/dtd/repository-2.0.dtd">
<Repository>
  <DataSources>
    <DataSource name="magnolia">
      <param name="driver" value="org.postgresql.Driver" />
      <param name="url" value="jdbc:postgresql://localhost:5432/magnolia" />
      <param name="user" value="mgnl" />
      <param name="password" value="mgnlpass" />
      <param name="databaseType" value="postgresql"/>

serpensalbus

package com.serpensalbus.magnolia.articles.app.workbench;

import info.magnolia.ui.vaadin.integration.jcr.JcrItemId;
import info.magnolia.ui.vaadin.integration.jcr.JcrItemUtil;

import java.util.Comparator;

import javax.jcr.Item;
import javax.jcr.Node;