User Federation changes
parent
ead4688ce6
commit
247d8b8a22
|
@ -69,18 +69,18 @@ ansible-playbook -i <ansible_hosts> -e @rhn-creds.yml playbooks/keycloak.yml -e
|
||||||
|
|
||||||
### Config Playbook
|
### Config Playbook
|
||||||
|
|
||||||
`playbooks/keycloak-realm.yml` creates provided realm, client(s), client role(s) and client user(s) if they don't exist.
|
`playbooks/keycloak-realm.yml` creates provided realm, user federation(s), client(s), client role(s) and client user(s) if they don't exist.
|
||||||
|
|
||||||
### Config role
|
### Config role
|
||||||
|
|
||||||
* [`keycloak_realm`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md): role for configuring a realm, with clients and users, in an installed service.
|
* [`keycloak_realm`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md): role for configuring a realm, user federation(s), clients and users, in an installed service.
|
||||||
|
|
||||||
### Example configuration command
|
### Example configuration command
|
||||||
|
|
||||||
Execute the following command from the source root directory
|
Execute the following command from the source root directory
|
||||||
|
|
||||||
```
|
```
|
||||||
ansible-playbook -i <ansible_hosts> -e @rhn-creds.yml playbooks/keycloak.yml -e keycloak_admin_password=<changeme> -e keycloak_realm=test
|
ansible-playbook -i <ansible_hosts> playbooks/keycloak-realm.yml -e keycloak_admin_password=<changeme> -e keycloak_realm=test
|
||||||
```
|
```
|
||||||
|
|
||||||
- `keycloak_admin_password` password for the administration console user account.
|
- `keycloak_admin_password` password for the administration console user account.
|
||||||
|
|
|
@ -8,6 +8,46 @@
|
||||||
vars:
|
vars:
|
||||||
keycloak_admin_password: "changeme"
|
keycloak_admin_password: "changeme"
|
||||||
keycloak_realm: TestRealm
|
keycloak_realm: TestRealm
|
||||||
|
keycloak_user_federation:
|
||||||
|
- realm: TestRealm
|
||||||
|
name: my-ldap
|
||||||
|
provider_id: ldap
|
||||||
|
provider_type: org.keycloak.storage.UserStorageProvider
|
||||||
|
config:
|
||||||
|
priority: '0'
|
||||||
|
enabled: true
|
||||||
|
cachePolicy: DEFAULT
|
||||||
|
batchSizeForSync: '1000'
|
||||||
|
editMode: READ_ONLY
|
||||||
|
importEnabled: true
|
||||||
|
syncRegistrations: false
|
||||||
|
vendor: other
|
||||||
|
usernameLDAPAttribute: uid
|
||||||
|
rdnLDAPAttribute: uid
|
||||||
|
uuidLDAPAttribute: entryUUID
|
||||||
|
userObjectClasses: inetOrgPerson, organizationalPerson
|
||||||
|
connectionUrl: ldaps://ldap.example.com:636
|
||||||
|
usersDn: ou=Users,dc=example,dc=com
|
||||||
|
authType: simple
|
||||||
|
bindDn: cn=directory reader
|
||||||
|
bindCredential: password
|
||||||
|
searchScope: '1'
|
||||||
|
validatePasswordPolicy: false
|
||||||
|
trustEmail: false
|
||||||
|
useTruststoreSpi: ldapsOnly
|
||||||
|
connectionPooling: true
|
||||||
|
pagination: true
|
||||||
|
allowKerberosAuthentication: false
|
||||||
|
debug: false
|
||||||
|
useKerberosForPasswordAuthentication: false
|
||||||
|
mappers:
|
||||||
|
- name: "full name"
|
||||||
|
providerId: "full-name-ldap-mapper"
|
||||||
|
providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
|
||||||
|
config:
|
||||||
|
ldap.full.name.attribute: cn
|
||||||
|
read.only: true
|
||||||
|
write.only: false
|
||||||
keycloak_clients:
|
keycloak_clients:
|
||||||
- name: TestClient1
|
- name: TestClient1
|
||||||
roles:
|
roles:
|
||||||
|
|
|
@ -14,6 +14,8 @@ Role Defaults
|
||||||
|`keycloak_http_port` | HTTP port | `8080` |
|
|`keycloak_http_port` | HTTP port | `8080` |
|
||||||
|`keycloak_https_port` | TLS HTTP port | `8443` |
|
|`keycloak_https_port` | TLS HTTP port | `8443` |
|
||||||
|`keycloak_auth_realm` | Name of the main authentication realm | `master` |
|
|`keycloak_auth_realm` | Name of the main authentication realm | `master` |
|
||||||
|
|`keycloak_rhsso_enable` | Define service is an upstream(Keycloak) or RHSSO | `master` |
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Role Variables
|
Role Variables
|
||||||
|
@ -35,10 +37,29 @@ The following variables are available for creating clients:
|
||||||
|`keycloak_client_default_roles` | List of default role name for clients | `[]` |
|
|`keycloak_client_default_roles` | List of default role name for clients | `[]` |
|
||||||
|`keycloak_client_users` | List of user/role mappings for a client | `[]` |
|
|`keycloak_client_users` | List of user/role mappings for a client | `[]` |
|
||||||
|
|
||||||
|
The following variable are available for creating user federation:
|
||||||
|
|
||||||
|
| Variable | Description | Default |
|
||||||
|
|:---------|:------------|:---------|
|
||||||
|
|`keycloak_user_federation` | List of _keycloak_user_federation_ for the realm | `[]` |
|
||||||
|
|
||||||
|
|
||||||
Variable formats
|
Variable formats
|
||||||
----------------
|
----------------
|
||||||
|
|
||||||
|
* `keycloak_user_federation`, a list of:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
- realm: <name of the realm in which user federation should be configured, required>
|
||||||
|
name: <name of the user federation provider, required>
|
||||||
|
provider_id: <Type of the user federation provider, required>
|
||||||
|
provider_type: < Provider Type, default is set to org.keycloak.storage.UserStorageProvider>
|
||||||
|
config: <Dictionary of supported configuration values, required>
|
||||||
|
mappers: <List of supported configuration values, required>
|
||||||
|
```
|
||||||
|
|
||||||
|
Refer to [docs](https://docs.ansible.com/ansible/latest/collections/community/general/keycloak_user_federation_module.html) for information on supported variables.
|
||||||
|
|
||||||
* `keycloak_clients`, a list of:
|
* `keycloak_clients`, a list of:
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
|
@ -71,7 +92,6 @@ Variable formats
|
||||||
|
|
||||||
For a comprehensive example, refer to the [playbook](playbooks/keycloak.yml).
|
For a comprehensive example, refer to the [playbook](playbooks/keycloak.yml).
|
||||||
|
|
||||||
|
|
||||||
Example Playbook
|
Example Playbook
|
||||||
----------------
|
----------------
|
||||||
|
|
||||||
|
|
|
@ -9,6 +9,9 @@ keycloak_admin_user: admin
|
||||||
keycloak_auth_realm: master
|
keycloak_auth_realm: master
|
||||||
keycloak_auth_client: admin-cli
|
keycloak_auth_client: admin-cli
|
||||||
|
|
||||||
|
### List of Keycloak User Federation
|
||||||
|
keycloak_user_federation: []
|
||||||
|
|
||||||
### Keycloak realm client defaults
|
### Keycloak realm client defaults
|
||||||
# list of clients to create in the realm
|
# list of clients to create in the realm
|
||||||
#
|
#
|
||||||
|
|
|
@ -34,6 +34,24 @@
|
||||||
status_code: 201
|
status_code: 201
|
||||||
when: keycloak_realm_exists.status == 404
|
when: keycloak_realm_exists.status == 404
|
||||||
|
|
||||||
|
- name: Create user federation
|
||||||
|
community.general.keycloak_user_federation:
|
||||||
|
auth_keycloak_url: "{{ keycloak_url }}/auth"
|
||||||
|
auth_realm: "{{ keycloak_auth_realm }}"
|
||||||
|
auth_username: "{{ keycloak_admin_user }}"
|
||||||
|
auth_password: "{{ keycloak_admin_password }}"
|
||||||
|
realm: "{{ item.realm }}"
|
||||||
|
name: "{{ item.name }}"
|
||||||
|
state: present
|
||||||
|
provider_id: "{{ item.provider_id }}"
|
||||||
|
provider_type: "{{ item.provider_type | default(org.keycloak.storage.UserStorageProvider) }}"
|
||||||
|
config: "{{ item.config }}"
|
||||||
|
mappers: "{{ item.mappers | default(omit) }}"
|
||||||
|
register: create_user_federation_result
|
||||||
|
loop: "{{ keycloak_user_federation | flatten }}"
|
||||||
|
when: keycloak_user_federation is defined
|
||||||
|
|
||||||
|
|
||||||
- name: Create Client
|
- name: Create Client
|
||||||
community.general.keycloak_client:
|
community.general.keycloak_client:
|
||||||
auth_client_id: "{{ keycloak_auth_client }}"
|
auth_client_id: "{{ keycloak_auth_client }}"
|
||||||
|
|
|
@ -13,4 +13,4 @@ keycloak_clients:
|
||||||
# other settings
|
# other settings
|
||||||
keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
|
keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
|
||||||
keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
|
keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
|
||||||
keycloak_rhsso_enable: "{{ True if rhsso_rhn_id is defined else False }}"
|
keycloak_rhsso_enable: False
|
Loading…
Reference in New Issue