具有SAML，Keycloak和Nextcloud的SSO [英] SSO with SAML, Keycloak and Nextcloud

问题描述

我正在尝试将Keycloak设置为IdP(身份提供商)并将Nextcloud设置为服务.我想设置Keycloak以显示SSO(单点登录)页面.

I am trying to setup Keycloak as a IdP (Identity Provider) and Nextcloud as a service. I want to setup Keycloak as to present a SSO (single-sign-on) page.

我正在运行具有Intel兼容CPU的Linux服务器.什么是正确的配置?

I am running a Linux-Server with a Intel compatible CPU. What is the correct configuration?

• Keycloak将以 https://kc.domain.com
的身份运行
• Nextcloud将以 https://nc.domain.com
的身份运行

• Keycloak will be running as https://kc.domain.com
• Nextcloud will be running as https://nc.domain.com

推荐答案

前提条件

要使用此答案，您需要将domain.com替换为您拥有的实际域.另外，将email@domain.com替换为您的工作电子邮件地址.

Prerequisite

To use this answer you will need to replace domain.com with a actual domain you own. Also replace email@domain.com with your working e-mail address.

假定您已安装并正在运行docker和docker-compose.

It is assumed you have docker and docker-compose installed and running.

除了使用keycloak和nextcloud之外，我还使用:

In addition to keycloak and nextcloud I use:

• nginx 作为反向代理
• letsencyrpt 生成子域的SSL证书.

• nginx as a reverse-proxy
• letsencyrpt to generate the SSL-certificates for the sub-domains.

我正在使用docker和docker-compose设置所有必需的服务. docker-compose.yml的外观如下:

I'm setting up all the needed service with docker and docker-compose. This is how the docker-compose.yml looks like this:

version: '2'

  nginx-proxy:
    image: jwilder/nginx-proxy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/etc/nginx/vhost.d"
      - "./proxy-default.conf:/etc/nginx/conf.d/my-proxy.default.conf:ro"
      - "/usr/share/nginx/html"
      - "/var/run/docker.sock:/tmp/docker.sock:ro"
      - "./le-cert:/etc/nginx/certs:ro"
    labels:
      com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"

  letsencrypt-nginx-proxy-companion:
    image: jrcs/letsencrypt-nginx-proxy-companion
    restart: unless-stopped
    depends_on:
      - nginx-proxy
    container_name: le-proxy-companion
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./le-cert:/etc/nginx/certs:rw"
    volumes_from:
      - nginx-proxy

  keycloak:
    image: jboss/keycloak
    links:
      - keycloak-postgres:postgres
    ports:
      - 8080:8080
    volumes:
      - ./keycloak:/opt/jboss/keycloak
    environment:
      - KEYCLOAK_USER=admin
      - KEYCLOAK_PASSWORD=admin
      - "PROXY_ADDRESS_FORWARDING=true"
      - VIRTUAL_PORT=8080
      - VIRTUAL_HOST=kc.domain.com
      - LETSENCRYPT_HOST=kc.domain.com
      - LETSENCRYPT_EMAIL=email@domain.com

  keycloak-postgres:
    image: postgres
    environment:
      - POSTGRES_DB=keycloak
      - POSTGRES_USER=keycloak
      - POSTGRES_PASSWORD=keycloak

  nextcloud:
    image: hoellen/nextcloud
    environment:
      - UPLOAD_MAX_SIZE=10G
      - APC_SHM_SIZE=128M
      - OPCACHE_MEM_SIZE=128
      - CRON_PERIOD=15m
      - TZ=Europe/Berlin
      - DOMAIN=nc.domain.com
      - ADMIN_USER=admin
      - ADMIN_PASSWORD=admin
      - DB_TYPE=mysql
      - DB_NAME=nextcloud
      - DB_USER=nextcloud
      - DB_PASSWORD=nextcloud
      - DB_HOST=nc-db
    volumes:
      - ./nc/nc-data:/data
      - ./nc/nc-config:/config
      - ./nc/nc-apps:/apps2
      - ./nc/nc-themes:/nextcloud/themes
    environment:
      - VIRTUAL_HOST=nc.domain.com
      - LETSENCRYPT_HOST=nc.domain.com
      - LETSENCRYPT_EMAIL=email@domain.com

  nc-db:
    image: mariadb
    volumes:
      - ./nc/nc-db:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=nextcloud
      - MYSQL_PASSWORD=nextcloud
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud

我将docker-files放在文件夹docker中，在该文件夹中有一个项目特定的文件夹.在这里keycloak.使用以下方法创建它们:

I put my docker-files in a folder docker and within this folder a project-specific folder. Here keycloak. Create them with:

mkdir -p ~/docker/keycloak

使用首选编辑器在此文件夹中创建docker-compose.yml-文件.通过以下方式启动服务:

Create the docker-compose.yml-File with your preferred editor in this folder. Start the services with:

cd ~/docker/keycloak
docker-compose up -d

请稍等片刻，让服务下载并启动.检查是否一切都在运行:

Wait a moment to let the services download and start. Check if everything is running with:

docker-compose ps

如果服务未运行.发出第二个docker-compose up -d并再次检查.

If a service isn't running. Issue a second docker-compose up -d and check again.

打开浏览器，然后转到 https://kc.domain.com .点击管理控制台.按照docker-compose.yml中的指定，用户名和密码为admin.

Open a browser and go to https://kc.domain.com . Click on Administration Console. As specified in your docker-compose.yml, Username and Password is admin.

在页面的左上角，您需要创建一个新的 Realm .单击Add.输入 my-realm 作为名称.点击Save.

On the top-left of the page you need to create a new Realm. Click Add. Enter my-realm as name. Click Save.

单击Keys-选项卡.查看RSA条目.我们将需要复制该行的证书.单击Certificate，然后将内容复制粘贴到文本编辑器中，以备后用.

Click on the Keys-tab. Look at the RSA-entry. We will need to copy the Certificate of that line. Click on Certificate and copy-paste the content to a text editor for later use.

打开终端并发出:

openssl req  -nodes -new -x509  -keyout private.key -out public.cert

这将创建两个文件:private.key和public.cert，稍后我们将需要它们用于nextcloud服务.

This creates two files: private.key and public.cert which we will need later for the nextcloud service.

打开浏览器，然后转到 https://nc.domain.com .按照docker-compose.yml中的指定，用户名和密码为admin.

Open a browser and go to https://nc.domain.com . As specified in your docker-compose.yml, Username and Password is admin.

您需要激活默认情况下禁用的SSO & Saml Authenticate.

You need to activate the SSO & Saml Authenticate which is disabled by default.

重要从此处开始，在测试通过并运行设置之前，不要关闭当前的浏览器窗口.如果您在一切正常之前关闭浏览器，则可能无法再在nextcloud中更改设置.在这种情况下，您将需要停止nextcloud-和nextcloud-db-container，删除它们各自的文件夹，重新创建它们，然后重新开始.

Important From here on don't close your current browser window until the setup is tested and running. If you close the browser before everything works you probably not be able to change your settings in nextcloud anymore. In such a case you will need to stop the nextcloud- and nextcloud-db-container, delete their respective folders, recreate them and start all over again.

单击右上角的齿轮符号，然后单击+ Apps-符号.现在在左侧看到带有条目Security的菜单栏.点击它.现在，您将看到所有已实现安全性的应用程序.单击SSO & SAML authentication应用程序下方的Activate按钮.

Click on top-right gear-symbol and the then on the + Apps-sign. On the left now see a Menu-bar with the entry Security. Click it. You now see all security realted apps. Click on the Activate button below the SSO & SAML authentication App.

再次单击右上角的齿轮符号，然后单击Admin.点击SSO & SAML authentication.

Click on top-right gear-symbol again and click on Admin. Click on SSO & SAML authentication.

使用以下值:

• 将UID映射到的属性:用户名
• 启用对Nextcloud桌面客户端使用SAML身份验证(需要用户重新身份验证)"
• 将public.cert的内容复制到"X.509证书"字段中
• 将private.key的内容复制到服务提供商的私钥"字段中.
• IdP的标识符: https://kc.domain.com/auth/realms/my-realm
• SP将在其中发送身份验证请求消息的IdP的URL目标: https://kc.domain.com/auth/realms/my-realm/protocol/saml
• SP将在其中发送SLO请求的IdP的URL位置:
• 在服务提供商数据中:
  • 属性，显示名称:用户名
  • 属性，电子邮件地址: email 点击Download metadata XML并保存文件以进行下一步.
  • Attribute to map UID to: username
  • Enable "Use SAML auth for the Nextcloud desktop clients (requires user re-authentication)"
  • Copy the content of public.cert into the 'X.509 Certificate'-field
  • Copy the content of private.key into the 'Private key of Service Provider'-field.
  • Identifier of the IdP: https://kc.domain.com/auth/realms/my-realm
  • URL Target of the IdP where the SP will send the Authentication Request Message: https://kc.domain.com/auth/realms/my-realm/protocol/saml
  • URL Location of IdP where the SP will send the SLO Request: https://kc.domain.com/auth/realms/my-realm/protocol/saml
  • Public X.509 certificate of the IdP: Copy the certificate from Keycloak from the Keys-tab of my-realm. You will need to add '-----BEGIN CERTIFICATE-----' in front of the key and '-----END CERTIFICATE-----' to the end of it.
  • In Service Provider Data:
    • Attribute, displayname: username
    • Attribute, email adress: email Click Download metadata XML and save the file for the next step.
    • 指示此SP发送的消息是否将被签名. [SP的元数据将提供此信息]
    • 指示此SP发送的消息是否将被签名.
    • 指示是否将对此SP发送的消息进行签名.
    • 指示对此SP接收到的和元素进行签名的要求.
    • 指示对此SP接收的元素进行签名的要求. [SP的元数据将提供此信息]

    再次访问管理员控制台.单击Clients，然后在右上角单击Create-按钮.

    Access the Administror Console again. Click on Clients and on the top-right click on the Create-Button.

    在导入"旁边，单击"Select File"按钮.选择您在Nextcloud的最后一步中创建的XML文件.

    Next to Import, Click the Select File-Button. Select the XML-File you've create on the last step in Nextcloud.

    更改:

    • 客户端SAML端点: https://kc.domain.com/auth /realms/my-realm

    ，然后单击Save.

    将显示一个新屏幕.更改以下字段:

    You are presented with a new screen. Change the following fields:

    • 名称: Nextcloud
    • 有效的重定向URI: https://nc.domain.com/ *
    • 点击Save
    • Name: Nextcloud
    • Valid Redirect URIs: https://nc.domain.com/ *
    • Click Save

    在标签上Matters:

    • 点击预先设置的role list
    上的Delete-按钮
    • 点击Create
      • 名称:用户名
      • 映射器类型:用户属性
      • 属性:用户名
      • SAML属性名称:用户名
      • SAML属性名称格式:基本
      • 点击Save
      • Click Delete-Button on the preassigned role list
      • Click Create
        • Name: username
        • Mapper Type: User Property
        • Property: username
        • SAML Attribute Name: username
        • SAML Attribute NameFormat: Basic
        • Click Save
        • 名称:电子邮件
        • 映射器类型:用户属性
        • 属性:电子邮件
        • SAML属性名称:电子邮件
        • SAML属性名称格式:基本
        • 点击Save
        • Name: email
        • Mapper Type: User Property
        • Property: email
        • SAML Attribute Name: email
        • SAML Attribute NameFormat: Basic
        • Click Save
        • 名称: Roles
        • 映射器类型:角色列表
        • 角色属性名称:角色
        • 好记的名字:角色
        • SAML属性名称格式:基本
        • 单一角色归属:开启
        • 点击Save
        • Name: Roles
        • Mapper Type: Role List
        • Role attribute name: Roles
        • Friendly Name: roles
        • SAML Attribute NameFormat: Basic
        • Single Role Attrubute: On
        • Click Save
        • 在左侧，单击Users
        • 单击右上角的Add users
        • 设置以下值:
          • 用户名: user
          • 电子邮件: user@domain.com
          • 点击Save
          • On the left side, click on Users
          • On the top-right, click Add users
          • Set the following values:
            • Username: user
            • Email: user@domain.com
            • Click Save
            • 新密码:用户
            • 密码确认:用户
            • 临时:关闭
            • 点击Reset Password
            • New Password: user
            • Password Confirmation: user
            • Temporary: Off
            • Click Reset Password
            • 点击Change Password

            以隐身/私人模式打开新的浏览器窗口.例如.对于google-chrome，请按Ctrl-Shift-N，在Firefox中，请按Ctrl-Shift-P. 保留另一个浏览器窗口，并保持打开的nextcloud设置页面.否则，您可能会被锁定.

            Open a new browser window in incognito/private mode. Eg. for google-chrome press Ctrl-Shift-N, in Firefox press Ctrl-Shift-P. Keep the other browser window with the nextcloud setup page open. Else you might lock yourself out.

            使用隐身/专用浏览器窗口访问 https://nc.domain.com .将显示给您密钥库用户名/密码页面.输入user作为名称和密码.应该会出现nextcloud欢迎屏幕.

            Access https://nc.domain.com with the incognito/private browser window. You are presented with the keycloak username/password page. Enter user as name and password. You should be greeted to with the nextcloud welcome screen.

            • 没有出色的 http://int128，就不可能有本指南.hatenablog.com/entry/2018/01/16/194048 博客条目.我已经阅读过 RMM .他的 Wiki条目使我能够为nextcloud创建正确的密钥并启用消息-签名，从而改善了答案.
            • This guide wouldn't have been possible without the wonderful http://int128.hatenablog.com/entry/2018/01/16/194048 blog entry. I've read it with google-translator in english.
            • Thanks goes also to RMM. His wiki entry allowed me to create correct keys for nextcloud and enable message-signing, thus improving this answer.

            这篇关于具有SAML，Keycloak和Nextcloud的SSO的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！