EFS User Guide
Notes:
- The examples in this guide use the EFS Keycloak URL of the Development environment.
- Replace the URLs where needed, depending on the environment you are working in.
- Latest info: Connection Details page
- EFPF Development environment:
- https://efpf-security-portal.salzburgresearch.at/auth/
- Master realm is used
- EFPF Testing environment:
- https://ds-test.smecluster.com/auth/
- Master realm is used
- EFPF Production environment:
- https://efpf.smecluster.com/auth/
- EFPF realm is used
Scope
- This guide contains instructions for setting up SSO for platforms (each consisting of one or more tools/services) that already have their own, private Identity Provider (IdP).
- Once SSO is enabled for the platform, it is automatically enabled for all tools/services in that platform.
- If your tools/services do not have an associated IdP and you therefore want to use the EFPF IdP (EFS Keycloak) as their primary IdP, refer to the SSO instructions in the User Guide 101 for Tool/Service/Data Providers instead.
Enabling SSO for Platforms
This guide shows how to set up SSO with EFS Keycloak in two different ways:
1. EFS SSO Setup with a Keycloak Identity Provider (IDP) in the base platform.
2. EFS SSO Setup with a non-Keycloak IDP in the base platform.
EFS SSO Setup With Keycloak as the Base Platform IDP
This tutorial explains how to set up Single Sign On (SSO) with EFS by configuring EFS Keycloak as a trusted Identity Provider (IdP) in the Keycloak instance that acts as the IdP of your base platform.
Follow the steps below to register EFS Keycloak as a trusted IdP in your base platform Keycloak so that EFS users can log in to the base platform via SSO.
Set up a trusted client in EFS
You need to create a client in EFS that represents your base platform (e.g. NIMBLE client, Composition client).
Step 1
Create a Client in Keycloak
- For Dev/Test environment: in Master Realm
- For Prod environment: in EFPF Realm
Figure 1 : Create a new Client in EFS
Step 2
Create a client for the relevant base platform and select OpenID Connect as the client protocol.
Figure 2 : Create a new OpenID-Connect Client in EFS
Step 3
Provide a valid redirect URL to which the user is sent back after a successful login. This must be the URL of the base platform Keycloak, specifically the endpoint of the identity-provider entry you will create there (in Keycloak this is https://<base-platform-host>/auth/realms/<realm>/broker/<alias>/endpoint). Register that exact URL; do not use a wildcard such as https://<base-platform-host>/*, because any page on that host could then receive authorization codes issued for the client.
Figure 3 : Configure redirect URL
Step 4
Note down the client ID (e.g. nimble-federation-client) and the client secret; both are entered in the base platform when EFS is added there as a trusted identity provider. A secret is only generated when the client's Access Type is set to confidential, so check that setting if the Credentials tab is missing. Treat the secret like a password: share it with the base platform admin over a secure channel only, and regenerate it in EFS if it is ever exposed.
Step 5 (Optional)
Depending on the security requirements, the admin can additionally assign roles and scopes to the client.
Figure 4 : Configure Client Roles
Setup EFPF as the trusted IDP in a Base Platform
Step 1
- Log in to the base platform's Keycloak admin console and add a new Identity Provider.
- Select Keycloak OpenID Connect as the provider type.
Figure 5 : Created as trusted IDP
Step 2
- Provide an alias and a display name, and enable the provider. The alias is later used as the value of kc_idp_hint, so choose it deliberately (e.g. EFS).
- Configure the EFPF IdP endpoints in this tab (authorization URL, token URL, logout URL, user info URL and issuer). The values for the EFS Keycloak realm are published at <EFS Keycloak URL>/realms/<realm>/.well-known/openid-configuration; use the realm for your environment (see the Notes above).
- Copy the client ID and secret of the EFPF trusted client created above into the corresponding fields.
Figure 6 : Configure EFS as the trusted IDP
After the identity provider has been configured, the login page of the base platform Keycloak shows an additional "Login with EFPF" option.
Figure 7 : Login with EFPF to the base platform
SSO with External Login Pages
If you are using an external login page instead of the Keycloak login page, you need to pass an IdP hint to the base platform's Keycloak so that it skips its own login form and redirects straight to EFS. Append kc_idp_hint with the alias you gave the identity provider (EFS in this example) to the authorization URL:
https://{base-platform-host}/auth/realms/{realm}/protocol/openid-connect/auth?...&kc_idp_hint=EFS
Configure Trust Store for Keycloak
The two Keycloak servers talk to each other over TLS (the base platform fetches tokens and user info from EFS). If either server's TLS certificate is not issued by a CA that the other server's Java runtime already trusts (for example a self-signed certificate or one from a private CA), the public certificate must be imported into the other server's Keycloak truststore; otherwise the token exchange fails with a TLS handshake error. Only exchange public certificates, never private keys.
The following documentation provides the steps for configuring the truststore: https://www.keycloak.org/docs/7.0/server_installation/#_truststore
EFS SSO Setup With Non Keycloak IDPs
This tutorial explains how to enable SSO between EFS Keycloak and a base platform whose identity provider is not based on Keycloak.
Set up a trusted client in EFS
Create a trusted client in EFPF Keycloak as described in the previous tutorial and set its redirect URL to the callback endpoint of the base platform IdP (again, the exact URL rather than a wildcard).
Figure 1 : Create a new Client in EFS
Obtain an active login session from EFS
Log in to EFS so that your user has an active login session; the subsequent steps require it.
Log in to the EFS portal here: https://efpf-security-portal.salzburgresearch.at/auth/
Obtain an authorization code for the user
Redirect the user to the following URL, replacing the placeholder values (client_id, redirect_uri) with those of your trusted client. The redirect_uri must match one of the redirect URLs registered for the client exactly. The nonce (here the example value ccd9) should be a fresh random value per request; it is echoed back in the ID token and lets you tie the token to this login attempt. Also add a random state parameter and verify it on return, so that a callback carrying a code cannot be injected into a session it does not belong to.
https://efpf-security-portal.salzburgresearch.at/auth/realms/master/protocol/openid-connect/auth?client_id=your_client_id&redirect_uri=your_redirect_uri&response_type=code&scope=openid&nonce=ccd9
If the user is already logged in to EFPF, EFS redirects the browser to the given redirect_uri with an authorization code appended as the code query parameter. Extract the code value from that URL. The code is single-use and short-lived, so exchange it immediately.
Obtain an ID Token with the Authorization Code Grant Type
Exchange the code from the previous step for tokens with a POST to the token endpoint. This is a back-channel call from the base platform, authenticated with the client secret, so it must not be made from the browser. The redirect_uri must be byte-for-byte identical to the one used in the authorization request, or the exchange is rejected. The JSON response contains the ID token (id_token), an access token and a refresh token.
curl -L -X POST \
  --url 'https://efpf-security-portal.salzburgresearch.at/auth/realms/master/protocol/openid-connect/token' \
  -H 'content-type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=authorization_code' \
  --data-urlencode 'client_id=your_client_id' \
  --data-urlencode 'client_secret=your_client_secret' \
  --data-urlencode 'code=your_authorization_code' \
  --data-urlencode 'redirect_uri=your_redirect_uri'
Decode the ID Token to obtain the user details
Decode the ID token to obtain details about the logged-in user (sub, preferred_username, email, and so on). The token is a JSON Web Token (JWT): three base64url-encoded parts, header, payload and signature, separated by dots, and it can be decoded in any programming language. Decoding alone proves nothing, however, because anyone can produce a payload with arbitrary claims. Before using the claims to create or log in a user, verify the signature against the public signing key of the EFS realm (published at the realm's JWKS endpoint), reject any token whose header alg is not the expected RS256, and check that iss is the EFS realm URL, aud contains your client ID, exp has not passed, and nonce equals the value you sent in the authorization request. Use the ID token for identity; the access token is meant for calling resource servers, not for establishing who logged in.
e.g.: https://stackoverflow.com/questions/38340078/how-to-decode-jwt-token
Create the User in the base platform
Create the user in the base platform from the verified claims (if the user does not exist yet, keyed by the stable sub claim rather than by a changeable attribute such as email) and log the user in automatically (SSO).
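The token-handling steps above (obtain an ID token, decode it, verify it, then use the claims for the base-platform user), as an added example that is not part of the original guide and not EFS or Keycloak code. It is a Python script using only the standard library: RS256 (RSASSA-PKCS1-v1_5 with SHA-256) is implemented directly so the script runs offline, the realm signing key is replaced by a throwaway RSA key pair generated at start-up (an assumption standing in for the key a real deployment fetches from <issuer>/protocol/openid-connect/certs), and the ID token is constructed locally. The issuer URL is the Development realm from the guide; your_client_id is the guide's placeholder; the kid demo-kid, the user alice and the claim values are made up. verify_id_token is the part to keep: it refuses tokens with an unexpected alg, an unknown kid, a bad signature, a wrong iss or aud, a past exp, or a nonce that does not match the one sent in the authorization request.

```python
# Added example (not from the EFS guide): decode *and verify* a Keycloak ID token
# before trusting its claims. RS256 is implemented with the standard library so the
# script runs offline; the realm key and the token are constructed stand-ins.
import base64, hashlib, hmac, json, random, time

ISSUER = "https://efpf-security-portal.salzburgresearch.at/auth/realms/master"
CLIENT_ID = "your_client_id"  # placeholder, as in the guide
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017, 9.2

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def is_probable_prime(n, rounds=32):
    """Miller-Rabin: adequate for a demo key, never for a production one."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_key(bits=1024, e=65537):
    """Throwaway RSA key pair standing in for the realm's RS256 signing key (assumption)."""
    def prime(b):
        while True:
            p = random.getrandbits(b) | (1 << (b - 1)) | 1
            if (p - 1) % e and is_probable_prime(p):
                return p
    p, q = prime(bits // 2), prime(bits // 2)
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def emsa_pkcs1_v15(message, em_len):
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def rs256_sign(signing_input, key):
    k = (key["n"].bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15(signing_input, k), "big")
    return pow(m, key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(signing_input, signature, jwk):
    """Verify against a JWK-style public key given as {'n': int, 'e': int}."""
    k = (jwk["n"].bit_length() + 7) // 8
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), jwk["e"], jwk["n"]).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15(signing_input, k))

def make_id_token(claims, key, kid="demo-kid"):
    """Build a signed JWT the way the realm would; used here only to construct sample input."""
    head = b64url_encode(json.dumps({"alg": "RS256", "kid": kid}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{head}.{body}." + b64url_encode(rs256_sign(f"{head}.{body}".encode(), key))

def verify_id_token(token, jwks, expected_nonce, now=None):
    """Return the claims only if alg, kid, signature, iss, aud, exp and nonce all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "RS256":  # never let the token choose: rejects 'none' and HS256
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    jwk = jwks.get(header.get("kid"))
    if jwk is None:
        raise ValueError("unknown kid")
    if not rs256_verify(f"{parts[0]}.{parts[1]}".encode(), b64url_decode(parts[2]), jwk):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if CLIENT_ID not in aud:
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired or missing exp")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims

# Constructed sample: a stand-in realm key and an ID token for user "alice", frozen in time.
DEMO_NOW = 1_700_000_000
DEMO_KEY = generate_rsa_key()
DEMO_JWKS = {"demo-kid": {"n": DEMO_KEY["n"], "e": DEMO_KEY["e"]}}
DEMO_TOKEN = make_id_token({"iss": ISSUER, "aud": CLIENT_ID, "exp": DEMO_NOW + 300,
                            "iat": DEMO_NOW, "nonce": "ccd9", "sub": "f1e2d3c4",
                            "preferred_username": "alice", "email": "alice@example.org"}, DEMO_KEY)

def demo():
    """Verified claims for the sample token; these are what the base platform creates its user from."""
    return verify_id_token(DEMO_TOKEN, DEMO_JWKS, expected_nonce="ccd9", now=DEMO_NOW)
```

In a real integration, replace DEMO_JWKS with the keys from the realm's certs endpoint (converting each JWK's base64url n and e to integers), pass the nonce you stored in the user's session as expected_nonce, and only then look up or create the base-platform user by the sub claim. A library such as PyJWT performs the same checks; what matters is that none of them are skipped.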