EFS User Guide

Notes:

Scope

  • This guide contains instructions for setting up SSO for platforms (that contain one/more tools/services) that have their own, private Identity Providers (IdPs).
  • Once SSO is enabled for the platform, SSO is automatically enabled for all the tools/services in that platform.
  • If you want to enable SSO for tools/services that do not already have an associated IdP, and therefore want to use the EFPF IdP (EFS Keycloak) as the primary IdP, refer to the SSO instructions in the User Guide 101 for Tool/Service/Data Providers instead.

Enabling SSO for Platforms

In this guide, you will learn how to set up SSO with EFS Keycloak in two different ways.

1. EFS SSO Setup with a Keycloak Identity Provider (IDP) in the base platform.

2. EFS SSO Setup with a non-Keycloak IDP in the base platform.

EFS SSO Setup With Keycloak as the Base Platform IDP

This tutorial explains how to set up Single Sign On (SSO) in EFS by configuring EFS Keycloak as a trusted Identity Provider (IDP) in a base platform Keycloak IDP.

Follow the steps below to configure EFS Keycloak as a trusted IDP in your base platform Keycloak and enable SSO for EFS users.

Set up a trusted client in EFS

You need to create a client in EFS for your base platform (e.g. a NIMBLE client or a Composition client).

Step 1

Create a Client in Keycloak

  • For Dev/Test environment: in Master Realm
  • For Prod environment: in EFPF Realm

Figure 1: Create a new Client in EFS

Step 2

Create a client for the relevant base platform and select OpenID Connect as the client protocol.

Figure 2: Create a new OpenID-Connect Client in EFS

Step 3

Provide a valid redirect URL to which the user is sent after a successful login. This should be the base platform Keycloak URL.

Figure 3: Configure redirect URL

Step 4

Note down the client id (e.g. nimble-federation-client) and the client secret; both are provided to the base platform when it registers EFS as a trusted identity provider.

Step 5 (Optional)

Based on the security requirements, the admin can assign roles and scopes to the client.

Figure 4: Configure Client Roles

Setup EFPF as the trusted IDP in a Base Platform

Step 1

  • Log in to the base platform's Keycloak and create a trusted Identity Provider.
  • Select Keycloak OpenID Connect as the identity provider type.

Figure 5: Created as trusted IDP

Step 2

  • Provide a display name and an alias, and enable the identity provider.
  • Configure the EFPF IDP related information in this tab.
  • Copy the client ID and secret from the EFPF trusted client (Step 4 above) into the relevant fields.

Figure 6: Configure EFS as the trusted IDP

After the trusted identity provider is configured, the base platform's Keycloak login page shows a "Login with EFPF" option.

Figure 7: Login with EFPF to the base platform

SSO with External Login Pages

If you are using an external login page instead of the Keycloak login page, you need to pass an IDP hint to the base platform's Keycloak, as below, so that the user is sent straight to EFS instead of the base platform's own login form.

https://{}/realms/{}/protocol/openid-connect/auth?...&kc_idp_hint=EFS

Configure Trust Store for Keycloak

Each Keycloak server's public certificate must be added to the other server's truststore, so that the EFPF and base platform Keycloak servers trust each other's TLS certificates.

The following documentation provides the steps on how to configure the truststore: https://www.keycloak.org/docs/7.0/server_installation/#_truststore

EFS SSO Setup With Non Keycloak IDPs

This tutorial explains how to enable SSO between EFS Keycloak and a non-Keycloak identity provider in a base platform.

Set up a trusted client in EFS

Create a trusted client in EFPF Keycloak and configure the redirect URL to the base platform IDP.

Figure 1: Create a new Client in EFS

Obtain an active login session from EFS

Log in to EFS so that your user has an active login session. This is required for the subsequent steps.

Log in to the EFS portal here: https://efpf-security-portal.salzburgresearch.at/auth/

Obtain an authorization code for the user

Redirect the user to the following URL, replacing the placeholder values (your_client_id, your_redirect_uri and the nonce) with your own.

https://efpf-security-portal.salzburgresearch.at/auth/realms/master/protocol/openid-connect/auth?client_id=your_client_id&redirect_uri=your_redirect_uri&response_type=code&scope=openid&nonce=ccd9

If the user already has an EFPF session, EFS redirects the browser to the given redirect_uri with an authorization code in the query string. Extract the code value from that URL.

Obtain an ID Token with the Authorization Code Grant Type

Use the code value from the previous step and make a REST call to the token endpoint to obtain an ID token.

curl -L -X POST \
  --url 'https://efpf-security-portal.salzburgresearch.at/auth/realms/master/protocol/openid-connect/token' \
  -H 'content-type: application/x-www-form-urlencoded' \
  --data-urlencode grant_type=authorization_code \
  --data-urlencode client_id=your_client_id \
  --data-urlencode client_secret=your_client_secret \
  --data-urlencode code=your_authorization_code \
  --data-urlencode redirect_uri=your_redirect_url

Decode the ID Token to obtain the user details

Decode the ID token (or access token) to get the details of the logged-in user. The token is a JSON Web Token (JWT) and can be decoded in any programming language. Before the user details are trusted, the base platform should verify the token's signature against the EFS realm's public key and check that the issuer, audience (your client id), expiry and nonce match what it expects.

e.g. https://stackoverflow.com/questions/38340078/how-to-decode-jwt-token

Create the User in the base platform

Create the user in the base platform from the details in the ID token and log the user in automatically (SSO).
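As an added example (not part of this guide or the EFS project), the following Python code covers the authorization-code and ID-token steps above for a non-Keycloak base platform: it builds the authorization URL with a nonce and state, and after the token exchange checks the ID token's iss, aud, exp and nonce claims before the user details are used to create the base platform user. The client id, redirect URI, nonce and state are assumed placeholder values, the sample token is constructed, and RS256 signature verification against the realm's JWKS is assumed to be done separately.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Endpoint values are from the guide; client id, redirect URI, nonce and state are
# placeholders that the base platform replaces with its own values.
EFS_BASE = "https://efpf-security-portal.salzburgresearch.at/auth"
ISSUER = f"{EFS_BASE}/realms/master"

def build_auth_url(client_id, redirect_uri, nonce, state):
    """URL for the 'Obtain an authorization code' step (same query as in the guide)."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": "openid",
              "nonce": nonce,   # bound into the ID token and checked below
              "state": state}   # echoed on the redirect; reject unknown values
    return f"{ISSUER}/protocol/openid-connect/auth?{urlencode(params)}"

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def check_id_token_claims(id_token, client_id, expected_nonce, now=None):
    """Decode the ID token payload and check iss, aud, exp and nonce.
    The RS256 signature must be verified against the realm's JWKS
    (.../protocol/openid-connect/certs) before these claims are trusted."""
    now = time.time() if now is None else now
    header_b64, payload_b64, _signature = id_token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg", "none") == "none":
        raise ValueError("unsigned token")
    claims = json.loads(_b64url_decode(payload_b64))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if client_id not in aud:
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims

def make_constructed_token(claims):
    """Constructed sample JWT for offline demonstration; the signature is a dummy."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummysig"
```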
