1) Install and configure Keycloak
Download and install the latest Keycloak distribution (tested with 1.8.0). Start Keycloak in standalone mode by running 'sh bin/standalone.sh'.
1.1) Create users in Keycloak
First we need to create an admin user by navigating to the following URL, and entering a password:
- http://localhost:8080/auth/
1.2) Create a new client application in Keycloak
Now we will create a new client application for the Fediz IdP in Keycloak. Select "Clients" in the left-hand menu, and click on "Create". Specify the following values:
- Client ID: realma-client
- Client protocol: openid-connect
- Root URL: https://localhost:8443/fediz-idp/federation
- Select "Access Type" to be "confidential".
1.3) Export the Keycloak signing certificate
Finally, we need to export the Keycloak signing certificate so that the Fediz IdP can validate the signed JWT Token from Keycloak. Select "Realm Settings" (for "realmb") and click on the "Keys" tab. Copy and save the value specified in the "Certificate" text field.
1.4) Testing the Keycloak configuration
It's possible to see the Keycloak OpenId Connect configuration by navigating to:
- http://localhost:8080/auth/realms/realmb/.well-known/openid-configuration
- http://localhost:8080/auth/realms/realmb/protocol/openid-connect/auth?response_type=code&client_id=realma-client&redirect_uri=https://localhost:8443/fediz-idp/federation&scope=openid
- curl -u realma-client:<secret> --data "client_id=realma-client&grant_type=authorization_code&code=<code>&redirect_uri=https://localhost:8443/fediz-idp/federation" http://localhost:8080/auth/realms/realmb/protocol/openid-connect/token
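The token endpoint response above carries a signed id_token, and the reason for exporting the realm certificate in step 1.3 is that the Fediz IdP must verify that signature and the token's claims before trusting it. The following is an added stand-alone Python example of those relying-party checks (RS256 signature, alg, iss, aud, exp); it is not code from Fediz or Keycloak, uses only the standard library, and assumes a constructed demo RSA key in place of the key from the exported Keycloak certificate, with the issuer and client id taken from this page.

```python
import base64, hashlib, json, time
ISSUER = "http://localhost:8080/auth/realms/realmb"   # realm URL from the page
CLIENT_ID = "realma-client"
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def pkcs1_v15_em(msg: bytes, k: int) -> bytes:
    # EMSA-PKCS1-v1_5 encoding of SHA-256(msg) for a k-byte modulus
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def verify_rs256(signing_input: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return em == pkcs1_v15_em(signing_input, k)

def validate_id_token(token: str, n: int, e: int, now: float = None) -> dict:
    # Return the claims if the token is acceptable for this client, else raise ValueError
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "RS256":   # reject 'none' and others
        raise ValueError("unexpected alg")
    if not verify_rs256((h + "." + p).encode(), b64url_decode(s), n, e):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if (time.time() if now is None else now) >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

# Constructed demo key (two Mersenne primes) so the block runs offline with no crypto library.
# A deployment takes n and e from the exported Keycloak certificate instead.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(65537, -1, (P - 1) * (Q - 1))

def sign_rs256(claims: dict) -> str:
    # Mint a constructed sample id_token the way Keycloak's realm key would (demo only)
    h = b64url_encode(b'{"alg":"RS256","typ":"JWT"}')
    p = b64url_encode(json.dumps(claims).encode())
    k = (N.bit_length() + 7) // 8
    sig = pow(int.from_bytes(pkcs1_v15_em((h + "." + p).encode(), k), "big"), D, N)
    return h + "." + p + "." + b64url_encode(sig.to_bytes(k, "big"))
```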
2) Install and configure the Apache CXF Fediz IdP and sample Webapp
Follow a previous tutorial to deploy the latest Fediz IdP + STS to Apache Tomcat, as well as the "simpleWebapp". Note that you will need to use Fediz 1.3.0 here (or the latest SNAPSHOT version) for OpenId Connect support. Test that the "simpleWebapp" is working correctly by navigating to the following URL (selecting "realm A" at the IdP, and authenticating as "alice/ecila"):
- https://localhost:8443/fedizhelloworld/secure/fedservlet
Now we will configure the Fediz IdP to authenticate the user in "realm B" by using the OpenId Connect protocol. Edit 'webapps/fediz-idp/WEB-INF/classes/entities-realma.xml'. In the 'idp-realmA' bean:
- Change the port in "idpUrl" to "8443".
- Change the "url" value to "http://localhost:8080/auth/realms/realmb/protocol/openid-connect/auth".
- Change the "protocol" value to "openid-connect-1.0".
- Change the "certificate" value to "keycloak.cert".
- Add the following parameters Map, filling in a value for the client secret extracted above:
    <property name="parameters">
        <util:map>
            <entry key="client.id" value="realma-client"/>
            <entry key="client.secret" value="<secret>"/>
            <entry key="token.endpoint" value="http://localhost:8080/auth/realms/realmb/protocol/openid-connect/token"/>
        </util:map>
    </property>
Copy 'webapps/fediz-idp/WEB-INF/classes/realmb.cert' to a new file called 'webapps/fediz-idp/WEB-INF/classes/keycloak.cert'. Edit this file and replace the content between the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines with the Keycloak signing certificate retrieved in step "1.3" above.
Restart Fediz to pick up the changes (you may need to remove the persistent storage first).
3) Testing the service
To test the service navigate to:
- https://localhost:8443/fedizhelloworld/secure/fedservlet