diff --git a/.gitignore b/.gitignore
index 8a1ae8023b..79d65e0654 100644
--- a/.gitignore
+++ b/.gitignore
@@ -42,6 +42,7 @@ tools/docker-compose/_build
tools/docker-compose/_sources
tools/docker-compose/overrides/
tools/docker-compose-minikube/_sources
+tools/docker-compose/keycloak.awx.realm.json
# Tower setup playbook testing
setup/test/roles/postgresql
diff --git a/Makefile b/Makefile
index ce82634869..9d6663a57c 100644
--- a/Makefile
+++ b/Makefile
@@ -13,6 +13,8 @@ COLLECTION_VERSION := $(shell $(PYTHON) setup.py --version | cut -d . -f 1-3)
COMPOSE_TAG ?= $(GIT_BRANCH)
COMPOSE_HOST ?= $(shell hostname)
MAIN_NODE_TYPE ?= hybrid
+# If set to true docker-compose will also start a keycloak instance
+KEYCLOAK ?= false
VENV_BASE ?= /var/lib/awx/venv
@@ -468,7 +470,8 @@ docker-compose-sources: .git/hooks/pre-commit
-e receptor_image=$(RECEPTOR_IMAGE) \
-e control_plane_node_count=$(CONTROL_PLANE_NODE_COUNT) \
-e execution_node_count=$(EXECUTION_NODE_COUNT) \
- -e minikube_container_group=$(MINIKUBE_CONTAINER_GROUP)
+ -e minikube_container_group=$(MINIKUBE_CONTAINER_GROUP) \
+ -e enable_keycloak=$(KEYCLOAK)
docker-compose: awx/projects docker-compose-sources
diff --git a/awx/settings/defaults.py b/awx/settings/defaults.py
index 5fbc0dfd32..8725b7478f 100644
--- a/awx/settings/defaults.py
+++ b/awx/settings/defaults.py
@@ -473,6 +473,7 @@ SOCIAL_AUTH_SAML_PIPELINE = _SOCIAL_AUTH_PIPELINE_BASE + (
'awx.sso.pipeline.update_user_teams_by_saml_attr',
'awx.sso.pipeline.update_user_orgs',
'awx.sso.pipeline.update_user_teams',
+ 'awx.sso.pipeline.update_user_flags',
)
SAML_AUTO_CREATE_OBJECTS = True
@@ -535,6 +536,7 @@ SOCIAL_AUTH_SAML_ENABLED_IDPS = {}
SOCIAL_AUTH_SAML_ORGANIZATION_ATTR = {}
SOCIAL_AUTH_SAML_TEAM_ATTR = {}
+SOCIAL_AUTH_SAML_USER_FLAGS_BY_ATTR = {}
# Any ANSIBLE_* settings will be passed to the task runner subprocess
# environment
diff --git a/awx/sso/backends.py b/awx/sso/backends.py
index 4f039b1783..727cacab20 100644
--- a/awx/sso/backends.py
+++ b/awx/sso/backends.py
@@ -292,9 +292,12 @@ class SAMLAuth(BaseSAMLAuth):
user = super(SAMLAuth, self).authenticate(request, *args, **kwargs)
# Comes from https://github.com/omab/python-social-auth/blob/v0.2.21/social/backends/base.py#L91
if getattr(user, 'is_new', False):
- _decorate_enterprise_user(user, 'saml')
+ enterprise_auth = _decorate_enterprise_user(user, 'saml')
+ logger.debug("Created enterprise user %s from %s backend." % (user.username, enterprise_auth.get_provider_display()))
elif user and not user.is_in_enterprise_category('saml'):
return None
+ if user:
+ logger.debug("Enterprise user %s already created in Tower." % user.username)
return user
def get_user(self, user_id):
diff --git a/awx/sso/conf.py b/awx/sso/conf.py
index a5c57dc4d1..2faf342934 100644
--- a/awx/sso/conf.py
+++ b/awx/sso/conf.py
@@ -32,6 +32,7 @@ from awx.sso.fields import (
SAMLOrgInfoField,
SAMLSecurityField,
SAMLTeamAttrField,
+ SAMLUserFlagsAttrField,
SocialOrganizationMapField,
SocialTeamMapField,
)
@@ -1523,6 +1524,25 @@ register(
),
)
+register(
+ 'SOCIAL_AUTH_SAML_USER_FLAGS_BY_ATTR',
+ field_class=SAMLUserFlagsAttrField,
+ allow_null=True,
+ default=None,
+ label=_('SAML User Flags Attribute Mapping'),
+ help_text=_('Used to map super users and system auditors from SAML.'),
+ category=_('SAML'),
+ category_slug='saml',
+ placeholder=[
+ ('is_superuser_attr', 'saml_attr'),
+ ('is_superuser_value', 'value'),
+ ('is_superuser_role', 'saml_role'),
+ ('is_system_auditor_attr', 'saml_attr'),
+ ('is_system_auditor_value', 'value'),
+ ('is_system_auditor_role', 'saml_role'),
+ ],
+)
+
def tacacs_validate(serializer, attrs):
if not serializer.instance or not hasattr(serializer.instance, 'TACACSPLUS_HOST') or not hasattr(serializer.instance, 'TACACSPLUS_SECRET'):
diff --git a/awx/sso/fields.py b/awx/sso/fields.py
index deef330842..cd3e2195de 100644
--- a/awx/sso/fields.py
+++ b/awx/sso/fields.py
@@ -735,3 +735,15 @@ class SAMLTeamAttrField(HybridDictField):
saml_attr = fields.CharField(required=False, allow_null=True)
child = _Forbidden()
+
+
+class SAMLUserFlagsAttrField(HybridDictField):
+
+ is_superuser_attr = fields.CharField(required=False, allow_null=True)
+ is_superuser_value = fields.CharField(required=False, allow_null=True)
+ is_superuser_role = fields.CharField(required=False, allow_null=True)
+ is_system_auditor_attr = fields.CharField(required=False, allow_null=True)
+ is_system_auditor_value = fields.CharField(required=False, allow_null=True)
+ is_system_auditor_role = fields.CharField(required=False, allow_null=True)
+
+ child = _Forbidden()
diff --git a/awx/sso/pipeline.py b/awx/sso/pipeline.py
index 5e95aa3fbe..6b07fed978 100644
--- a/awx/sso/pipeline.py
+++ b/awx/sso/pipeline.py
@@ -229,3 +229,69 @@ def update_user_teams_by_saml_attr(backend, details, user=None, *args, **kwargs)
if team_map.get('remove', True):
[t.member_role.members.remove(user) for t in Team.objects.filter(Q(member_role__members=user) & ~Q(id__in=team_ids))]
+
+
+def _check_flag(user, flag, attributes, user_flags_settings):
+ new_flag = False
+ is_role_key = "is_%s_role" % (flag)
+ is_attr_key = "is_%s_attr" % (flag)
+ is_value_key = "is_%s_value" % (flag)
+
+ # Check to see if we are respecting a role and, if so, does our user have that role?
+ role_setting = user_flags_settings.get(is_role_key, None)
+ if role_setting:
+ # We do a 2 layer check here so that we don't spit out the else message if there is no role defined
+ if role_setting in attributes.get('Role', []):
+ logger.debug("User %s has %s role %s" % (user.username, flag, role_setting))
+ new_flag = True
+ else:
+ logger.debug("User %s is missing the %s role %s" % (user.username, flag, role_setting))
+
+ # Next, check to see if we are respecting an attribute; this will take priority over the role if its defined
+ attr_setting = user_flags_settings.get(is_attr_key, None)
+ if attr_setting and attributes.get(attr_setting, None):
+ # Do we have a required value for the attribute
+ if user_flags_settings.get(is_value_key, None):
+ # If so, check and see if the value of the attr matches the required value
+ attribute_value = attributes.get(attr_setting, None)
+ if isinstance(attribute_value, (list, tuple)):
+ attribute_value = attribute_value[0]
+ if attribute_value == user_flags_settings.get(is_value_key):
+ logger.debug("Giving %s %s from attribute %s with matching value" % (user.username, flag, attr_setting))
+ new_flag = True
+ # if they don't match make sure that new_flag is false
+ else:
+ logger.debug(
+ "Refusing %s for %s because attr %s (%s) did not match value '%s'"
+ % (flag, user.username, attr_setting, attribute_value, user_flags_settings.get(is_value_key))
+ )
+ new_flag = False
+ # If there was no required value then we can just allow them in because of the attribute
+ else:
+ logger.debug("Giving %s %s from attribute %s" % (user.username, flag, attr_setting))
+ new_flag = True
+
+ # If the user was flagged and we are going to make them not flagged make sure there is a message
+ old_value = getattr(user, "is_%s" % (flag))
+ if old_value and not new_flag:
+ logger.debug("Revoking %s from %s" % (flag, user.username))
+
+ return new_flag, old_value != new_flag
+
+
+def update_user_flags(backend, details, user=None, *args, **kwargs):
+ if not user:
+ return
+
+ from django.conf import settings
+
+ user_flags_settings = settings.SOCIAL_AUTH_SAML_USER_FLAGS_BY_ATTR
+
+ attributes = kwargs.get('response', {}).get('attributes', {})
+ logger.debug("User attributes for %s: %s" % (user.username, attributes))
+
+ user.is_superuser, superuser_changed = _check_flag(user, 'superuser', attributes, user_flags_settings)
+ user.is_system_auditor, auditor_changed = _check_flag(user, 'system_auditor', attributes, user_flags_settings)
+
+ if superuser_changed or auditor_changed:
+ user.save()
diff --git a/awx/sso/tests/functional/test_pipeline.py b/awx/sso/tests/functional/test_pipeline.py
index 5a4307a0fa..953336d389 100644
--- a/awx/sso/tests/functional/test_pipeline.py
+++ b/awx/sso/tests/functional/test_pipeline.py
@@ -4,7 +4,7 @@ from unittest import mock
from django.utils.timezone import now
-from awx.sso.pipeline import update_user_orgs, update_user_teams, update_user_orgs_by_saml_attr, update_user_teams_by_saml_attr
+from awx.sso.pipeline import update_user_orgs, update_user_teams, update_user_orgs_by_saml_attr, update_user_teams_by_saml_attr, _check_flag
from awx.main.models import User, Team, Organization, Credential, CredentialType
@@ -357,3 +357,73 @@ class TestSAMLAttr:
for o in Organization.objects.all():
assert o.galaxy_credentials.count() == 1
assert o.galaxy_credentials.first().name == 'Ansible Galaxy'
+
+
+@pytest.mark.django_db
+class TestSAMLUserFlags:
+ @pytest.mark.parametrize(
+ "user_flags_settings, expected",
+ [
+ # In this case we will pass no user flags so new_flag should be false and changed will def be false
+ (
+ {},
+ (False, False),
+ ),
+ # In this case we will give the user a group to make them an admin
+ (
+ {'is_superuser_role': 'test-role-1'},
+ (True, True),
+ ),
+ # In this case we will give the user a flag that will make then an admin
+ (
+ {'is_superuser_attr': 'is_superuser'},
+ (True, True),
+ ),
+ # In this case we will give the user a flag but the wrong value
+ (
+ {'is_superuser_attr': 'is_superuser', 'is_superuser_value': 'junk'},
+ (False, False),
+ ),
+ # In this case we will give the user a flag and the right value
+ (
+ {'is_superuser_attr': 'is_superuser', 'is_superuser_value': 'true'},
+ (True, True),
+ ),
+ # In this case we will give the user a proper role and an is_superuser_attr role that they dont have, this should make them an admin
+ (
+ {'is_superuser_role': 'test-role-1', 'is_superuser_attr': 'gibberish', 'is_superuser_value': 'true'},
+ (True, True),
+ ),
+ # In this case we will give the user a proper role and an is_superuser_attr role that they have, this should make them an admin
+ (
+ {'is_superuser_role': 'test-role-1', 'is_superuser_attr': 'test-role-1'},
+ (True, True),
+ ),
+ # In this case we will give the user a proper role and an is_superuser_attr role that they have but a bad value, this should make them an admin
+ (
+ {'is_superuser_role': 'test-role-1', 'is_superuser_attr': 'is_superuser', 'is_superuser_value': 'junk'},
+ (False, False),
+ ),
+ # In this case we will give the user everything
+ (
+ {'is_superuser_role': 'test-role-1', 'is_superuser_attr': 'is_superuser', 'is_superuser_value': 'true'},
+ (True, True),
+ ),
+ ],
+ )
+ def test__check_flag(self, user_flags_settings, expected):
+ user = User()
+ user.username = 'John'
+ user.is_superuser = False
+
+ attributes = {
+ 'email': ['noone@nowhere.com'],
+ 'last_name': ['Westcott'],
+ 'is_superuser': ['true'],
+ 'username': ['test_id'],
+ 'first_name': ['John'],
+ 'Role': ['test-role-1'],
+ 'name_id': 'test_id',
+ }
+
+ assert expected == _check_flag(user, 'superuser', attributes, user_flags_settings)
diff --git a/awx/sso/tests/unit/test_fields.py b/awx/sso/tests/unit/test_fields.py
index 8109f9f237..48dd31c0df 100644
--- a/awx/sso/tests/unit/test_fields.py
+++ b/awx/sso/tests/unit/test_fields.py
@@ -3,7 +3,7 @@ from unittest import mock
from rest_framework.exceptions import ValidationError
-from awx.sso.fields import SAMLOrgAttrField, SAMLTeamAttrField, LDAPGroupTypeParamsField, LDAPServerURIField
+from awx.sso.fields import SAMLOrgAttrField, SAMLTeamAttrField, SAMLUserFlagsAttrField, LDAPGroupTypeParamsField, LDAPServerURIField
class TestSAMLOrgAttrField:
@@ -115,6 +115,66 @@ class TestSAMLTeamAttrField:
assert e.value.detail == expected
+class TestSAMLUserFlagsAttrField:
+ @pytest.mark.parametrize(
+ "data",
+ [
+ {},
+ {'is_superuser_attr': 'something'},
+ {'is_superuser_value': 'value'},
+ {'is_superuser_role': 'my_peeps'},
+ {'is_system_auditor_attr': 'something_else'},
+ {'is_system_auditor_value': 'value2'},
+ {'is_system_auditor_role': 'other_peeps'},
+ ],
+ )
+ def test_internal_value_valid(self, data):
+ field = SAMLUserFlagsAttrField()
+ res = field.to_internal_value(data)
+ assert res == data
+
+ @pytest.mark.parametrize(
+ "data, expected",
+ [
+ (
+ {
+ 'junk': 'something',
+ 'is_superuser_value': 'value',
+ 'is_superuser_role': 'my_peeps',
+ 'is_system_auditor_attr': 'else',
+ 'is_system_auditor_value': 'value2',
+ 'is_system_auditor_role': 'other_peeps',
+ },
+ {'junk': ['Invalid field.']},
+ ),
+ (
+ {
+ 'junk': 'something',
+ },
+ {
+ 'junk': ['Invalid field.'],
+ },
+ ),
+ (
+ {
+ 'junk': 'something',
+ 'junk2': 'else',
+ },
+ {
+ 'junk': ['Invalid field.'],
+ 'junk2': ['Invalid field.'],
+ },
+ ),
+ ],
+ )
+ def test_internal_value_invalid(self, data, expected):
+ field = SAMLUserFlagsAttrField()
+ with pytest.raises(ValidationError) as e:
+ field.to_internal_value(data)
+ print(e.value.detail)
+ assert e.value.detail == expected
+
+
class TestLDAPGroupTypeParamsField:
@pytest.mark.parametrize(
"group_type, data, expected",
diff --git a/awx/ui/src/screens/Setting/SAML/SAML.test.js b/awx/ui/src/screens/Setting/SAML/SAML.test.js
index 6e49111f81..f3e9653db1 100644
--- a/awx/ui/src/screens/Setting/SAML/SAML.test.js
+++ b/awx/ui/src/screens/Setting/SAML/SAML.test.js
@@ -31,6 +31,7 @@ describe('', () => {
SOCIAL_AUTH_SAML_TEAM_MAP: {},
SOCIAL_AUTH_SAML_ORGANIZATION_ATTR: {},
SOCIAL_AUTH_SAML_TEAM_ATTR: {},
+ SOCIAL_AUTH_SAML_USER_FLAGS_BY_ATTR: {},
SAML_AUTO_CREATE_OBJECTS: false,
},
});
diff --git a/awx/ui/src/screens/Setting/SAML/SAMLDetail/SAMLDetail.test.js b/awx/ui/src/screens/Setting/SAML/SAMLDetail/SAMLDetail.test.js
index ecec2207d8..ee478baaad 100644
--- a/awx/ui/src/screens/Setting/SAML/SAMLDetail/SAMLDetail.test.js
+++ b/awx/ui/src/screens/Setting/SAML/SAMLDetail/SAMLDetail.test.js
@@ -37,6 +37,7 @@ describe('', () => {
SOCIAL_AUTH_SAML_TEAM_MAP: {},
SOCIAL_AUTH_SAML_ORGANIZATION_ATTR: {},
SOCIAL_AUTH_SAML_TEAM_ATTR: {},
+ SOCIAL_AUTH_SAML_USER_FLAGS_BY_ATTR: {},
SAML_AUTO_CREATE_OBJECTS: false,
},
});
diff --git a/awx/ui/src/screens/Setting/SAML/SAMLEdit/SAMLEdit.js b/awx/ui/src/screens/Setting/SAML/SAMLEdit/SAMLEdit.js
index 17202503a2..91372ccf5f 100644
--- a/awx/ui/src/screens/Setting/SAML/SAMLEdit/SAMLEdit.js
+++ b/awx/ui/src/screens/Setting/SAML/SAMLEdit/SAMLEdit.js
@@ -89,6 +89,9 @@ function SAMLEdit() {
),
SOCIAL_AUTH_SAML_TEAM_MAP: formatJson(form.SOCIAL_AUTH_SAML_TEAM_MAP),
SOCIAL_AUTH_SAML_TEAM_ATTR: formatJson(form.SOCIAL_AUTH_SAML_TEAM_ATTR),
+ SOCIAL_AUTH_SAML_USER_FLAGS_BY_ATTR: formatJson(
+ form.SOCIAL_AUTH_SAML_USER_FLAGS_BY_ATTR
+ ),
SOCIAL_AUTH_SAML_SECURITY_CONFIG: formatJson(
form.SOCIAL_AUTH_SAML_SECURITY_CONFIG
),
@@ -181,6 +184,10 @@ function SAMLEdit() {
name="SOCIAL_AUTH_SAML_TEAM_ATTR"
config={saml.SOCIAL_AUTH_SAML_TEAM_ATTR}
/>
+
', () => {
SOCIAL_AUTH_SAML_TEAM_MAP: {},
SOCIAL_AUTH_SAML_ORGANIZATION_ATTR: {},
SOCIAL_AUTH_SAML_TEAM_ATTR: {},
+ SOCIAL_AUTH_SAML_USER_FLAGS_BY_ATTR: {},
SOCIAL_AUTH_SAML_SECURITY_CONFIG: {
requestedAuthnContext: false,
},
@@ -180,6 +181,7 @@ describe('', () => {
SOCIAL_AUTH_SAML_SP_PUBLIC_CERT: 'mock_cert',
SOCIAL_AUTH_SAML_SUPPORT_CONTACT: {},
SOCIAL_AUTH_SAML_TEAM_ATTR: {},
+ SOCIAL_AUTH_SAML_USER_FLAGS_BY_ATTR: {},
SOCIAL_AUTH_SAML_TEAM_MAP: {},
SOCIAL_AUTH_SAML_TECHNICAL_CONTACT: {},
SOCIAL_AUTH_SAML_SECURITY_CONFIG: {
diff --git a/awx/ui/src/screens/Setting/shared/data.allSettingOptions.json b/awx/ui/src/screens/Setting/shared/data.allSettingOptions.json
index fe5b71367a..9a50f8c73a 100644
--- a/awx/ui/src/screens/Setting/shared/data.allSettingOptions.json
+++ b/awx/ui/src/screens/Setting/shared/data.allSettingOptions.json
@@ -3706,6 +3706,28 @@
"required": true,
"read_only": false
}
+ },
+ "SOCIAL_AUTH_SAML_USER_FLAGS_BY_ATTR": {
+ "type": "nested object",
+ "required": false,
+ "label": "SAML User Flags Attribute Mapping",
+ "help_text": "Used to map super users and system auditors from SAML.",
+ "category": "SAML",
+ "category_slug": "saml",
+ "placeholder": {
+ "is_superuser_attr": "saml_attr",
+ "is_superuser_value": "value",
+ "is_superuser_role": "saml_role",
+ "is_system_auditor_attr": "saml_attr",
+ "is_system_auditor_value": "value",
+ "is_system_auditor_role": "saml_role"
+ },
+ "default": {},
+ "child": {
+ "type": "field",
+ "required": true,
+ "read_only": false
+ }
}
},
"GET": {
@@ -6305,6 +6327,17 @@
"type": "field"
}
},
+ "SOCIAL_AUTH_SAML_USER_FLAGS_BY_ATTR": {
+ "type": "nested object",
+ "label": "SAML User Flags Attribute Mapping",
+ "help_text": "Used to map super users and system auditors from SAML.",
+ "category": "SAML",
+ "category_slug": "saml",
+ "defined_in_file": false,
+ "child": {
+ "type": "field"
+ }
+ },
"NAMED_URL_FORMATS": {
"type": "nested object",
"label": "Formats of all available named urls",
diff --git a/awx/ui/src/screens/Setting/shared/data.allSettings.json b/awx/ui/src/screens/Setting/shared/data.allSettings.json
index c33a93eccf..d6cc08cd54 100644
--- a/awx/ui/src/screens/Setting/shared/data.allSettings.json
+++ b/awx/ui/src/screens/Setting/shared/data.allSettings.json
@@ -247,6 +247,7 @@
"SOCIAL_AUTH_SAML_TEAM_MAP":null,
"SOCIAL_AUTH_SAML_ORGANIZATION_ATTR":{},
"SOCIAL_AUTH_SAML_TEAM_ATTR":{},
+ "SOCIAL_AUTH_SAML_USER_FLAGS_BY_ATTR":{},
"NAMED_URL_FORMATS":{
"organizations":"",
"teams":"++",
diff --git a/tools/docker-compose/README.md b/tools/docker-compose/README.md
index dab53141ae..c8c4656f60 100644
--- a/tools/docker-compose/README.md
+++ b/tools/docker-compose/README.md
@@ -27,7 +27,7 @@ Here are the main `make` targets:
Notable files:
-- `tools/docker-compose/inventory` file - used to configure the local AWX development deploymen
+- `tools/docker-compose/inventory` file - used to configure the local AWX development deployment
- `migrate.yml` - playbook for migrating data from Local Docker to the Development Environment
### Prerequisites
@@ -241,6 +241,9 @@ $ make docker-compose
- [Start a shell](#start-a-shell)
- [Start AWX from the container shell](#start-awx-from-the-container-shell)
- [Using Logstash](./docs/logstash.md)
+- [Start a Cluster](#start-a-cluster)
+- [Start with Minikube](#start-with-minikube)
+- [Keycloak Integration](#keycloak-integration)
### Start a Shell
@@ -311,3 +314,81 @@ If you want to clean all things once your are done, you can do:
```bash
(host)$ make docker-compose-container-group-clean
```
+
+### Keycloak Integration
+Keycloak is a SAML provider and can be used to test AWX social auth. This section describes how to build a reference Keycloak instance and plumb it with AWX for testing purposes.
+
+First, be sure that you have the awx.awx collection installed by running `make install_collection`.
+Next, make sure you have your containers running by running `make docker-compose`.
+
+Note: The following instructions assume we are using the built-in postgres database container. If you are not using the internal database you can use this guide as a reference, updating the database fields as required for your connection.
+
+We are now ready to run two one time commands to build and pre-populate the Keycloak database.
+
+The first one time command will be creating a Keycloak database in your postgres database by running:
+```bash
+docker exec tools_postgres_1 /usr/bin/psql -U awx --command "create database keycloak with encoding 'UTF8';"
+```
+
+After running this commenad the following message should appear and you should be returned to your prompt:
+```base
+CREATE DATABASE
+```
+
+The second one time command will be to start a Keycloak container to build our admin user; be sure to set pg_username and pg_password to work for you installation. Note: the command below set the username as admin with a password of admin, you can change this if you want. Also, if you are using your own container or have changed the pg_username please update the command accordingly.
+```bash
+PG_PASSWORD=`cat tools/docker-compose/_sources/secrets/pg_password.yml | cut -f 2 -d \'`
+docker run -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin --net=_sources_default \
+ -e DB_VENDOR=postgres -e DB_ADDR=postgres -e DB_DATABASE=keycloak -e DB_USER=awx -e DB_PASSWORD=${PG_PASSWORD} \
+ quay.io/keycloak/keycloak:15.0.2
+```
+
+Once you see a message like: `WFLYSRV0051: Admin console listening on http://127.0.0.1:9990` you can stop the container.
+
+Now that we have performed the one time setup anytime you want to run a Keycloak instance alongside AWX we can start docker-compose with the KEYCLOAK option to get a Keycloak instance with the command:
+```bash
+KEYCLOAK=true make docker-compose
+```
+
+Go ahead and stop your existing docker-compose run and restart with Keycloak before proceeding to the next steps.
+
+Once the containers come up a new port (8443) should be exposed and the Keycloak interface should be running on that port. Connect to this through a url like `https://localhost:8443` to confirm that Keycloak has stared. If you wanted to login and look at Keycloak itself you could select the "Administration console" link and log into the UI the username/password set in the previous `docker run` command. For more information about Keycloak and links to their documentation see their project at https://github.com/keycloak/keycloak.
+
+Now we are ready to configure and plumb Keycloak with AWX. To do this we have provided a playbook which will:
+* Create a certificate for data exchange between Keycloak and AWX.
+* Create a realm in Keycloak with a client for AWX and 3 users.
+* Backup and configure the SMAL adapter in AWX. NOTE: the private key of any existing SAML adapters can not be backed up through the API, you need a DB backup to recover this.
+
+Before we can run the playbook we need to understand that SAML works by sending redirects between AWX and Keycloak through the browser. Because of this we have to tell both AWX and Keycloak how they will construct the redirect URLs. On the Keycloak side, this is done within the realm configuration and on the AWX side its done through the SAML settings. The playbook requires a variable called `container_reference` to be set. The container_reference variable needs to be how your browser will be able to talk to the running containers. Here are some examples of how to choose a proper container_reference.
+* If you develop on a mac which runs a Fedora VM which has AWX running within that and the browser you use to access AWX runs on the mac. The the VM with the container has its own IP that is mapped to a name like `tower.home.net`. In this scenario your "container_reference" could be either the IP of the VM or the tower.home.net friendly name.
+* If you are on a Fedora work station running AWX and also using a browser on your workstation you could use localhost, your work stations IP or hostname as the container_reference.
+
+In addition to container_reference, there are some additional variables which you can override if you need/choose to do so. Here are their names and default values:
+```yaml
+ keycloak_user: admin
+ keycloak_pass: admin
+ cert_subject: "/C=US/ST=NC/L=Durham/O=awx/CN="
+```
+
+* keycloak_(user|pass) need to change if you modified the user when starting the initial container above.
+* cert_subject will be the subject line of the certificate shared between AWX and keycloak you can change this if you like or just use the defaults.
+
+To override any of the variables above you can add more `-e` arguments to the playbook run below. For example, if you simply need to change the `keycloak_pass` add the argument `-r keycloak_pass=my_secret_pass` to the next command.
+
+In addition, you may need to override the username or password to get into your AWX instance. We log into AWX in order to read and write the SAML settings. This can be done in several ways because we are using the awx.awx collection. The easiest way is to set environment variables such as `CONTROLLER_USERNAME`. See the awx.awx documentation for more information on setting environment variables. In the example provided below we are showing an example of specifying a username/password for authentication.
+
+Now that we have all of our variables covered we can run the playbook like:
+```bash
+export CONTROLLER_USERNAME=
+export CONTROLLER_PASSWORD=
+ansible-playbook tools/docker-compose/ansible/plumb_keycloak.yml -e container_reference=
+```
+
+Once the playbook is done running SAML should now be setup in your development environment. This realm has three users with the following username/passwords:
+1. awx_unpriv:unpriv123
+2. awx_admin:admin123
+3. awx_auditor:audit123
+
+The first account is a normal user. The second account has the attribute is_superuser set in Keycloak so will be a super user in AWX. The third account has the is_system_auditor attribute in Keycloak so it will be a system auditor in AWX. To log in with one of these Keycloak users go to the AWX login screen and click the small "Sign In With SAML Keycloak" button at the bottom of the login box.
+
+
diff --git a/tools/docker-compose/ansible/plumb_keycloak.yml b/tools/docker-compose/ansible/plumb_keycloak.yml
new file mode 100644
index 0000000000..d53b63bba3
--- /dev/null
+++ b/tools/docker-compose/ansible/plumb_keycloak.yml
@@ -0,0 +1,81 @@
+---
+- name: Plumb a keycloak instance
+ hosts: localhost
+ connection: local
+ gather_facts: False
+ vars:
+ private_key_file: ../_sources/keycloak.key
+ public_key_file: ../_sources/keycloak.cert
+ awx_host: "https://localhost:8043"
+ keycloak_realm_template: ../_sources/keycloak.awx.realm.json
+ keycloak_user: admin
+ keycloak_pass: admin
+ cert_subject: "/C=US/ST=NC/L=Durham/O=awx/CN="
+ tasks:
+ - name: Generate certificates for keycloak
+ command: 'openssl req -new -x509 -days 365 -nodes -out {{ public_key_file }} -keyout {{ private_key_file }} -subj "{{ cert_subject }}"'
+ args:
+ creates: "{{ public_key_file }}"
+
+ - name: Load certs, existing and new SAML settings
+ set_fact:
+ private_key: "{{ private_key_content }}"
+ public_key: "{{ public_key_content }}"
+ public_key_trimmed: "{{ public_key_content | regex_replace('-----BEGIN CERTIFICATE-----\\\\n', '') | regex_replace('\\\\n-----END CERTIFICATE-----', '') }}"
+ existing_saml: "{{ lookup('awx.awx.controller_api', 'settings/saml', host=awx_host, verify_ssl=false) }}"
+ new_saml: "{{ lookup('template', 'saml_settings.json.j2') }}"
+ vars:
+ # We add the extra \\ in here so that when jinja is templating out the files we end up with \n in the strings.
+ public_key_content: "{{ lookup('file', public_key_file) | regex_replace('\n', '\\\\n') }}"
+ private_key_content: "{{ lookup('file', private_key_file) | regex_replace('\n', '\\\\n') }}"
+
+ - name: Displauy existing SAML configuration
+ debug:
+ msg:
+ - "Here is your existing SAML configuration for reference:"
+ - "{{ existing_saml }}"
+
+ - pause:
+ prompt: "Continuing to run this will replace your existing saml settings (displayed above). They will all be captured except for your private key. Be sure that is backed up before continuing"
+
+ - name: Write out the existing content
+ copy:
+ dest: "../_sources/existing_saml_adapter_settings.json"
+ content: "{{ existing_saml }}"
+
+ - name: Configure AWX SAML adapter
+ awx.awx.settings:
+ settings: "{{ new_saml }}"
+ controller_host: "{{ awx_host }}"
+ validate_certs: False
+
+ - name: Get a keycloak token
+ uri:
+ url: "https://localhost:8443/auth/realms/master/protocol/openid-connect/token"
+ method: POST
+ body_format: form-urlencoded
+ body:
+ client_id: "admin-cli"
+ username: "{{ keycloak_user }}"
+ password: "{{ keycloak_pass }}"
+ grant_type: "password"
+ validate_certs: False
+ register: keycloak_response
+
+ - name: Template the AWX realm
+ template:
+ src: keycloak.awx.realm.json.j2
+ dest: "{{ keycloak_realm_template }}"
+
+ - name: Create the AWX realm
+ uri:
+ url: "https://localhost:8443/auth/admin/realms"
+ method: POST
+ body_format: json
+ body: "{{ lookup('file', keycloak_realm_template) }}"
+ validate_certs: False
+ headers:
+ Authorization: "Bearer {{ keycloak_response.json.access_token }}"
+ status_code: 201
+ register: realm_creation
+ changed_when: True
diff --git a/tools/docker-compose/ansible/roles/sources/defaults/main.yml b/tools/docker-compose/ansible/roles/sources/defaults/main.yml
index 4d23fd4e95..df035384c7 100644
--- a/tools/docker-compose/ansible/roles/sources/defaults/main.yml
+++ b/tools/docker-compose/ansible/roles/sources/defaults/main.yml
@@ -16,3 +16,5 @@ receptor_work_sign_reconfigure: false
work_sign_key_dir: '../_sources/receptor'
work_sign_private_keyfile: "{{ work_sign_key_dir }}/work_private_key.pem"
work_sign_public_keyfile: "{{ work_sign_key_dir }}/work_public_key.pem"
+
+enable_keycloak: false
diff --git a/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2 b/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2
index 3c6f71d9a5..7b233f1117 100644
--- a/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2
+++ b/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2
@@ -79,6 +79,23 @@ services:
{% set container_postfix = loop.index %}
- "awx_{{ container_postfix }}"
{% endfor %}
+{% endif %}
+{% if enable_keycloak|bool %}
+ keycloak:
+ image: quay.io/keycloak/keycloak:15.0.2
+ container_name: tools_keycloak_1
+ hostname: keycloak
+ user: "{{ ansible_user_uid }}"
+ ports:
+ - "8443:8443"
+ environment:
+ DB_VENDOR: postgres
+ DB_ADDR: postgres
+ DB_DATABASE: keycloak
+ DB_USER: {{ pg_username }}
+ DB_PASSWORD: {{ pg_password }}
+ depends_on:
+ - postgres
{% endif %}
# A useful container that simply passes through log messages to the console
# helpful for testing awx/tower logging
diff --git a/tools/docker-compose/ansible/templates/keycloak.awx.realm.json.j2 b/tools/docker-compose/ansible/templates/keycloak.awx.realm.json.j2
new file mode 100644
index 0000000000..df70b0e427
--- /dev/null
+++ b/tools/docker-compose/ansible/templates/keycloak.awx.realm.json.j2
@@ -0,0 +1,1770 @@
+{#
+ This template is an export from Keycloak.
+ See https://github.com/keycloak/keycloak-documentation/blob/main/server_admin/topics/export-import.adoc for instructions on how to run the export.
+ Once you have the export you want to variablize the public cert, private cert, and the endpoints.
+ The endpoints should be replaced with the variable {{ container_reference }}
+ Some of the keys have \n's in there and some references do not.
+ The ones with the \n can be variablized by {{ private_key }} and {{ public_key }}.
+ The public key in the setting `saml.signing.certificate` should be replaced with {{ public_key_trimmed }}
+
+ Additionally, when you run the export from Keycloak it will export everything in the realm, this is not needed for import.
+ Look at the fields in the JSON and remove any additional fields that comes from your export that you don't need.
+#}
+{
+ "id": "AWX Realm",
+ "realm": "awx",
+ "displayName": "AWX Realm",
+ "notBefore": 0,
+ "defaultSignatureAlgorithm": "RS256",
+ "revokeRefreshToken": false,
+ "refreshTokenMaxReuse": 0,
+ "accessTokenLifespan": 300,
+ "accessTokenLifespanForImplicitFlow": 900,
+ "ssoSessionIdleTimeout": 1800,
+ "ssoSessionMaxLifespan": 36000,
+ "ssoSessionIdleTimeoutRememberMe": 0,
+ "ssoSessionMaxLifespanRememberMe": 0,
+ "offlineSessionIdleTimeout": 2592000,
+ "offlineSessionMaxLifespanEnabled": false,
+ "offlineSessionMaxLifespan": 5184000,
+ "clientSessionIdleTimeout": 0,
+ "clientSessionMaxLifespan": 0,
+ "clientOfflineSessionIdleTimeout": 0,
+ "clientOfflineSessionMaxLifespan": 0,
+ "accessCodeLifespan": 60,
+ "accessCodeLifespanUserAction": 300,
+ "accessCodeLifespanLogin": 1800,
+ "actionTokenGeneratedByAdminLifespan": 43200,
+ "actionTokenGeneratedByUserLifespan": 300,
+ "oauth2DeviceCodeLifespan": 600,
+ "oauth2DevicePollingInterval": 5,
+ "enabled": true,
+ "sslRequired": "external",
+ "registrationAllowed": false,
+ "registrationEmailAsUsername": false,
+ "rememberMe": false,
+ "verifyEmail": false,
+ "loginWithEmailAllowed": true,
+ "duplicateEmailsAllowed": false,
+ "resetPasswordAllowed": false,
+ "editUsernameAllowed": false,
+ "bruteForceProtected": false,
+ "permanentLockout": false,
+ "maxFailureWaitSeconds": 900,
+ "minimumQuickLoginWaitSeconds": 60,
+ "waitIncrementSeconds": 60,
+ "quickLoginCheckMilliSeconds": 1000,
+ "maxDeltaTimeSeconds": 43200,
+ "failureFactor": 30,
+ "roles": {
+ "realm": [
+ {
+ "id": "b7f7a161-2a18-4b95-b58b-99448b2fc50e",
+ "name": "default-roles-awx realm",
+ "description": "${role_default-roles}",
+ "composite": true,
+ "composites": {
+ "realm": [
+ "offline_access"
+ ],
+ "client": {
+ "account": [
+ "view-profile",
+ "manage-account"
+ ]
+ }
+ },
+ "clientRole": false,
+ "containerId": "Tower Realm",
+ "attributes": {}
+ }
+ ],
+ "client": {
+ "{{ container_reference }}:8043": []
+ }
+ },
+ "groups": [],
+ "defaultRole": {
+ "id": "b7f7a161-2a18-4b95-b58b-99448b2fc50e",
+ "name": "default-roles-awx realm",
+ "description": "${role_default-roles}",
+ "composite": true,
+ "clientRole": false,
+ "containerId": "Tower Realm"
+ },
+ "requiredCredentials": [
+ "password"
+ ],
+ "otpPolicyType": "totp",
+ "otpPolicyAlgorithm": "HmacSHA1",
+ "otpPolicyInitialCounter": 0,
+ "otpPolicyDigits": 6,
+ "otpPolicyLookAheadWindow": 1,
+ "otpPolicyPeriod": 30,
+ "otpSupportedApplications": [
+ "FreeOTP",
+ "Google Authenticator"
+ ],
+ "webAuthnPolicyRpEntityName": "keycloak",
+ "webAuthnPolicySignatureAlgorithms": [
+ "ES256"
+ ],
+ "webAuthnPolicyRpId": "",
+ "webAuthnPolicyAttestationConveyancePreference": "not specified",
+ "webAuthnPolicyAuthenticatorAttachment": "not specified",
+ "webAuthnPolicyRequireResidentKey": "not specified",
+ "webAuthnPolicyUserVerificationRequirement": "not specified",
+ "webAuthnPolicyCreateTimeout": 0,
+ "webAuthnPolicyAvoidSameAuthenticatorRegister": false,
+ "webAuthnPolicyAcceptableAaguids": [],
+ "webAuthnPolicyPasswordlessRpEntityName": "keycloak",
+ "webAuthnPolicyPasswordlessSignatureAlgorithms": [
+ "ES256"
+ ],
+ "webAuthnPolicyPasswordlessRpId": "",
+ "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified",
+ "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified",
+ "webAuthnPolicyPasswordlessRequireResidentKey": "not specified",
+ "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified",
+ "webAuthnPolicyPasswordlessCreateTimeout": 0,
+ "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false,
+ "webAuthnPolicyPasswordlessAcceptableAaguids": [],
+ "clients": [
+ {
+ "id": "0cb841a2-0a31-4976-86fa-a765f09426da",
+ "clientId": "{{ container_reference }}:8043",
+ "name": "Ansible Tower Instance",
+ "rootUrl": "https://{{ container_reference }}:8043",
+ "baseUrl": "/",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "secret": "**********",
+ "redirectUris": [
+ "https://{{ container_reference }}:8043/sso/complete/saml/"
+ ],
+ "webOrigins": [
+ "https://192.168.0.56:8043"
+ ],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": false,
+ "serviceAccountsEnabled": false,
+ "publicClient": false,
+ "frontchannelLogout": true,
+ "protocol": "saml",
+ "attributes": {
+ "saml.force.post.binding": "true",
+ "saml.multivalued.roles": "false",
+ "oauth2.device.authorization.grant.enabled": "false",
+ "backchannel.logout.revoke.offline.tokens": "false",
+ "saml.server.signature.keyinfo.ext": "false",
+ "use.refresh.tokens": "true",
+ "saml.signing.certificate": "{{ public_key_trimmed }}",
+ "oidc.ciba.grant.enabled": "false",
+ "backchannel.logout.session.required": "false",
+ "client_credentials.use_refresh_token": "false",
+ "saml.signature.algorithm": "RSA_SHA256",
+ "require.pushed.authorization.requests": "false",
+ "saml.client.signature": "false",
+ "id.token.as.detached.signature": "false",
+ "saml.assertion.signature": "true",
+ "saml.encrypt": "false",
+ "saml_assertion_consumer_url_post": "https://{{ container_reference }}:8043/sso/complete/saml/",
+ "saml.server.signature": "true",
+ "saml_idp_initiated_sso_url_name": "{{ container_reference }}",
+ "exclude.session.state.from.auth.response": "false",
+ "saml.artifact.binding.identifier": "agnl7Dg3+QU8/5lb62pWlOcQWQw=",
+ "saml.artifact.binding": "false",
+ "saml_force_name_id_format": "false",
+ "tls.client.certificate.bound.access.tokens": "false",
+ "saml.authnstatement": "true",
+ "display.on.consent.screen": "false",
+ "saml_name_id_format": "username",
+ "saml.onetimeuse.condition": "false",
+ "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#"
+ },
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": true,
+ "nodeReRegistrationTimeout": -1,
+ "protocolMappers": [
+ {
+ "id": "88b7ee19-7175-4968-bdd2-bfc40a8d82ee",
+ "name": "Email",
+ "protocol": "saml",
+ "protocolMapper": "saml-user-property-mapper",
+ "consentRequired": false,
+ "config": {
+ "attribute.nameformat": "Basic",
+ "user.attribute": "email",
+ "friendly.name": "Email",
+ "attribute.name": "email"
+ }
+ },
+ {
+ "id": "02c06f47-6e9d-4317-b4f2-c7f4b3b42c03",
+ "name": "User_permanent_id",
+ "protocol": "saml",
+ "protocolMapper": "saml-user-property-mapper",
+ "consentRequired": false,
+ "config": {
+ "attribute.nameformat": "Basic",
+ "user.attribute": "uid",
+ "friendly.name": "name_id",
+ "attribute.name": "name_id"
+ }
+ },
+ {
+ "id": "250e837f-8e9d-4899-b67c-043f1047e798",
+ "name": "Last_name",
+ "protocol": "saml",
+ "protocolMapper": "saml-user-property-mapper",
+ "consentRequired": false,
+ "config": {
+ "attribute.nameformat": "Basic",
+ "user.attribute": "lastName",
+ "friendly.name": "Last Name",
+ "attribute.name": "last_name"
+ }
+ },
+ {
+ "id": "fd3d4150-ccaa-4ce8-b4a5-e7220279e7d7",
+ "name": "is_superuser",
+ "protocol": "saml",
+ "protocolMapper": "saml-user-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "attribute.nameformat": "Basic",
+ "user.attribute": "is_superuser",
+ "aggregate.attrs": "true",
+ "friendly.name": "Is Super User",
+ "attribute.name": "is_superuser"
+ }
+ },
+ {
+ "id": "a885cc97-c873-4ef8-8c7e-9490bf04c1e4",
+ "name": "Is_system_auditor",
+ "protocol": "saml",
+ "protocolMapper": "saml-user-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "attribute.nameformat": "Basic",
+ "user.attribute": "is_system_auditor",
+ "aggregate.attrs": "true",
+ "friendly.name": "Is System Auditor",
+ "attribute.name": "is_system_auditor"
+ }
+ },
+ {
+ "id": "5d09800d-960e-4ce5-bcc6-c5ec7da9ad07",
+ "name": "User_name",
+ "protocol": "saml",
+ "protocolMapper": "saml-user-property-mapper",
+ "consentRequired": false,
+ "config": {
+ "attribute.nameformat": "Basic",
+ "user.attribute": "username",
+ "friendly.name": "User Name",
+ "attribute.name": "username"
+ }
+ },
+ {
+ "id": "35df9db1-fd61-4ef9-ad57-23c34032525d",
+ "name": "First_name",
+ "protocol": "saml",
+ "protocolMapper": "saml-user-property-mapper",
+ "consentRequired": false,
+ "config": {
+ "attribute.nameformat": "Basic",
+ "user.attribute": "firstName",
+ "friendly.name": "First Name",
+ "attribute.name": "first_name"
+ }
+ }
+ ],
+ "defaultClientScopes": [
+ "role_list"
+ ],
+ "optionalClientScopes": []
+ }
+ ],
+ "clientScopes": [
+ {
+ "id": "aaff7bde-8fa0-411b-a49d-9b27248a74d5",
+ "name": "profile",
+ "description": "OpenID Connect built-in scope: profile",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "true",
+ "display.on.consent.screen": "true",
+ "consent.screen.text": "${profileScopeConsentText}"
+ },
+ "protocolMappers": [
+ {
+ "id": "dbf37724-d6eb-4415-875e-5f9a34534fac",
+ "name": "picture",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "picture",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "picture",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "a57dd686-e1d0-4ade-b561-b9feb64c77b0",
+ "name": "full name",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-full-name-mapper",
+ "consentRequired": false,
+ "config": {
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "userinfo.token.claim": "true"
+ }
+ },
+ {
+ "id": "85ac6cde-eec4-4d99-9e88-c2c50d2b4f38",
+ "name": "username",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-property-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "username",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "preferred_username",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "68c49e4e-2643-4c76-bf06-3149d5ee1c9e",
+ "name": "gender",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "gender",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "gender",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "d2314e27-3c36-4e8c-b080-fb17d3a3defa",
+ "name": "profile",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "profile",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "profile",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "46a791ee-d451-4b11-9ce1-b01c65749784",
+ "name": "family name",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-property-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "lastName",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "family_name",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "7260608c-5a52-4bf8-b6f4-b36549fa6da3",
+ "name": "locale",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "locale",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "locale",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "415b0de8-45e0-4032-b9dd-4bfcb08bc104",
+ "name": "website",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "website",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "website",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "2f4af5f6-236b-4e16-a326-7dd52cc9d8fd",
+ "name": "zoneinfo",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "zoneinfo",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "zoneinfo",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "a3b93777-4b78-439e-b1a8-943e0cd40f3d",
+ "name": "birthdate",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "birthdate",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "birthdate",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "f4c3dc83-d908-49ad-95fc-3a5bbc9bf9a9",
+ "name": "updated at",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "updatedAt",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "updated_at",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "e28464a6-5dfa-47da-9bd3-fb92c4db2747",
+ "name": "middle name",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "middleName",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "middle_name",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "1f552301-87a4-4246-b12a-07884debc92b",
+ "name": "given name",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-property-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "firstName",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "given_name",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "f529b01c-f268-4d29-b626-f803618a943e",
+ "name": "nickname",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "nickname",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "nickname",
+ "jsonType.label": "String"
+ }
+ }
+ ]
+ },
+ {
+ "id": "c3590df9-2323-4fab-ba94-ee2abbc164ae",
+ "name": "roles",
+ "description": "OpenID Connect scope for add user roles to the access token",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "false",
+ "display.on.consent.screen": "true",
+ "consent.screen.text": "${rolesScopeConsentText}"
+ },
+ "protocolMappers": [
+ {
+ "id": "0cd89b4e-1144-4c5b-9274-9e13fe5f5a25",
+ "name": "client roles",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-client-role-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.attribute": "foo",
+ "access.token.claim": "true",
+ "claim.name": "resource_access.${client_id}.roles",
+ "jsonType.label": "String",
+ "multivalued": "true"
+ }
+ },
+ {
+ "id": "f0cf07cf-841b-418d-90ad-59bc5cee7055",
+ "name": "audience resolve",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-audience-resolve-mapper",
+ "consentRequired": false,
+ "config": {}
+ },
+ {
+ "id": "4f57b44b-961b-4adb-871e-e69115c9c5f1",
+ "name": "realm roles",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-realm-role-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.attribute": "foo",
+ "access.token.claim": "true",
+ "claim.name": "realm_access.roles",
+ "jsonType.label": "String",
+ "multivalued": "true"
+ }
+ }
+ ]
+ },
+ {
+ "id": "3f054d84-7835-4926-bd2b-516e237959ca",
+ "name": "address",
+ "description": "OpenID Connect built-in scope: address",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "true",
+ "display.on.consent.screen": "true",
+ "consent.screen.text": "${addressScopeConsentText}"
+ },
+ "protocolMappers": [
+ {
+ "id": "ac0ccd00-7dd0-4e28-a898-f3cdcf1c14d4",
+ "name": "address",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-address-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.attribute.formatted": "formatted",
+ "user.attribute.country": "country",
+ "user.attribute.postal_code": "postal_code",
+ "userinfo.token.claim": "true",
+ "user.attribute.street": "street",
+ "id.token.claim": "true",
+ "user.attribute.region": "region",
+ "access.token.claim": "true",
+ "user.attribute.locality": "locality"
+ }
+ }
+ ]
+ },
+ {
+ "id": "8e3a5e53-50dd-4a81-9009-8f322f499e24",
+ "name": "microprofile-jwt",
+ "description": "Microprofile - JWT built-in scope",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "true",
+ "display.on.consent.screen": "false"
+ },
+ "protocolMappers": [
+ {
+ "id": "224d2538-704b-473e-b424-9db5be0b9757",
+ "name": "upn",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-property-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "username",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "upn",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "dfe95598-dc32-44e9-abe0-6d62013588ae",
+ "name": "groups",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-realm-role-mapper",
+ "consentRequired": false,
+ "config": {
+ "multivalued": "true",
+ "user.attribute": "foo",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "groups",
+ "jsonType.label": "String"
+ }
+ }
+ ]
+ },
+ {
+ "id": "44b16c02-57ad-4143-b16e-1018a2f828a4",
+ "name": "offline_access",
+ "description": "OpenID Connect built-in scope: offline_access",
+ "protocol": "openid-connect",
+ "attributes": {
+ "consent.screen.text": "${offlineAccessScopeConsentText}",
+ "display.on.consent.screen": "true"
+ }
+ },
+ {
+ "id": "e45624a3-a929-4ec5-9a06-39130c777e29",
+ "name": "email",
+ "description": "OpenID Connect built-in scope: email",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "true",
+ "display.on.consent.screen": "true",
+ "consent.screen.text": "${emailScopeConsentText}"
+ },
+ "protocolMappers": [
+ {
+ "id": "ddd0d995-e776-41f7-afbc-b01e73a7a16e",
+ "name": "email verified",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-property-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "emailVerified",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "email_verified",
+ "jsonType.label": "boolean"
+ }
+ },
+ {
+ "id": "a6da2a73-be02-4008-9de6-fab6a44896a3",
+ "name": "email",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-property-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "email",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "email",
+ "jsonType.label": "String"
+ }
+ }
+ ]
+ },
+ {
+ "id": "cc8a0b6d-5af0-439d-a00e-f872afc7082e",
+ "name": "phone",
+ "description": "OpenID Connect built-in scope: phone",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "true",
+ "display.on.consent.screen": "true",
+ "consent.screen.text": "${phoneScopeConsentText}"
+ },
+ "protocolMappers": [
+ {
+ "id": "80b1d9e3-9206-490f-a8e2-7b516821afbf",
+ "name": "phone number",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "phoneNumber",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "phone_number",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "5263588a-1efd-4367-8805-b5b3cc2dbf91",
+ "name": "phone number verified",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "phoneNumberVerified",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "phone_number_verified",
+ "jsonType.label": "boolean"
+ }
+ }
+ ]
+ },
+ {
+ "id": "5f1c26ba-4c8f-4362-95fe-1d166e7bb440",
+ "name": "role_list",
+ "description": "SAML role list",
+ "protocol": "saml",
+ "attributes": {
+ "consent.screen.text": "${samlRoleListScopeConsentText}",
+ "display.on.consent.screen": "true"
+ },
+ "protocolMappers": [
+ {
+ "id": "b6872cf0-570a-4e96-9715-5506933ec466",
+ "name": "role list",
+ "protocol": "saml",
+ "protocolMapper": "saml-role-list-mapper",
+ "consentRequired": false,
+ "config": {
+ "single": "true",
+ "attribute.nameformat": "Basic",
+ "attribute.name": "Role"
+ }
+ }
+ ]
+ },
+ {
+ "id": "fae034bf-e914-4d3c-8bb5-b327447a029b",
+ "name": "web-origins",
+ "description": "OpenID Connect scope for add allowed web origins to the access token",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "false",
+ "display.on.consent.screen": "false",
+ "consent.screen.text": ""
+ },
+ "protocolMappers": [
+ {
+ "id": "520587e1-141b-4cff-a00b-2d4f47452108",
+ "name": "allowed web origins",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-allowed-origins-mapper",
+ "consentRequired": false,
+ "config": {}
+ }
+ ]
+ }
+ ],
+ "defaultDefaultClientScopes": [
+ "role_list",
+ "profile",
+ "email",
+ "roles",
+ "web-origins"
+ ],
+ "defaultOptionalClientScopes": [
+ "offline_access",
+ "address",
+ "phone",
+ "microprofile-jwt"
+ ],
+ "browserSecurityHeaders": {
+ "contentSecurityPolicyReportOnly": "",
+ "xContentTypeOptions": "nosniff",
+ "xRobotsTag": "none",
+ "xFrameOptions": "SAMEORIGIN",
+ "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
+ "xXSSProtection": "1; mode=block",
+ "strictTransportSecurity": "max-age=31536000; includeSubDomains"
+ },
+ "smtpServer": {},
+ "eventsEnabled": false,
+ "eventsListeners": [
+ "jboss-logging"
+ ],
+ "enabledEventTypes": [],
+ "adminEventsEnabled": false,
+ "adminEventsDetailsEnabled": false,
+ "identityProviders": [],
+ "identityProviderMappers": [],
+ "components": {
+ "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [
+ {
+ "id": "5318c069-e07e-4f86-8057-38709fe791e3",
+ "name": "Allowed Protocol Mapper Types",
+ "providerId": "allowed-protocol-mappers",
+ "subType": "anonymous",
+ "subComponents": {},
+ "config": {
+ "allowed-protocol-mapper-types": [
+ "oidc-usermodel-attribute-mapper",
+ "oidc-full-name-mapper",
+ "oidc-usermodel-property-mapper",
+ "oidc-address-mapper",
+ "saml-user-property-mapper",
+ "saml-user-attribute-mapper",
+ "oidc-sha256-pairwise-sub-mapper",
+ "saml-role-list-mapper"
+ ]
+ }
+ },
+ {
+ "id": "64915844-107f-4a2c-8e2c-c94a4ccbe5ea",
+ "name": "Allowed Client Scopes",
+ "providerId": "allowed-client-templates",
+ "subType": "authenticated",
+ "subComponents": {},
+ "config": {
+ "allow-default-scopes": [
+ "true"
+ ]
+ }
+ },
+ {
+ "id": "c65cd2a0-ea62-4618-9bb2-9c8adffbb4c3",
+ "name": "Full Scope Disabled",
+ "providerId": "scope",
+ "subType": "anonymous",
+ "subComponents": {},
+ "config": {}
+ },
+ {
+ "id": "07a48654-4097-4deb-8a5e-65bb5715accc",
+ "name": "Allowed Client Scopes",
+ "providerId": "allowed-client-templates",
+ "subType": "anonymous",
+ "subComponents": {},
+ "config": {
+ "allow-default-scopes": [
+ "true"
+ ]
+ }
+ },
+ {
+ "id": "11cb4cfe-868d-41bb-8ce3-97444a67aee6",
+ "name": "Max Clients Limit",
+ "providerId": "max-clients",
+ "subType": "anonymous",
+ "subComponents": {},
+ "config": {
+ "max-clients": [
+ "200"
+ ]
+ }
+ },
+ {
+ "id": "a8de0b41-db78-405f-a83e-d0db3fe633bd",
+ "name": "Allowed Protocol Mapper Types",
+ "providerId": "allowed-protocol-mappers",
+ "subType": "authenticated",
+ "subComponents": {},
+ "config": {
+ "allowed-protocol-mapper-types": [
+ "oidc-address-mapper",
+ "saml-user-attribute-mapper",
+ "oidc-usermodel-property-mapper",
+ "oidc-full-name-mapper",
+ "oidc-usermodel-attribute-mapper",
+ "saml-user-property-mapper",
+ "saml-role-list-mapper",
+ "oidc-sha256-pairwise-sub-mapper"
+ ]
+ }
+ },
+ {
+ "id": "4f8a2036-9b58-4d7f-9156-584b5d42b761",
+ "name": "Trusted Hosts",
+ "providerId": "trusted-hosts",
+ "subType": "anonymous",
+ "subComponents": {},
+ "config": {
+ "host-sending-registration-request-must-match": [
+ "true"
+ ],
+ "client-uris-must-match": [
+ "true"
+ ]
+ }
+ },
+ {
+ "id": "518e6f3a-fc1d-4a6f-aaba-59a4f8139c7b",
+ "name": "Consent Required",
+ "providerId": "consent-required",
+ "subType": "anonymous",
+ "subComponents": {},
+ "config": {}
+ }
+ ],
+ "org.keycloak.userprofile.UserProfileProvider": [
+ {
+ "id": "08d54b9a-2070-49b2-8d10-394b878b055b",
+ "providerId": "declarative-user-profile",
+ "subComponents": {},
+ "config": {}
+ }
+ ],
+ "org.keycloak.keys.KeyProvider": [
+ {
+ "id": "53bcf245-eabe-410e-bff1-f73ae34719ef",
+ "name": "fallback-HS256",
+ "providerId": "hmac-generated",
+ "subComponents": {},
+ "config": {
+ "priority": [
+ "-100"
+ ],
+ "algorithm": [
+ "HS256"
+ ]
+ }
+ },
+ {
+ "id": "ab943836-db0d-494d-ba61-61fc134a869b",
+ "name": "rsa",
+ "providerId": "rsa",
+ "subComponents": {},
+ "config": {
+ "privateKey": [
+ "{{ private_key }}"
+ ],
+ "certificate": [
+ "{{ public_key }}"
+ ],
+ "active": [
+ "true"
+ ],
+ "priority": [
+ "0"
+ ],
+ "enabled": [
+ "true"
+ ],
+ "algorithm": [
+ "RS256"
+ ]
+ }
+ },
+ {
+ "id": "69d92e66-721d-4b99-9337-acf57dff75de",
+ "name": "rsa-enc-generated",
+ "providerId": "rsa-generated",
+ "subComponents": {},
+ "config": {
+ "keyUse": [
+ "enc"
+ ],
+ "priority": [
+ "100"
+ ]
+ }
+ },
+ {
+ "id": "8de5d01c-75f2-4f32-a6ee-cb15db06038b",
+ "name": "aes-generated",
+ "providerId": "aes-generated",
+ "subComponents": {},
+ "config": {
+ "active": [
+ "true"
+ ],
+ "secretSize": [
+ "16"
+ ],
+ "priority": [
+ "0"
+ ],
+ "enabled": [
+ "true"
+ ]
+ }
+ }
+ ]
+ },
+ "internationalizationEnabled": false,
+ "supportedLocales": [],
+ "authenticationFlows": [
+ {
+ "id": "8b9658fd-b6f3-4361-9fbf-bf89f54b1a25",
+ "alias": "Account verification options",
+ "description": "Method with which to verity the existing account",
+ "providerId": "basic-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "idp-email-verification",
+ "authenticatorFlow": false,
+ "requirement": "ALTERNATIVE",
+ "priority": 10,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticatorFlow": true,
+ "requirement": "ALTERNATIVE",
+ "priority": 20,
+ "flowAlias": "Verify Existing Account by Re-authentication",
+ "userSetupAllowed": false,
+ "autheticatorFlow": true
+ }
+ ]
+ },
+ {
+ "id": "7234371f-c10e-43a9-a300-3322710a0f75",
+ "alias": "Authentication Options",
+ "description": "Authentication options.",
+ "providerId": "basic-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "basic-auth",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "basic-auth-otp",
+ "authenticatorFlow": false,
+ "requirement": "DISABLED",
+ "priority": 20,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "auth-spnego",
+ "authenticatorFlow": false,
+ "requirement": "DISABLED",
+ "priority": 30,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ }
+ ]
+ },
+ {
+ "id": "a76fcf8d-ec4a-4d52-a94b-127cc0d7025d",
+ "alias": "Browser - Conditional OTP",
+ "description": "Flow to determine if the OTP is required for the authentication",
+ "providerId": "basic-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "conditional-user-configured",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "auth-otp-form",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ }
+ ]
+ },
+ {
+ "id": "a36d552c-8209-40c0-b289-dd57c215d275",
+ "alias": "Direct Grant - Conditional OTP",
+ "description": "Flow to determine if the OTP is required for the authentication",
+ "providerId": "basic-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "conditional-user-configured",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "direct-grant-validate-otp",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ }
+ ]
+ },
+ {
+ "id": "0508fa32-f7b3-41c6-8380-e5da0faf4c66",
+ "alias": "First broker login - Conditional OTP",
+ "description": "Flow to determine if the OTP is required for the authentication",
+ "providerId": "basic-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "conditional-user-configured",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "auth-otp-form",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ }
+ ]
+ },
+ {
+ "id": "3f17c058-b701-453a-be1b-75302ad628dc",
+ "alias": "Handle Existing Account",
+ "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider",
+ "providerId": "basic-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "idp-confirm-link",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticatorFlow": true,
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "flowAlias": "Account verification options",
+ "userSetupAllowed": false,
+ "autheticatorFlow": true
+ }
+ ]
+ },
+ {
+ "id": "7132cb2b-14ae-43db-9d39-b3b61e93f746",
+ "alias": "Reset - Conditional OTP",
+ "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.",
+ "providerId": "basic-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "conditional-user-configured",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "reset-otp",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ }
+ ]
+ },
+ {
+ "id": "cdd4c5a8-a244-4e4f-a869-dd9e74825f05",
+ "alias": "User creation or linking",
+ "description": "Flow for the existing/non-existing user alternatives",
+ "providerId": "basic-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticatorConfig": "create unique user config",
+ "authenticator": "idp-create-user-if-unique",
+ "authenticatorFlow": false,
+ "requirement": "ALTERNATIVE",
+ "priority": 10,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticatorFlow": true,
+ "requirement": "ALTERNATIVE",
+ "priority": 20,
+ "flowAlias": "Handle Existing Account",
+ "userSetupAllowed": false,
+ "autheticatorFlow": true
+ }
+ ]
+ },
+ {
+ "id": "4ae97d85-2514-44b7-9315-9974176a58a0",
+ "alias": "Verify Existing Account by Re-authentication",
+ "description": "Reauthentication of existing account",
+ "providerId": "basic-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "idp-username-password-form",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticatorFlow": true,
+ "requirement": "CONDITIONAL",
+ "priority": 20,
+ "flowAlias": "First broker login - Conditional OTP",
+ "userSetupAllowed": false,
+ "autheticatorFlow": true
+ }
+ ]
+ },
+ {
+ "id": "91d8af19-f866-4891-b20f-5dfb6297f649",
+ "alias": "browser",
+ "description": "browser based authentication",
+ "providerId": "basic-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "auth-cookie",
+ "authenticatorFlow": false,
+ "requirement": "ALTERNATIVE",
+ "priority": 10,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "auth-spnego",
+ "authenticatorFlow": false,
+ "requirement": "DISABLED",
+ "priority": 20,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "identity-provider-redirector",
+ "authenticatorFlow": false,
+ "requirement": "ALTERNATIVE",
+ "priority": 25,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticatorFlow": true,
+ "requirement": "ALTERNATIVE",
+ "priority": 30,
+ "flowAlias": "forms",
+ "userSetupAllowed": false,
+ "autheticatorFlow": true
+ }
+ ]
+ },
+ {
+ "id": "3ca79c37-9b6b-4412-8aa5-7a88c8fb7876",
+ "alias": "clients",
+ "description": "Base authentication for clients",
+ "providerId": "client-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "client-secret",
+ "authenticatorFlow": false,
+ "requirement": "ALTERNATIVE",
+ "priority": 10,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "client-jwt",
+ "authenticatorFlow": false,
+ "requirement": "ALTERNATIVE",
+ "priority": 20,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "client-secret-jwt",
+ "authenticatorFlow": false,
+ "requirement": "ALTERNATIVE",
+ "priority": 30,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "client-x509",
+ "authenticatorFlow": false,
+ "requirement": "ALTERNATIVE",
+ "priority": 40,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ }
+ ]
+ },
+ {
+ "id": "c94ac053-381d-47be-803a-fde7b02dcf7b",
+ "alias": "direct grant",
+ "description": "OpenID Connect Resource Owner Grant",
+ "providerId": "basic-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "direct-grant-validate-username",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "direct-grant-validate-password",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticatorFlow": true,
+ "requirement": "CONDITIONAL",
+ "priority": 30,
+ "flowAlias": "Direct Grant - Conditional OTP",
+ "userSetupAllowed": false,
+ "autheticatorFlow": true
+ }
+ ]
+ },
+ {
+ "id": "3bb9e96e-63f8-4d2f-bf77-5fc799f351e4",
+ "alias": "docker auth",
+ "description": "Used by Docker clients to authenticate against the IDP",
+ "providerId": "basic-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "docker-http-basic-authenticator",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ }
+ ]
+ },
+ {
+ "id": "65fcf3db-58db-43ec-a51f-2c4c91e5c709",
+ "alias": "first broker login",
+ "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
+ "providerId": "basic-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticatorConfig": "review profile config",
+ "authenticator": "idp-review-profile",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticatorFlow": true,
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "flowAlias": "User creation or linking",
+ "userSetupAllowed": false,
+ "autheticatorFlow": true
+ }
+ ]
+ },
+ {
+ "id": "ae73711a-76d9-4061-b130-455324688229",
+ "alias": "forms",
+ "description": "Username, password, otp and other auth forms.",
+ "providerId": "basic-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "auth-username-password-form",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticatorFlow": true,
+ "requirement": "CONDITIONAL",
+ "priority": 20,
+ "flowAlias": "Browser - Conditional OTP",
+ "userSetupAllowed": false,
+ "autheticatorFlow": true
+ }
+ ]
+ },
+ {
+ "id": "d4f0cf44-27f4-407c-84c9-fa8e4eb6db08",
+ "alias": "http challenge",
+ "description": "An authentication flow based on challenge-response HTTP Authentication Schemes",
+ "providerId": "basic-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "no-cookie-redirect",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticatorFlow": true,
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "flowAlias": "Authentication Options",
+ "userSetupAllowed": false,
+ "autheticatorFlow": true
+ }
+ ]
+ },
+ {
+ "id": "8f6cc60e-adf5-47a7-95e9-9b25b7fe1582",
+ "alias": "registration",
+ "description": "registration flow",
+ "providerId": "basic-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "registration-page-form",
+ "authenticatorFlow": true,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "flowAlias": "registration form",
+ "userSetupAllowed": false,
+ "autheticatorFlow": true
+ }
+ ]
+ },
+ {
+ "id": "2c70944a-54ad-44f9-8b9f-e4e16055c8c2",
+ "alias": "registration form",
+ "description": "registration form",
+ "providerId": "form-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "registration-user-creation",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "registration-profile-action",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 40,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "registration-password-action",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 50,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "registration-recaptcha-action",
+ "authenticatorFlow": false,
+ "requirement": "DISABLED",
+ "priority": 60,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ }
+ ]
+ },
+ {
+ "id": "9dfda07d-25eb-4ac8-9a48-6a9950409c87",
+ "alias": "reset credentials",
+ "description": "Reset credentials for a user if they forgot their password or something",
+ "providerId": "basic-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "reset-credentials-choose-user",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "reset-credential-email",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "reset-password",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 30,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticatorFlow": true,
+ "requirement": "CONDITIONAL",
+ "priority": 40,
+ "flowAlias": "Reset - Conditional OTP",
+ "userSetupAllowed": false,
+ "autheticatorFlow": true
+ }
+ ]
+ },
+ {
+ "id": "5b693fb5-3844-4ab4-9291-a10d3ffd8ded",
+ "alias": "saml ecp",
+ "description": "SAML ECP Profile Authentication Flow",
+ "providerId": "basic-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "http-basic-authenticator",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ }
+ ]
+ }
+ ],
+ "authenticatorConfig": [
+ {
+ "id": "b59e82d0-cf9c-46e7-88c0-73a759ab951a",
+ "alias": "create unique user config",
+ "config": {
+ "require.password.update.after.registration": "false"
+ }
+ },
+ {
+ "id": "abbe1e3d-383a-46ef-8d3b-6d221d5e45f7",
+ "alias": "review profile config",
+ "config": {
+ "update.profile.on.first.login": "missing"
+ }
+ }
+ ],
+ "requiredActions": [
+ {
+ "alias": "CONFIGURE_TOTP",
+ "name": "Configure OTP",
+ "providerId": "CONFIGURE_TOTP",
+ "enabled": true,
+ "defaultAction": false,
+ "priority": 10,
+ "config": {}
+ },
+ {
+ "alias": "terms_and_conditions",
+ "name": "Terms and Conditions",
+ "providerId": "terms_and_conditions",
+ "enabled": false,
+ "defaultAction": false,
+ "priority": 20,
+ "config": {}
+ },
+ {
+ "alias": "UPDATE_PASSWORD",
+ "name": "Update Password",
+ "providerId": "UPDATE_PASSWORD",
+ "enabled": true,
+ "defaultAction": false,
+ "priority": 30,
+ "config": {}
+ },
+ {
+ "alias": "UPDATE_PROFILE",
+ "name": "Update Profile",
+ "providerId": "UPDATE_PROFILE",
+ "enabled": true,
+ "defaultAction": false,
+ "priority": 40,
+ "config": {}
+ },
+ {
+ "alias": "VERIFY_EMAIL",
+ "name": "Verify Email",
+ "providerId": "VERIFY_EMAIL",
+ "enabled": true,
+ "defaultAction": false,
+ "priority": 50,
+ "config": {}
+ },
+ {
+ "alias": "delete_account",
+ "name": "Delete Account",
+ "providerId": "delete_account",
+ "enabled": false,
+ "defaultAction": false,
+ "priority": 60,
+ "config": {}
+ },
+ {
+ "alias": "update_user_locale",
+ "name": "Update User Locale",
+ "providerId": "update_user_locale",
+ "enabled": true,
+ "defaultAction": false,
+ "priority": 1000,
+ "config": {}
+ }
+ ],
+ "browserFlow": "browser",
+ "registrationFlow": "registration",
+ "directGrantFlow": "direct grant",
+ "resetCredentialsFlow": "reset credentials",
+ "clientAuthenticationFlow": "clients",
+ "dockerAuthenticationFlow": "docker auth",
+ "attributes": {
+ "cibaBackchannelTokenDeliveryMode": "poll",
+ "cibaExpiresIn": "120",
+ "cibaAuthRequestedUserHint": "login_hint",
+ "oauth2DeviceCodeLifespan": "600",
+ "oauth2DevicePollingInterval": "5",
+ "clientOfflineSessionMaxLifespan": "0",
+ "clientSessionIdleTimeout": "0",
+ "userProfileEnabled": "false",
+ "clientSessionMaxLifespan": "0",
+ "parRequestUriLifespan": "60",
+ "clientOfflineSessionIdleTimeout": "0",
+ "cibaInterval": "5"
+ },
+ "keycloakVersion": "15.0.2.redhat-00001",
+ "userManagedAccessAllowed": false,
+ "clientProfiles": {
+ "profiles": []
+ },
+ "clientPolicies": {
+ "policies": []
+ },
+ "users" : [ {
+ "id" : "32559338-d619-47e5-839c-cd8c70e4221e",
+ "createdTimestamp" : 1638304914519,
+ "username" : "awx_unpriv",
+ "enabled" : true,
+ "totp" : false,
+ "emailVerified" : true,
+ "firstName" : "AWX",
+ "lastName" : "Unpriv",
+ "email" : "noone@nowhere.com",
+ "credentials" : [ {
+ "id" : "724329fd-66af-4973-ac17-02b7e7b6d33b",
+ "type" : "password",
+ "createdDate" : 1639095379005,
+ "secretData" : "{\"value\":\"mV1b4nP7BC1G4pY9wlo3IWArn3a5y7w96WpivmMdQaSYENBZF/vz0dMvz8cx4mVPahH/tzScb2vZnN/GzEL0gg==\",\"salt\":\"QN6A8ckQ0o02eUl4crwgxQ==\",\"additionalParameters\":{}}",
+ "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}"
+ } ],
+ "disableableCredentialTypes" : [ ],
+ "requiredActions" : [ ],
+ "realmRoles" : [ "default-roles-awx realm" ],
+ "notBefore" : 0,
+ "groups" : [ ]
+ }, {
+ "id" : "667ec049-cdf3-45d0-a4dc-0465f7505954",
+ "createdTimestamp" : 1638394966440,
+ "username" : "awx_admin",
+ "enabled" : true,
+ "totp" : false,
+ "emailVerified" : true,
+ "firstName" : "AWX",
+ "lastName" : "Admin",
+ "email" : "no.one@nowhere.com",
+ "attributes" : {
+ "is_superuser" : [ "true" ]
+ },
+ "credentials" : [ {
+ "id" : "51bcbebe-f17e-43c1-a549-8ab13c906bff",
+ "type" : "password",
+ "createdDate" : 1639095348459,
+ "secretData" : "{\"value\":\"kIzb+2QOUGmdPPntBYrdcjQYPYUH5Hd1o9x/23aBiF4o/zhQDKhikCwc8dnXjwZu0oQ8zR6EPfRET8P79IS8Nw==\",\"salt\":\"dDs/XM3LZj4agFeD/EFDTw==\",\"additionalParameters\":{}}",
+ "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}"
+ } ],
+ "disableableCredentialTypes" : [ ],
+ "requiredActions" : [ ],
+ "realmRoles" : [ "default-roles-awx realm" ],
+ "notBefore" : 0,
+ "groups" : [ ]
+ }, {
+ "id" : "cbe48149-3bc5-49a1-a616-c8a5c8a3a88f",
+ "createdTimestamp" : 1638394708362,
+ "username" : "awx_auditor",
+ "enabled" : true,
+ "totp" : false,
+ "emailVerified" : true,
+ "firstName" : "AWX",
+ "lastName" : "Auditor",
+ "email" : "know.one@nowhere.com",
+ "attributes" : {
+ "is_system_auditor" : [ "Yup" ]
+ },
+ "credentials" : [ {
+ "id" : "f94e759e-ddcf-41b4-b088-8f00d481eae4",
+ "type" : "password",
+ "createdDate" : 1639095365091,
+ "secretData" : "{\"value\":\"lr+KxXSfE42YGDgqN/PLukyUXAwD3+RjFW/RmqrGJ+N3B/+zuAYuxGJ7tfjb7U74CAxuimGNoaZoy3Gj7ObB/w==\",\"salt\":\"6PXPj4PMJ7iA2SS5N+r08g==\",\"additionalParameters\":{}}",
+ "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}"
+ } ],
+ "disableableCredentialTypes" : [ ],
+ "requiredActions" : [ ],
+ "realmRoles" : [ "default-roles-awx realm" ],
+ "notBefore" : 0,
+ "groups" : [ ]
+ } ]
+}
diff --git a/tools/docker-compose/ansible/templates/saml_settings.json.j2 b/tools/docker-compose/ansible/templates/saml_settings.json.j2
new file mode 100644
index 0000000000..4cf9ffe399
--- /dev/null
+++ b/tools/docker-compose/ansible/templates/saml_settings.json.j2
@@ -0,0 +1,51 @@
+{
+ "SAML_AUTO_CREATE_OBJECTS": true,
+ "SOCIAL_AUTH_SAML_SP_ENTITY_ID": "{{ container_reference }}:8043",
+ "SOCIAL_AUTH_SAML_SP_PUBLIC_CERT": "{{ public_key_content | regex_replace('\\n', '') }}",
+ "SOCIAL_AUTH_SAML_SP_PRIVATE_KEY": "{{ private_key_content | regex_replace('\\n', '') }}",
+ "SOCIAL_AUTH_SAML_ORG_INFO": {
+ "en-US": {
+ "url": "https://{{ container_reference }}:8443",
+ "name": "Keycloak",
+ "displayname": "Keycloak Solutions Engineering"
+ }
+ },
+ "SOCIAL_AUTH_SAML_TECHNICAL_CONTACT": {
+ "givenName": "Me Myself",
+ "emailAddress": "noone@nowhere.com"
+ },
+ "SOCIAL_AUTH_SAML_SUPPORT_CONTACT": {
+ "givenName": "Me Myself",
+ "emailAddress": "noone@nowhere.com"
+ },
+ "SOCIAL_AUTH_SAML_ENABLED_IDPS": {
+ "Keycloak": {
+ "attr_user_permanent_id": "name_id",
+ "entity_id": "https://{{ container_reference }}:8443/auth/realms/awx",
+ "attr_groups": "groups",
+ "url": "https://{{ container_reference }}:8443/auth/realms/awx/protocol/saml",
+ "attr_first_name": "first_name",
+ "x509cert": "{{ public_key_content | regex_replace('\\n', '') }}",
+ "attr_email": "email",
+ "attr_last_name": "last_name",
+ "attr_username": "username"
+ }
+ },
+ "SOCIAL_AUTH_SAML_SECURITY_CONFIG": {
+ "requestedAuthnContext": false
+ },
+ "SOCIAL_AUTH_SAML_SP_EXTRA": null,
+ "SOCIAL_AUTH_SAML_EXTRA_DATA": null,
+ "SOCIAL_AUTH_SAML_ORGANIZATION_MAP": {
+ "Default": {
+ "users": true
+ }
+ },
+ "SOCIAL_AUTH_SAML_TEAM_MAP": null,
+ "SOCIAL_AUTH_SAML_ORGANIZATION_ATTR": {},
+ "SOCIAL_AUTH_SAML_TEAM_ATTR": {},
+ "SOCIAL_AUTH_SAML_USER_FLAGS_BY_ATTR": {
+ "is_superuser_attr": "is_superuser",
+ "is_system_auditor_attr": "is_system_auditor"
+ }
+}