This is a ready solution for employing Keycloak with FIDO2/WebAuthn and OIDC (or SAML). Demos are included.
| relying party (RP) | 2FA | 1FA |
|---|---|---|
| Apache (mod_auth_openidc) | demo #1 | demo #2 |
| Apache (mod_shib) | demo #3 | demo #4 |
| VMware vSphere | n/a | demo #6 |
| ARG | example | description |
|---|---|---|
| KEYCLOAK_DB | postgres | RDB for Keycloak |
| KEYCLOAK_RELEASEVER | 9 | release version of RHEL for the Keycloak container |
| KEYCLOAK_VERSION | latest | Keycloak version |
kund supports multiple tenants, e.g. both demos and production use cases.
Their common configuration resides in environment variables.
| ENV | example | notes |
|---|---|---|
| APP_IDS | 1 2 3 4 6 | |
| KEYCLOAK_DB_URL | jdbc:postgres://localhost/keycloak | |
| KEYCLOAK_DB_USERNAME | keycloak | |
| KEYCLOAK_EMAIL | [email protected] | |
| KEYCLOAK_PORT | 8444 | optional; default is `8444` |
| REALM_IDS | 1 2 3 4 6 | |
| SMTP_SERVER | mail.mydomain.com | |
The following environment variables are only required to support the demos.
| ENV | example | notes |
|---|---|---|
| APACHE_EMAIL | [email protected] | |
| APACHE_LOG_LEVEL | debug | optional; default is `info` |
| KEYCLOAK_LOG_LEVEL | debug | optional; default is `info` |
| KEYCLOAK_OIDC_REMOTE_USER_CLAIM | given_name ^(.+?)(?:\s.+)?$ $1 | |
| LDAP_PORT | 3893 | |
| VSPHERE_DOMAIN | mydomain.com | only required for demo #6 |
| VSPHERE_SERVER | https://vsphere.mydomain.com | only required for demo #6 |
| secret | keys | notes |
|---|---|---|
| keycloak-admin-password | password | password for user `admin` on the Keycloak Administration Console |
| keycloak-db-password | password | |
| key | description |
|---|---|
| client_id | see ClientRepresentation.id |
| display_name | see RealmRepresentation.displayName |
| flow | see AuthenticationFlowRepresentation.alias (kundk-1fa or kundk-2fa) |
| ldap_attribute_first_name | |
| ldap_auth_type | see UserFederationProviderRepresentation.config.authType (for LDAP) |
| ldap_bind_credential | |
| ldap_bind_dn | see UserFederationProviderRepresentation.config.ldapBind (for LDAP) |
| ldap_connection_url | see UserFederationProviderRepresentation.config.connectionUrl (for LDAP) |
| ldap_rdn_ldap_attribute | |
| ldap_username_ldap_attribute | |
| ldap_users_dn | see UserFederationProviderRepresentation.config.userDn (for LDAP) |
| ldap_user_object_class | |
| ldap_uuid_ldap_attribute | see UserFederationProviderRepresentation.config.uuidLDAPAttribute |
| post_logout_redirect_uri | see ClientRepresentation.attributes."post.logout.redirect.uris" (for OIDC) |
| protocol | see ClientRepresentation.protocol |
| realm | see RealmRepresentation.realm |
| redirect_uri | see ClientRepresentation.redirectUris (for OIDC) |
| saml_assertion_consumer_url_redirect | |
| saml_single_logout_service_url_redirect | |
| vsphere_domain | AD domain |