website/docs: sources: add keycloak #19591
Codecov Report: All modified and coverable lines are covered by tests.

Coverage diff, main vs. #19591:

```
          main     #19591   +/-
Coverage  93.31%   93.27%   -0.04%
Files     949      949
Lines     52067    52131    +64
Hits      48585    48625    +40
Misses    3482     3506     +24
```
| Because Keycloak is itself an identity platform, it can be integrated with authentik in two ways: | ||
| - **Use authentik to log into Keycloak**: Configure authentik as an identity provider for Keycloak (authentik is the source, Keycloak is the application). |
We usually reserve integration guides for this use case, so the other might be a little interesting. Maybe there could be a dedicated doc section?
Yeah I think that the keycloak source doc should be here with the others: https://docs.goauthentik.io/users-sources/sources/social-logins/
Ahh I was completely oblivious to this. Let me fix this PR
Completely forgot about the user source docs lol
Same :x. As a thought, it may make sense to have these in a section in the integration guides instead of the regular docs. That organization makes more sense to me.
Also, I updated the PR
authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your docker-compose environment:

```
AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-29b0b836267b15e877f31c6a112720f220d230de
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
```

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your Helm values:

```
authentik:
  outposts:
    container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
  image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-29b0b836267b15e877f31c6a112720f220d230de
```

Afterwards, run the upgrade commands from the latest release notes.
9c64c22 to cb97290
| ``` | ||
| -----BEGIN CERTIFICATE----- | ||
| <Copied Keycloak Public Key Certificate Content> |
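Review bot: the placeholder `<Copied Keycloak Public Key Certificate Content>` gives no hint that Keycloak's export lacks the PEM header and footer (as the thread below notes), so a reader may paste the raw base64 and drop the wrapping lines; add a sentence before this block saying the copied key material goes on its own line between `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`.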
so keycloak's exported cert comes without the header and footer. interesting
yeah idk why they do that
website/docs/users-sources/sources/social-logins/keycloak/index.md (two outdated comment threads, resolved)
| 2. Navigate to **Clients** and click **Create client**. | ||
| 3. Configure the client with the following settings: | ||
| - Set **Client type** to `SAML`. | ||
| - Set **Client ID** to `https://authentik.company/source/saml/keycloak/metadata/`. |
Let's use a placeholder for the Keycloak slug here and throughout the doc.
| 2. Configure the following settings: | ||
| - Enable **Sign documents**. | ||
| - Enable **Sign assertions**. | ||
| - Enable **Encrypt assertions** (optional, for encrypted SAML). |
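Review bot: the third bullet is phrased as an imperative ("Enable") but then marked optional, which sits awkwardly with the later step "If encryption is enabled, click **Import** under the encryption key"; either make encryption a required setting so both places read the same, or reword this bullet as "Optionally enable **Encrypt assertions** ..." and keep the conditional in the import step.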
feels weird to say "Enable", then say "optional"
| ### Upload the authentik certificate to Keycloak | ||
| 1. In the client settings, navigate to the **Keys** tab. |
can we remind how to navigate to the client settings tab
yeah I put an update in for that
| 1. In the client settings, navigate to the **Keys** tab. | ||
| 2. Configure the following settings: | ||
| - Enable **Client signature required** if you want Keycloak to verify signatures from authentik. |
why sign the responses if you don't want keycloak to verify the signature
| 1. In the client settings, navigate to the **Keys** tab. | ||
| 2. Configure the following settings: | ||
| - Enable **Client signature required** if you want Keycloak to verify signatures from authentik. | ||
| - Click **Import** and upload the authentik certificate you exported earlier. This allows Keycloak to verify signatures on requests from authentik. |
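Review bot: the two bullets disagree on whether request verification is optional: the first enables **Client signature required** only "if you want Keycloak to verify signatures", while the second imports the authentik certificate precisely so that Keycloak can verify signatures on requests from authentik. If the option is left off, the imported certificate is never consulted. Make the first bullet unconditional (or make the import conditional on it) so the two read consistently.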
do they limit the upload to a specific file extension or something? if so, would be essential to tell the user to save it with the .pem extension or whatever
nah it lets you select any file extension
| 2. Configure the following settings: | ||
| - Enable **Client signature required** if you want Keycloak to verify signatures from authentik. | ||
| - Click **Import** and upload the authentik certificate you exported earlier. This allows Keycloak to verify signatures on requests from authentik. | ||
| - If encryption is enabled, click **Import** under the encryption key and upload the authentik certificate. |
Can we remind the user in parentheses how to determine whether encryption is enabled?
Fixed the wording. The key import and encryption are enabled/uploaded in the same spot, and I've changed the wording to make all encryption and signature verification required/implied, so this is good now.
| 1. Navigate to **Directory** > **Federation and Social login** and click **Create**. | ||
| 2. Select **SAML Source** and configure the following settings: | ||
| - Set **Name** to `Keycloak`. |
We should give some liberty for this and the next line. Set a name, for example Keycloak or similar.
It's kind of implied that they can name it whatever, especially after I added your reminder that I should specify the slug. I'd kind of rather lean the user towards naming it Keycloak as well, because it makes sense and matches what we would assume the default slug would be.
| - Set **SLO URL** to `https://keycloak.company/realms/<realm-name>/protocol/saml`. | ||
| - Set **Issuer** to `https://authentik.company/source/saml/keycloak/metadata/`. | ||
| - Set **Service Provider Binding** to `Post (Auto-Submit)`. | ||
| - Set **Signing Keypair** to an authentik certificate (e.g., the default self-signed certificate). |
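Review bot: the **Issuer** value `https://authentik.company/source/saml/keycloak/metadata/` has to be identical, trailing slash included, to the **Client ID** configured on the Keycloak client earlier in the guide, because Keycloak resolves the client from the Issuer of the incoming SAML request; say so next to this bullet, and use the same slug placeholder in both places so a reader who renames the source changes both.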
last time you mentioned the default you put its full name. should match for consistency
…x.md Co-authored-by: Dominic R <dominic@sdko.org> Signed-off-by: Connor Peshek <connor@connorpeshek.me>
…x.md Co-authored-by: Dominic R <dominic@sdko.org> Signed-off-by: Connor Peshek <connor@connorpeshek.me>
| - `authentik.company` is the FQDN of the authentik installation. | ||
| - `keycloak.company` is the FQDN of the Keycloak installation. | ||
| - `keycloak-slug` is the slug you will assign to the SAML source in authentik (e.g., `keycloak`). |
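Review bot: `keycloak-slug` is defined as a placeholder here, but the URLs earlier in the guide hard-code `keycloak` (`/source/saml/keycloak/metadata/` in both the Keycloak **Client ID** and the authentik **Issuer**); either write those as `/source/saml/<keycloak-slug>/metadata/` or drop this definition, and wrap the placeholder in angle brackets like `<application-slug>` in the integration guides, as the thread suggests.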
usually we just do <application-slug> (like in integration guides), but i'm fine w this
as in without putting it in placeholders as well
Thank you @dominic-r!
Anytime!
Details

Adds Keycloak federated source steps.

Checklist

- `ak test authentik/`
- `make lint-fix`
- If an API change has been made: `make gen-build`
- If changes to the frontend have been made: `make web`
- If applicable: `make docs`