How to use existing users of XWiki as application behind Keycloak SSO/Web-SSO Link and map the users/groups from XWiki with keycloak (OpenID Connect or SAML 2.0)

xdocu · April 26, 2021, 12:58pm

Hi everybody,

I’ve tried to connect XWiki with Keycloak Web-SSO as application.

Can someone explain me how I can access existing users/user rights as IdP in the application “XWiki” after successful login/authentication in Keycloak and how the mapping between the Keycloak user and the users of the application works/is done?

Has anyone here been able to successfully connect XWiki using OpenID Connect or as alternative also SAML 2.0?

Would be grateful for experiences/tips or tricks

Maybe someone here can help me

Many thanks for your help

tmortagne · April 27, 2021, 3:21pm

If you edit a user created by the OpenID Connect authenticator with the object editor you will notice it contain a XWiki.OIDC.UserClass object with the “issuer” and the “subject”. That’s currently what this authenticator uses to identify a user profile. So one way to reuse the existing profile is to create this kind of objects and set the right issue and subject in them.

xdocu · April 28, 2021, 9:17am

@tmortagne many thanks for your reply, I’ll try that in my running configuration of keyclaok and xwiki.

Otherwise I’ld contact once again

Is there any experience using the XWiki extension “OpenID Connect Authenticator” using the OpenID Connect protocol with Keycloak or other SSO/IAM systems?

Does XWiki also support SAML or other alternative protocols?

tmortagne · April 28, 2021, 11:42am

You have several examples on https://extensions.xwiki.org/xwiki/bin/view/Extension/OpenID%20Connect/OpenID%20Connect%20Authenticator/#HConfigurationGuidesforspecificsystems

There is Authenticator Jasig CAS (XWiki.org) it seems, but I don’t have any experience with it.

Cracky5457 · April 28, 2021, 4:10pm

Hello.

I can help you with that since we are deeply integrating keycloak with our wiki.

You can use GitHub - tdudgeon/xwiki_authenticator_keycloak: Keycloak authenticator for XWiki as base for your project

It’s 5 year old but changing xwiki version and following instructions it will works.

You must download the Keycloak adapters and follow their instructions

https://www.keycloak.org/docs/latest/securing_apps/#_tomcat_adapter

You can found the adapters here https://github.com/keycloak/keycloak/releases/download/12.0.4/keycloak-oidc-tomcat-adapter-12.0.4.tar.gz all theses jar should be put in the libs forlder of your tomcat

You will have as explain in their documentation to change context.xml of your tomcat with

<?xml version="1.0" encoding="UTF-8"?>
<Context>
    <Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
  <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
</Context>

Also in your WEB-INF folder you will need keycloak.json with your configuration

{
  "realm": "yourKeycloakRealm",
  "auth-server-url": "yourKeycloakDomain/auth",
  "ssl-required": "external",
  "resource": "yourClientId",
  "credentials": {
    "secret": "yourClientSecret"
  },
  "use-resource-role-mappings": false,
  "confidential-port": 0
}

Also at the end of your web.xml you will need something like

  <security-constraint>
      <web-resource-collection>
          <web-resource-name>xwiki</web-resource-name>
          <url-pattern>/bin/login/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
          <role-name>your_role</role-name>
      </auth-constraint>
  </security-constraint>

  <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>ignored</realm-name>
  </login-config>

  <security-role>
      <role-name>your_role</role-name>
  </security-role>

your_role is a realm role that your user in keycloak must have to login through the keycloak adapter

also xwiki.cfg will need
xwiki.authentication.authclass=com.xwiki.authentication.keycloak.XWikiKeycloakAuthenticator

Then you probably have to change a bit the extension of their github to fit your needs

github.com

tdudgeon/xwiki_authenticator_keycloak/blob/master/src/main/java/com/xwiki/authentication/keycloak/XWikiKeycloakAuthenticator.java

/*
 * This is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as
 * published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This software is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this software; if not, write to the Free
 * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
 * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
 */

package com.xwiki.authentication.keycloak;

import com.xpn.xwiki.XWiki;

This file has been truncated. show original

You should probably fork it as well, upgrade pom to your xwiki version fix java issues due to the upgrade to last version of xwiki and then recompile it to be installed in your wiki.

It’s not really an easy works especially rebuild and deploy your own version of the extension but I hope this information will save you a few days of additional work.

xdocu · April 28, 2021, 9:27pm

@tmortagne thanks for your quick reply to my questions

xdocu · April 28, 2021, 9:28pm

@Cracky5457 many thanks for you for your detailed answer

I’ll use this for the XWiki connection to keycloak and try to do the mapping between the users like this