i am writing this after a huge victory in my eyes. so the past few days i have been working on keycloak sso services. i finally got it to where i like it and it will be my main sso solution for zammad. i know it is a lot to maintain two sso services, but hey, that is part of the sys admin experience right? anyways, i finalized most of my configurations relating to realms, since i wanted to keep the default ‘master’ realm separate from the one i use for zammad and/or my organization.
the process was the same, and i just had to add my admin account again since it is a ‘new’ environment that i can manage. i straightened out saml sso with zammad and ensured the migration was smooth. i can now fully run zammad with sso login. i also dabbled in the knowledge base and created a few documents to explain the whole login process.
pretty much, the system admin, meaning me, will be maintaining internal user access to zammad. there is no register prompt for the sso login page. i really tried to make it work, but i suppose for the better of security, it is best to leave registration off. so if users cannot create their own account, then it leaves it up to me to figure out how to create their accounts. obviously doing it through the web gui is fine, but imagine hundreds of users.
that is where i figured out ways to automate this whole process. i first thought of the api that comes with keycloak, and i was going to spend some time learning it. i did some searching and i found that there is an ansible module for keycloak, so i read up on the documentation. while sifting through and creating a playbook, i found that there were some things that i had to trial and error to get to work.
the first thing that i found was the ‘auth_keycloak_url’ was “wrong”. technically it works, but after some searching, it seems that the ‘/auth’ prefix was legacy. so when entering this value, be sure to enter only the fqdn url, like this: ‘https://keycloak.domain.com’. the module will automatically append the token endpoint path to it:
‘/realms/realm-name/protocol/openid-connect/token’.
another thing that you may run into is certificate trust. in order to ‘trust’ the keycloak certificate on the ansible master node, you will need to run these commands (the redirect has to go through ‘sudo tee’, because a plain ‘>’ runs as your own user and cannot write into that directory):
cd /usr/local/share/ca-certificates
echo -n | openssl s_client -connect keycloak.domain.com:443 -servername keycloak.domain.com 2>/dev/null | openssl x509 | sudo tee keycloak.crt > /dev/null
sudo update-ca-certificates
keep in mind this pulls the certificate straight off the wire, so compare its sha256 fingerprint with what the keycloak host itself reports before trusting it. if the certificate was issued by your own internal ca, add that ca’s certificate instead of the leaf, so the trust survives a certificate renewal.
okay now that the url part is taken care of, ensure that you type in the username and password of the admin user you want to authenticate as. i recommend the admin user that you created in the ‘master’ realm. this makes better sense since it is where the most ‘control’ is at, so ‘auth_realm’ stays ‘master’. this would be fine if you do not have other realms created, but if you have other realms like me, then you add a ‘realm:’ under the ‘auth_realm’ that names the realm the user should be created in.
then after that you will configure the username, first name, last name, email, enabled status, and email verified status. the next section is credentials, and to make it easy, the ‘type’ password is fine and then the value is the password. if you prefer, you can run a task before this to create a random password and put it in a variable to be called here. you can also configure it to be temporary or not.
then below is the group configuration. you enter the group name and the state of the group, ‘present’ meaning that the membership should exist.
i will have this uploaded to my github ansible repo. there will be two playbooks, the generic one and an interactive one.
this took me about an hour and a half to figure out, and i am glad that i did.
i would say that this was my most ambitious project this month. after so much trial and error, i can proudly say that i have somewhat of a decent way of sso and user creation. not the best, but regardless, it works for what i need it to do.
i had to learn the keycloak_user module and the email module for this big playbook. i can condense it here and there and move the variables to a different yaml file, but i am glad that it works. it is finally posted in the ansible repo, under the keycloak folder.
i put up two keycloak playbooks. the first one is a base playbook with static values to test out how the module works. the second one is the interactive playbook, which:
finds the password yaml file
sets the variables for keycloak and email module
prompts the user to enter an email, first and last name
picks a random password from the list
authenticates to keycloak and creates the user with the password
debugs the username and password to the terminal
sends a confirmation email to the user with login details and instructions.
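as an added example (not one of the playbooks in my repo), here is a single playbook that ties the fields walked through above to the prompt, random password and mail steps of the interactive playbook. the hostnames, the zammad realm and group names, the vault variable and the smtp relay are assumptions.

```yaml
- name: create a zammad sso user in keycloak
  hosts: localhost
  gather_facts: false
  vars:
    keycloak_url: "https://keycloak.domain.com"  # fqdn only, no legacy '/auth'
    user_realm: zammad                           # assumed realm the user is created in
    keycloak_admin_password: "{{ vault_keycloak_admin_password }}"  # assumed vault variable
  vars_prompt:
    - { name: new_email, prompt: "email", private: false }
    - { name: new_first, prompt: "first name", private: false }
    - { name: new_last, prompt: "last name", private: false }
  tasks:
    # set_fact evaluates the lookup once; referencing the lookup from a plain
    # var would produce a different random password on every use
    - name: generate a random initial password
      ansible.builtin.set_fact:
        initial_password: "{{ lookup('password', '/dev/null length=20 chars=ascii_letters,digits') }}"
      no_log: true

    - name: create the user with a temporary password and group membership
      community.general.keycloak_user:
        auth_keycloak_url: "{{ keycloak_url }}"
        auth_realm: master                 # realm the admin account lives in
        auth_username: admin
        auth_password: "{{ keycloak_admin_password }}"
        realm: "{{ user_realm }}"          # realm the user is created in
        username: "{{ new_email.split('@')[0] }}"   # local part of the email
        firstName: "{{ new_first }}"
        lastName: "{{ new_last }}"
        email: "{{ new_email }}"
        enabled: true
        emailVerified: false
        credentials:
          - type: password
            value: "{{ initial_password }}"
            temporary: true                # keycloak forces a change at first login
        groups:
          - name: zammad-agents            # assumed group name
            state: present
        state: present
      no_log: true                         # keeps the password out of the terminal and logs
    - name: mail the login details to the new user
      community.general.mail:
        host: smtp.domain.com              # assumed internal relay
        secure: starttls
        to: "{{ new_email }}"
        subject: "your zammad sso account"
        body: "sign in at https://zammad.domain.com as {{ new_email.split('@')[0] }} with temporary password {{ initial_password }}; you will be asked to change it."
      no_log: true
```

the ‘no_log’ lines are the difference from debugging the password to the terminal: the value still reaches the user by mail, but never lands in the ansible output or a ci log.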