Hitachi Vantara Pentaho Community Forums

Thread: Keycloak SSO Integration

  1. #1
    Join Date: Jan 2016 | Posts: 6

    Keycloak SSO Integration

    Hi to all,
    I'm pretty new with Pentaho.
    This is my use case:
    I use SSO JBoss Keycloak as my single sign-on server. I have already developed a few applications which already use it; now it is time to wrap Pentaho BI inside the SSO mechanism.

    I have read that Pentaho authentication is based on Spring Security, and luckily Keycloak offers a Spring Security Adapter with which I can secure a Spring-secured application with Keycloak authentication.
    Can someone help me by listing some steps I have to do in order to develop a Keycloak authentication provider to be integrated inside the Pentaho authentication process?
    I mean that:
    - when I try to log in to the Pentaho web application, I will be redirected to the Keycloak SSO login form.
    - when I try to access Pentaho web applications, being already authenticated by other applications, I can do it without any credential request.

    Going into more detail, I have successfully tried to develop a Spring-secured application using Keycloak SSO.
    It could simply be done by modifying the security-context.xml as in the following listing:

    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:context="http://www.springframework.org/schema/context"
           xmlns:security="http://www.springframework.org/schema/security"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="
             http://www.springframework.org/schema/beans
             http://www.springframework.org/schem...ring-beans.xsd
             http://www.springframework.org/schema/context
             http://www.springframework.org/schem...ng-context.xsd
             http://www.springframework.org/schema/security
             http://www.springframework.org/schema/security/spring-security.xsd">

      <!-- Pick up the annotated classes in the Keycloak Spring Security adapter package -->
      <context:component-scan base-package="org.keycloak.adapters.springsecurity" />

      <!-- Authentication is delegated to the Keycloak provider -->
      <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="keycloakAuthenticationProvider" />
      </security:authentication-manager>

      <!-- Adapter settings (realm, server URL, client) are read from keycloak.json -->
      <bean id="adapterDeploymentContextBean" class="org.keycloak.adapters.springsecurity.AdapterDeploymentContextBean">
        <constructor-arg value="/WEB-INF/keycloak.json" />
      </bean>
      <bean id="keycloakAuthenticationEntryPoint" class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint" />
      <bean id="keycloakAuthenticationProvider" class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider" />
      <bean id="keycloakPreAuthActionsFilter" class="org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter" />
      <bean id="keycloakAuthenticationProcessingFilter" class="org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter">
        <constructor-arg name="authenticationManager" ref="authenticationManager" />
      </bean>

      <bean id="keycloakLogoutHandler" class="org.keycloak.adapters.springsecurity.authentication.KeycloakLogoutHandler">
        <constructor-arg ref="adapterDeploymentContextBean" />
      </bean>

      <!-- GET /sso/logout**: run the Keycloak logout handler, then clear the local security context -->
      <bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
        <constructor-arg name="logoutSuccessUrl" value="/" />
        <constructor-arg name="handlers">
          <list>
            <ref bean="keycloakLogoutHandler" />
            <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
          </list>
        </constructor-arg>
        <property name="logoutRequestMatcher">
          <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
            <constructor-arg name="pattern" value="/sso/logout**" />
            <constructor-arg name="httpMethod" value="GET" />
          </bean>
        </property>
      </bean>

      <!-- Filter chain: unauthenticated requests are sent to the Keycloak entry point -->
      <security:http auto-config="false" entry-point-ref="keycloakAuthenticationEntryPoint" use-expressions="true">
        <security:custom-filter ref="keycloakPreAuthActionsFilter" before="LOGOUT_FILTER" />
        <security:custom-filter ref="keycloakAuthenticationProcessingFilter" before="FORM_LOGIN_FILTER" />
        <security:intercept-url pattern="/admin/*" access="hasRole('MYROLE')" />
        <security:custom-filter ref="logoutFilter" position="LOGOUT_FILTER" />
      </security:http>
    </beans>


    So I'm wondering if this mechanism could be easily imported into Pentaho's application-security-context.xml.

    Thanks a lot
    Last edited by aliosha; 01-07-2016 at 03:18 AM.
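
For reference, an added example (not part of the original post) of the adapter file that the `adapterDeploymentContextBean` in the listing above loads from `/WEB-INF/keycloak.json`. The realm, server URL, client id and secret are placeholders chosen for illustration; the keys are standard Keycloak adapter settings, with `ssl-required` set to `all` so that every exchange with the Keycloak server must use HTTPS.

```json
{
  "realm": "example-realm",
  "auth-server-url": "https://sso.example.com/auth",
  "ssl-required": "all",
  "resource": "pentaho-client",
  "credentials": {
    "secret": "REPLACE_WITH_CLIENT_SECRET"
  },
  "use-resource-role-mappings": false
}
```

With `use-resource-role-mappings` left at `false`, the adapter takes the user's realm-level roles from the token, so the role checked by the `intercept-url` rule has to exist at realm level. The file holds the client secret and should be readable only by the application server account.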

  2. #2
    Join Date: Jan 2016 | Posts: 6

    No help for this question?
    Is it possible to write my custom security spring provider and to use it for log in?
    Last edited by aliosha; 01-18-2016 at 05:26 AM.

  3. #3
    Join Date: Apr 2008 | Posts: 4,686

    Quote: Originally posted by aliosha
    is it possible to write my custom security spring provider and to use it for log in?
    I'm sure it is, as someone wrote a security provider to connect to CAS.
    I'm not sure if anyone here has done it themselves, which would be why you're getting no response.

    If someone here has written a custom security provider for spring, they may have done it for money, and are selling that expertise to their clients... why would they give that expertise to you for free? Just because the software itself is free (with some conditions), doesn't mean that the expertise in configuring it is free also.

  4. #4
    Join Date: Jan 2016 | Posts: 6

    Quote: Originally posted by gutlez
    I'm sure it is, as someone wrote a security provider to connect to CAS.
    I'm not sure if anyone here has done it themselves, which would be why you're getting no response.

    If someone here has written a custom security provider for spring, they may have done it for money, and are selling that expertise to their clients... why would they give that expertise to you for free? Just because the software itself is free (with some conditions), doesn't mean that the expertise in configuring it is free also.
    Strange answer.
    I thought I was on the Pentaho Community forum... just asking for suggestions and some guidelines, not for implemented solutions... but thanks all the same.
    Regards.

  5. #5
    Join Date: Apr 2008 | Posts: 4,686

    Quote: Originally posted by aliosha
    Strange answer.
    I thought I was on the Pentaho Community forum... just asking for suggestions and some guidelines, not for implemented solutions...
    You're right, it is a strange answer.

    But your question is also somewhat strange.
    You're stating up front that you're a beginner to the overall platform, and then asking for advice on a highly advanced task.

    You haven't mentioned any of the resources that you have investigated to determine how to do what you're asking to do.
