This project is a Dockerized Keycloak instance pre-configured with various Identity Providers (IdPs).
If you've been tasked with standing up a Keycloak instance -- or maybe just confused about how to protect a web service using Keycloak -- this might be a good starting place for you. Several protocols are already defined with the following:
Protocol | Implementation | Source |
---|---|---|
SAML 2.0 | SimpleSAML | Kristoph Junge |
LDAP | OpenLDAP | Osixia's Dockerfile |
OAuth | GitHub | |
This configuration is intended to run on an Ubuntu 16.04+ OS, but later versions should work as well. Docker for Windows and Mac have not been tested.
Note: This project was created for educational purposes. Always use caution when pulling code from the internet, especially anything to be used in your security stack.
This project will create Docker containers for the following services:
- Keycloak (version 4.5.0.Final)
- OpenLDAP
- A web-accessible PHP admin for the OpenLDAP instance
- SimpleSAML
- Postgres
- A simple NodeJS service protected by Keycloak
As this project is centered around Docker, there's very little setup required on the host machine.
```
git clone https://github.com/vbhayden/keycloak-federation-examples
cd keycloak-federation-examples
sudo ./install-reqs.sh
sudo ./rebuild.sh
```
Browse to `localhost:3000` to check that everything worked. Log in with `user:password` and you should see a screen with your Keycloak user information.
Once you clone the repository, move to its root folder. Here, you'll install all the necessary prerequisites and then run the actual build itself.
Once the containers have finished building, the Keycloak service will need some time to start. If Keycloak doesn't seem to come up and `localhost:8081` isn't accessible, then you can check its container logs with
```
sudo docker logs -f docker_keycloak
```
The above steps and the original training materials assume that everything will run on an Ubuntu 16.04+ virtual machine, with `localhost` being used for all addresses. You can change this address in the `.env` file. By default, this file's contents are:
```
# Note that "localhost" will only work in the expected way (navigating to something being served from
# the host machine) if the container is using the "host" network type.
#
KEYCLOAK_URL=localhost
```
Note that changing this may cause a mismatch between the federated redirect URIs and your Keycloak instance. To rectify this, you'll need to update the expected redirect URIs for whichever federation source you're using. In the GitHub OAuth case, for example, you might need to create your own GitHub App that allows a specific domain, as the one established for this project will expect `localhost`.