New installation on Rocky Linux 9.6 using keycloak for auth

I am standing up OOD to talk to our on-prem HPC. I would like to get everything running on one host.

OS: RockyLinux 9.6

I am looking to use keycloak 26.3.2 for auth.

I have installed the OOD RPM and it's responding on http. I have installed "Keycloak", set up a new "Realm", and also set up the "User federation".
These directions talk about adding an OIDC Client Template, but I don't see where to do that.

I did add OnDemand as a client, so that part is done. I don't know how to move forward. Please help.

I just completed an install using those same versions. Try the latest version of the docs and it should work. Feel free to reach out with more questions.

Hi and welcome @alfredkwentua!

Thank you @maflister! I may not have noticed the link to the documentation is very old. Not sure why/how you got release docs for 1.4, but yeah, latest is your best bet.

Looking at and following the latest documentation now.

Matthew, I am glad to know you have the same setup and got it working.

I would follow the documentation and would gladly reach out if and when stuck.

Actually, first question is on the "Authentication" section:

Do I have to complete the "OpenID Connect" step, or should I just jump to "OpenID Connect with KeyCloak on RHEL7" and just do this part when getting authentication working?

Also did you use the same host for OOD and KeyCloak?

@maflister

You should use the "OpenID Connect with KeyCloak on RHEL7" guide for this purpose. Not sure why the OpenID Connect page still exists, as it's probably redundant now.

We deploy KeyCloak on its own VM since we have several OOD instances and other applications authenticating to the same instance. But our first deployment many years ago had KC and OOD on the same host. If this is the only app that uses KC it is a good solution. Only difference is the hostname and port in the different config files.

Thanks for the feedback. This is the only application that will use KC for us. Going to try the guide now.

@maflister

I completed everything on this page and restarted httpd, and I'm still getting the default page. Is this normal?

3. Configure OnDemand to authenticate with Keycloak — Open OnDemand 4.0.0 documentation

Also, this page seems out of date, as I am using the latest Keycloak version, 26.3.2. Can I skip this step?
4. Add Custom Theme — Open OnDemand 4.0.0 documentation

Did you complete this step as well?

5. Configure Keycloak with CILogon — Open OnDemand 4.0.0 documentation

You can skip the CILogon page unless that is your type of authentication. We use LDAP. You can skip the theme step until everything is working.

I’m not sure what “default page” means. Send a screenshot if possible. If you’re not being prompted for authentication, there is probably a missed step like firewall ports not open, ood-portal-generator not run after change, etc. I am happy to look at config files if you’d like to share those but probably best to confirm if you’re even prompted for authentication.

Not even prompted to authenticate.

This is the default screen I am talking about.

I tried to get it talking over https, but this is not working. Here is the content of my "/etc/ood/config/ood_portal.yml":

--End of FILE--
servername: ausondprd.corp.signaturescience.com
ssl:
  - 'SSLCertificateFile "/etc/pki/tls/certs/ausondprd.corp.signaturescience.com.crt"'
  - 'SSLCertificateKeyFile "/etc/pki/tls/private/ausondprd.corp.signaturescience.com.key"'
  - 'SSLCertificateChainFile "/etc/pki/tls/certs/ausondprd.corp.signaturescience.com.crt"'

But still no https after rebooting Apache.

@alfredkwentua your issue is not with https, but with authentication. You need to supply the auth section of the ood_portal.yml file to move forward.

Following the directions, this is what I have in my "ood_portal.yml":

auth:
  - 'AuthType openid-connect'
  - 'Require valid-user'

logout_uri: '/oidc'
logout_redirect: '/oidc?logout=https%3A%2F%2Fausondprd.corp.signaturescience.com'

Here is my "auth_openidc.conf":

OIDCProviderMetadataURL http://ausondprd.corp.signaturescience.com:8080/realms/ondemand/.well-known/openid-configuration
OIDCClientID "ausondprd.corp.signaturescience.com"
OIDCClientSecret "1111111-1111-1111-1111-111111111111"
OIDCRedirectURI http://ausondprd.corp.signaturescience.com
OIDCCryptoPassphrase "4444444444444444444444444444444444444444"

OIDCSessionInactivityTimeout 28800
OIDCSessionMaxDuration 28800

OIDCRemoteUserClaim preferred_username

OIDCPassClaimsAs environment

OIDCStripCookies mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1

NOTE: the Secret and CryptoPass are changed, following the directions from the install guide.

@jeff.ohrstrom my Keycloak is at ausondprd.corp.signaturescience.com:8080

and my OOD is on ausondprd.corp.signaturescience.com.
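A small lint for the mod_auth_openidc directives in the auth_openidc.conf posted above, added here as an example (it is not code from the thread or from the Open OnDemand project). It assumes only the directive names shown in the post; the hostnames and secrets in its sample input are constructed placeholders.

```python
# Added example, not from the thread or the Open OnDemand project: a small lint
# for the mod_auth_openidc directives in auth_openidc.conf. It reports the defects
# visible in the posted file (OIDC URLs on plain http, a value whose closing quote
# is missing, a redirect URI with no dedicated path) and missing required directives.
from urllib.parse import urlsplit

REQUIRED = ("OIDCProviderMetadataURL", "OIDCClientID", "OIDCClientSecret",
            "OIDCRedirectURI", "OIDCCryptoPassphrase")


def parse_directives(text):
    """Map each directive name to its raw value; comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            conf[name] = value.strip()
    return conf


def lint(text):
    """Return (directive, problem) pairs; an empty list means nothing was flagged."""
    conf = parse_directives(text)
    findings = [(name, "missing") for name in REQUIRED if name not in conf]
    for name, value in conf.items():
        if value.count('"') % 2 == 1:  # odd quote count: the value was never closed
            findings.append((name, "unbalanced double quote"))
        if name in ("OIDCProviderMetadataURL", "OIDCRedirectURI"):
            url = urlsplit(value.strip('"'))
            if url.scheme != "https":  # metadata, code exchange and redirect in clear
                findings.append((name, "not https"))
            if name == "OIDCRedirectURI" and url.path in ("", "/"):
                # Should be a dedicated path served only by mod_auth_openidc;
                # the OOD docs use /oidc, matching logout_uri in ood_portal.yml.
                findings.append((name, "no dedicated path"))
    return findings


# Constructed sample with the shape of the posted file (hostnames and secrets changed).
POSTED_LIKE = """\
OIDCProviderMetadataURL http://ood.example.org:8080/realms/ondemand/.well-known/openid-configuration
OIDCClientID "ood.example.org
OIDCClientSecret "1111111-1111-1111-1111-111111111111"
OIDCRedirectURI http://ood.example.org
OIDCCryptoPassphrase "4444444444444444444444444444444444444444"
"""

if __name__ == "__main__":
    for directive, problem in lint(POSTED_LIKE):
        print(f"{directive}: {problem}")
```

Run it against your own file with `lint(open("/etc/httpd/conf.d/auth_openidc.conf").read())` and re-run ood-portal-generator plus an httpd restart after each fix.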

OK - so when you bounce httpd are there errors or similar in the unit file’s output?

Your configuration appears to be OK - so now we need to track down why it’s not generating the correct .conf file.

What you’ve given is not formatted here on this page, but I’d ask that you make sure it is formatted correctly in the YAML file itself.

The format of the YAML file might be my issue. Here is an image:

At a glance it looks OK. Are there errors in the systemd/journalctl output when you bounce httpd? Also I just want to check the ood-portal.conf and see what it looks like.

There are no errors; it looks fine.

Also, the file on my system, unlike the directions, is located at /etc/httpd/conf.d/od-portal.conf

/etc/httpd/conf.d/auth_openidc.conf

:man_facepalming: Actually now I’m thinking that page may be cached on your browser. Can you try in a different browser and/or private mode?

That said - I would still like to confirm the content of ood-portal.conf to be sure that it has the correct vhost in it and not the conf file that points to this public page.

You are correct. It was cached. I now have to fix my Keycloak as I can't log in.