OIDC with Keycloak filter by groups/roles

bmx · September 8, 2023, 9:40am

Hi,

We have a setup with Open OnDemand using Keycloak OIDC and we would like to filter access to OnDemand by LDAP groups/roles.

We have our LDAP Keycloak integration and our OnDemand client configured. We also configured OnDemand with the “groups” scope as documented here.

oidc_scope: "openid profile email groups"

,although in our implementation is “roles”.

With this setup we cannot filter group access, so if the user belongs to the LDAP group configured in Keycloak (which in our case is a general LDAP group that includes all users) you can login but then since we do SSSD authentication when the server tries to run the PUN process for the user it fails as expected.

Is there a way to configure OnDemand to filter by group/role membership?

Regards,
B

bmx · September 8, 2023, 11:13am

Managed to make this work by changing the /etc/apache2/sites-enabled/ood-portal.conf configuration with the following.

    AuthType openid-connect
    <RequireAll>
        Require valid-user
        Require claim groups:<SOME-LDAP-GROUP>
    </RequireAll>
    LogLevel debug

Applied the change to the following:

<Location "/oidc">
<Location "/nginx">
<Location "/pun">
<LocationMatch "^/rnode/<SOME-REGEX>">
<LocationMatch "^/node/<SOME-REGEX>">

This seems to work, users not part of the <SOME-LDAP-GROUP> cannot login, which matches our SSSD configuration on the node itself.

That said, I’m not sure if this is the right way of doing it. Will try to implement these settings using the Ansible role, feedback welcome!

Cheers,
B

jeff.ohrstrom · September 8, 2023, 1:37pm

Editing the conf file by hand is could throw things off. Since you edited it by hand, outside of update_ood_portal - that program (update_ood_portal) won’t replace it any more. you’ll have to use --force options or similar.

You should be able to add Require claim groups:<SOME-LDAP-GROUP> to the auth section of ood_portal.yml.

auth:
   - 'Require claim groups:<SOME-LDAP-GROUP>'

I say should because we may supply that by default for OIDC users.

If we don’t/can’t then we will need to add the capability to add extra auth lines like this.

bmx · September 11, 2023, 12:09pm

Hi Jeff,

Thank you for your feedback, it worked!

system · March 9, 2024, 12:10pm

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Ondemand with dedicated keycloak server Get Help	3	806	May 26, 2022
Keycloak and ondemand host short-name Get Help	7	432	November 9, 2022
OIDC redirect failing Get Help question	14	5103	May 26, 2022
Ondemand + keycloak + RHEL8 issues Get Help question	4	346	January 30, 2023
OnDemand-Keycloak-IDM authentication Get Help	4	1228	May 26, 2022

OIDC with Keycloak filter by groups/roles

Related topics