OnDemand-Keycloak-IDM authentication

kmilberg · October 24, 2018, 10:15pm

I’ve been following the directions at https://osc.github.io/ood-documentation/master/authentication/tutorial-oidc-keycloak-rhel7.html and have an OnDemand server and Keycloak server with Keycloak configured with a User Federation LDAP provider that is our IDM system. I’ve confirmed data transfer between the OnDemand and Keycloak servers and between the Keycloak and IDM servers, but authentication (on OnDemand server with IDM identity) isn’t working. (Keycloak correctly retrieves names, email, etc. from IDM.) The error I’m seeing (invalid_user_credentials) seems to mean invalid password because for a username that doesn’t exist, a different error is obtained.

Differences that I have from tutorial:

Tutorial is for keycloak-3.1.0 and I’m using keycloak-4.2.1.
As a consequence, the Keycloak admin interface is a little different and all settings from steps 2.3 and 2.4 were set for the client as there’s no longer a separate entity of ‘client template’.
I only completed steps 1-3, not 4 (add custom theme).
(All servers are RHEL 7.5. OnDemand is version 1.3.7.)

Are there any tests I can do to isolate this issue? Is there any specialized config needed for IDM that is different from other identity providers? Might using a newer version of keycloak be better?

tdockendorf · October 26, 2018, 6:12pm

You can try authenticating with just mod_auth_openidc if that’s how you configured OnDemand to use Keycloak. We have something like this at /opt/rh/httpd24/root/etc/httpd/conf.d/test.conf:

Alias /secure /var/www/html/secure
<Location /secure>
  AuthType openid-connect
  Require valid-user
</Location>

I then have this at /var/www/html/secure/index.php

<html>
<head><title>OIDC Variables</title></head>
<body>
<table>
<?php
ksort($_SERVER);
foreach ($_SERVER as $key => $value) {
   echo "<tr><td>$key</td><td>$value</td></tr>\n";
}
?>
</table>
</body>
</html>

This will tell you if REMOTE_USER is getting set which is what is used by OnDemand IIRC.

neranjan · June 12, 2019, 4:47pm

@kmilberg Did you able to solve this? I’m having the exact same issue, but I think I’m stuck with this right now. Any help appreciated.

milberg · May 4, 2020, 2:28pm

@neranjan I wasn’t able to solve the problem at the time, but I have seen that documentation for the issue I was having is available for OOD v1.7 https://osc.github.io/ood-documentation/master/authentication/duo-2fa-with-keycloak.html

Topic		Replies	Views
Ondemand with dedicated keycloak server Get Help	3	737	May 26, 2022
OIDC redirect failing Get Help question	14	3930	May 26, 2022
Ondemand + keycloak + RHEL8 issues Get Help question	4	286	January 30, 2023
Login error with Ondemand 1.8 and Keycloak 10 Get Help question	4	946	May 26, 2022
OIDC with Keycloak filter by groups/roles Get Help question	4	740	March 9, 2024

OnDemand-Keycloak-IDM authentication

Related Topics