Symantec Access Management


CA Single Sign-On 12.7 as an OpenID Connect Provider with a JBoss EAP/Keycloak Client Adapter as a Relying Party

  • 1.  CA Single Sign-On 12.7 as an OpenID Connect Provider with a JBoss EAP/Keycloak Client Adapter as a Relying Party

    Posted Feb 27, 2018 01:56 PM

    I am attempting to use the JBOSS EAP Client adapter as a Relying Party to the CA Single Sign-On OpenID Connect Provider.

    I have followed instructions found at Configure CA Single Sign-On as OpenID Connect Provider - CA Single Sign-On - 12.7 - CA Technologies Documentation  to configure the provider side.

     

    I used a url similar to https://fed.mydomain.com/affwebservices/realms/JDBCRealm/protocol/openid-connect/auth for the authentication url

     

    I deselected "Use Secure Authentication URL" and changed the authentication URL to match the structure of the Keycloak client redirection.

     

    I had to do a servlet mapping in the "/app/CA/secure-proxy/Tomcat/webapps/affwebservices/WEB-INF/web.xml" file to comply with the inflexibility of the Keycloak/Red Hat OpenID Connect Client adapter

     

    <servlet-mapping>
       <servlet-name>openidconnect-authorize</servlet-name>
       <url-pattern>/realms/JDBCRealm/protocol/openid-connect/auth/*</url-pattern>
    </servlet-mapping>

    I believe that this creates a virtual path.

     

    I created a realm that uses the Resource Filter /affwebservices/realms/JDBCRealm/protocol/openid-connect/ to protect the various endpoint URLs that the Keycloak client redirects to, such as:
    .../realms/JDBCRealm/protocol/openid-connect/auth/
    .../realms/JDBCRealm/protocol/openid-connect/token/
    .../realms/JDBCRealm/protocol/openid-connect/userinfo/
    .../realms/JDBCRealm/protocol/openid-connect/logout/
    .../realms/JDBCRealm/protocol/openid-connect/certs/

     

    I created a client using the CA SSO Administrative UI, disabling user consent and specifying Application Type: Confidential and Authentication Type: Basic. The Redirect URI specified is the exact same URI that the user begins with when they start a session.

     

     

    I referenced the instructions found at Chapter 2. OpenID Connect - Red Hat Customer Portal under "Securing WARs via Adapter Subsystem" to configure the client side.

    The client builds the redirection URI from the <realm> and <auth-server-url> parameters under the urn:jboss:domain:keycloak:1.1 subsystem in the standalone.xml for the JBoss instance. The <resource> parameter is taken from the client ID produced when creating the client on the Provider side using the CA SSO Administrative UI.

     

    The resulting redirect uri looks like https://fed.mydomain.com/affwebservices/realms/JDBCRealm/protocol/openid-connect/auth

     

    This configuration does not work yet. When I access the client, I am redirected, but it looks like a GET rather than a POST (I have X'd out the redirect URI). I am redirected back to the redirect_uri, but I am not prompted for a username and password.

     

    GET /affwebservices/realms/JDBCRealm/protocol/openid-connect/auth?response_type=code&client_id=0003804e-57aa-1a90-b5eb-9ae8ac147b7f&redirect_uri=https%3A%2F%2FXXX.XX.XX.XX%3A8443%2Fbot%2F&state=73d26f4f-5e88-478c-bb04-c0b1926353ac&login=true&scope=openid HTTP/1.1

     

    Should the OpenID Connect Authorization Provider using BASIC authentication be able to respond to a GET? How do I test my Provider independent of the client?

     

    Thanks 

    Doyle
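The authorization code flow the post above is trying to drive, walked by hand so the OP can be exercised without the JBoss adapter in the loop. This is an added example, not code from the thread, from CA SSO or from Red Hat. The endpoint paths follow the CA SSO ones quoted for the Apache RP later in the thread (/affwebservices/CASSO/oidc/authorize and .../token); the host, client ID, client secret and redirect URI are placeholders to be replaced with the values shown in the CA SSO client object. Two protocol points it makes concrete: the browser reaches the authorization endpoint with a plain GET (OpenID Connect Core 1.0 section 3.1.2.1 requires the OP to accept GET there) and carries no client credential on that leg, while HTTP Basic client authentication (client_secret_basic) belongs to the back-channel POST to the token endpoint, alongside client_secret_post, which is what the Apache configuration quoted later in the thread selects.

```python
"""Exercise an OpenID Connect Provider by hand (authorization code flow).

Added example for this thread, not code from CA SSO, Red Hat or the posters.
The endpoint URLs, client id, client secret and redirect URI are placeholders
(assumptions); take the real values from the client object in the CA SSO
Administrative UI.
"""
import base64
import json
import secrets
import urllib.request
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Placeholders (assumed values, modelled on the thread's redacted examples).
AUTHORIZE_ENDPOINT = "https://fed.mydomain.com/affwebservices/CASSO/oidc/authorize"
TOKEN_ENDPOINT = "https://fed.mydomain.com/affwebservices/CASSO/oidc/token"
CLIENT_ID = "0003804e-57aa-1a90-b5eb-9ae8ac147b7f"
CLIENT_SECRET = "replace-with-the-secret-from-the-client-object"
REDIRECT_URI = "https://rp.example.com/bot/"


def build_authorization_url(authorize_endpoint, client_id, redirect_uri, state, scope="openid"):
    """Step 1 (front channel): the browser is sent to the authorization endpoint
    with a plain GET. No client secret travels on this leg; the OP answers by
    showing its login form and then redirecting back to redirect_uri."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # unguessable, bound to this browser session
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Step 2: pull the code out of the redirect back to the RP. The state must
    match what we sent (otherwise an attacker could inject their own code), and
    an error response must not be mistaken for success."""
    query = parse_qs(urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: this callback is not for our request")
    if "error" in query:
        raise ValueError(f"OP returned error={query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(token_endpoint, code, redirect_uri, client_id, client_secret,
                        auth_method="client_secret_basic"):
    """Step 3 (back channel): redeem the code with a POST to the token endpoint.
    This is where client authentication happens. client_secret_basic sends the
    id:secret pair (each form-urlencoded, RFC 6749 appendix B) in an HTTP Basic
    header; client_secret_post sends them as form fields instead."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the one used in step 1
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth_method == "client_secret_basic":
        creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode()).decode()
    elif auth_method == "client_secret_post":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported client authentication method: {auth_method}")
    return token_endpoint, headers, urlencode(form).encode()


def send_token_request(url, headers, body):
    """Perform the POST and return the token response (id_token, access_token, ...)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print("1. Open this URL in a browser and log in:")
    print("  ", build_authorization_url(AUTHORIZE_ENDPOINT, CLIENT_ID, REDIRECT_URI, state))
    callback = input("2. Paste the full URL you were redirected back to: ").strip()
    code = parse_callback(callback, state)
    url, headers, body = build_token_request(TOKEN_ENDPOINT, code, REDIRECT_URI,
                                             CLIENT_ID, CLIENT_SECRET)
    print("3. Token response:", json.dumps(send_token_request(url, headers, body), indent=2))
```

Run it, open the printed URL, log in at the OP and paste back the URL the browser lands on (there is no RP listening on the placeholder redirect URI, so the browser will show a connection error, but the address bar still holds the code and state). A successful token response is the check that the OP side works on its own; whichever client authentication method the OP's client object is configured for only matters on that final POST, never on the browser's GET to the authorization endpoint.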



  • 2.  Re: CA Single Sign-On 12.7 as an OpenID Connect Provider with a JBoss EAP/Keycloak Client Adapter as a Relying Party

    Posted Feb 27, 2018 02:01 PM

    Doyle dcollings

     

    Seems like you have completely misjudged the configuration in the documentation. The configurations listed above are incorrect.

     

    Please refer to these:

     

    https://communities.ca.com/thread/241778229-ca-sso-openid-connect-provider-agentless-sso 

     

    https://communities.ca.com/docs/DOC-231177118-ca-sso-openid-connect-provider-with-apache-openid-client

     

    In the case of Apache, replace it with JBoss. In the blogs above we use Apache as the Relying Party.

     

    Everything on CA SSO end has to be as per this blog.

     

     

    Review both these blogs and let me know if you have any further questions.

     

     

    Regards

    Hubert



  • 3.  Re: CA Single Sign-On 12.7 as an OpenID Connect Provider with a JBoss EAP/Keycloak Client Adapter as a Relying Party

    Posted Feb 27, 2018 11:54 PM

    I changed the authentication url to https://fed.mydomain.com/affwebservices/secure/secureredirect and selected use Secure Authentication URL.  I also followed the steps in the above instructions to protect the /affwebservice/secure/securedirect realm.  When I access the relying party I am redirected to https://fed.mydomain.com/affwebservices/secure/secureredirect/realms/JDBCRealm/protocol/openid-connect/auth and I receive the following error

     

    CA Access Gateway - Error Report
    Error Details
    Request URI: /affwebservices/secure/secureredirect/realms/JDBCRealm/protocol/openid-connect/auth
    Error Type: SPS Exception
    Error Code: Noodle_ConnectException
    Message: Connection refused remotely, no process is listening on the remote address/port.

    Am I using the correct procedure to map the virtual uri of realms/JDBCRealm/protocol/openid-connect/auth to the openidconnect-authorize servlet?



  • 4.  Re: CA Single Sign-On 12.7 as an OpenID Connect Provider with a JBoss EAP/Keycloak Client Adapter as a Relying Party

    Posted Feb 28, 2018 12:01 AM

    Doyle dcollings

     

    There is no resource in CA AG for /affwebservices/secure/secureredirect/realms/JDBCRealm/protocol/openid-connect/auth. This is an invalid URI for CA AG.

     

    Could you paste OR share the Jboss RP configuration ?

     

    Here is how a sample RP configuration looks on the RP end. Below is from Apache as RP.

     

    https://communities.ca.com/docs/DOC-231177118-ca-sso-openid-connect-provider-with-apache-openid-client
    Apache RP Configuration
    # Skips validation of the OP's TLS certificate; a lab setting, keep it On in production
    OIDCSSLValidateServer Off
    OIDCProviderIssuer https://www.example.com
    # Client ID and secret as issued by the CA SSO client object
    OIDCClientID d7017955-83ce-4b58-87ed-1aa2851a9154
    OIDCClientSecret vW2wJ1LJX0xM/aBgm50nuluQNmCr83tv6qO35iEQr5s=
    # OP endpoints, all under /affwebservices/CASSO/oidc/
    OIDCProviderAuthorizationEndpoint https://www.example.com/affwebservices/CASSO/oidc/authorize
    OIDCProviderTokenEndpoint https://www.example.com/affwebservices/CASSO/oidc/token
    # RP callback; must match the Redirect URI registered on the CA SSO client object
    OIDCRedirectURI http://www.demo.com/example/redirect
    OIDCCryptoPassphrase SomePassword
    # How the RP authenticates itself at the token endpoint
    OIDCProviderTokenEndpointAuth client_secret_post
    OIDCProviderJwksUri https://www.example.com/affwebservices/CASSO/oidc/jwks?AuthorizationProvider=openId-provider-example
    OIDCScope "openid email fullname userDetail"
    OIDCProviderUserInfoEndpoint https://www.example.com/affwebservices/CASSO/oidc/userinfo

    /affwebservices/CASSO/oidc/authorize is the OP Authorization Code Flow endpoint which should be defined on the RP end to begin the Authorization Code flow journey.

     

    There are other OP end points also listed.

     

     

     

    A complete list of OP endpoints is shown within the Client Object in the CA SSO WAM UI. These are the endpoint URLs which you'll need to define within the JBoss RP.

     

     

    Within the CA SSO OP Client configuration, you'll need the JBoss RP endpoint to which the Authorization code is sent. In the screenshot above it is http://www.demo.com/example/redirect. This is the Apache RP endpoint to which CA SSO issues an Authorization code after successful authentication.



  • 5.  Re: CA Single Sign-On 12.7 as an OpenID Connect Provider with a JBoss EAP/Keycloak Client Adapter as a Relying Party

    Posted Feb 28, 2018 01:21 AM

    Unlike the httpd.conf configuration for the Apache OpenID Connect client plugin, it appears that I cannot specify the endpoints directly in the Keycloak Relying Party. It seems that the JBoss Keycloak adapter builds the various endpoints using the following subsystem configuration in its standalone.xml as its base:

    <extensions>
        <extension module="org.keycloak.keycloak-adapter-subsystem"/>
    </extensions>
    <profile>
        <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
            <secure-deployment name="app.war">
                <realm>JDBCRealm</realm>
                <auth-server-url>https://fed.mydomain.com/affwebservices/secure/secureredirect</auth-server-url>
                <ssl-required>external</ssl-required>
                <truststore>WEB-INF/BOT_test.jks</truststore>
                <truststore-password>test</truststore-password>
                <resource>0003804e-57aa-1a90-b5eb-9ae8ac147b7f</resource>
                <credential name="secret">password</credential>
            </secure-deployment>
        </subsystem>
    </profile>

     

    From this configuration it builds, and redirects to, the following endpoint on a client request:
    https://fed.mydomain.com/affwebservices/secure/secureredirect/realms/JDBCRealm/protocol/openid-connect/auth

    It seems that the JBoss Keycloak OpenID Connect Client adapter is written specifically for the JBoss Keycloak OpenID Connect Provider. In an attempt to essentially emulate the JBoss Keycloak authorization endpoints, I created the following servlet mapping in the "/app/CA/secure-proxy/Tomcat/webapps/affwebservices/WEB-INF/web.xml", hoping to create a virtual path:

    <servlet-mapping>
        <servlet-name>openidconnect-authorize</servlet-name>
        <url-pattern>/realms/JDBCRealm/protocol/openid-connect/auth/*</url-pattern>
    </servlet-mapping>

     

    But as you said, this is an invalid URI for CA Access Gateway. There is still no resource in CA AG for /affwebservices/secure/secureredirect/realms/JDBCRealm/protocol/openid-connect/auth. Is there an additional step to create that resource to give the JBoss client what it wants?

     

    Thanks

    Doyle
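The mismatch the post above describes, made checkable: parse the keycloak subsystem out of standalone.xml, build the URLs the adapter will derive from auth-server-url and realm, and compare their paths with the endpoints the OP actually serves. This is an added example, not code from Red Hat, CA or the posters. The adapter path pattern (auth-server-url + /realms/<realm>/protocol/openid-connect/<op>) is the one observed in the thread, the CA SSO paths are the ones quoted for the Apache RP, and the sample subsystem fragment is constructed from the post with the secret and truststore password removed.

```python
"""Derive the endpoint URLs a Keycloak/JBoss EAP adapter will construct from its
standalone.xml subsystem and check them against the endpoints the OP serves.

Added example for this thread, not code from Red Hat, CA or the posters.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

KEYCLOAK_NS = "urn:jboss:domain:keycloak:1.1"

# Constructed sample input: the thread's subsystem fragment, secrets removed.
STANDALONE_FRAGMENT = """<profile>
  <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <secure-deployment name="app.war">
      <realm>JDBCRealm</realm>
      <auth-server-url>https://fed.mydomain.com/affwebservices/secure/secureredirect</auth-server-url>
      <ssl-required>external</ssl-required>
      <resource>0003804e-57aa-1a90-b5eb-9ae8ac147b7f</resource>
      <credential name="secret">REDACTED</credential>
    </secure-deployment>
  </subsystem>
</profile>"""

# What the OP really serves (paths from the Apache RP configuration in the thread).
CA_SSO_PATHS = {
    "auth": "/affwebservices/CASSO/oidc/authorize",
    "token": "/affwebservices/CASSO/oidc/token",
    "userinfo": "/affwebservices/CASSO/oidc/userinfo",
    "certs": "/affwebservices/CASSO/oidc/jwks",
}

# Operations the adapter appends to the realm base, as listed in the thread.
ADAPTER_OPERATIONS = ("auth", "token", "userinfo", "logout", "certs")


def _local(tag):
    """Strip the XML namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def parse_secure_deployments(xml_text):
    """Return {deployment name: {setting: value}} for every secure-deployment,
    dropping the credential so the secret is not carried around."""
    root = ET.fromstring(xml_text)
    deployments = {}
    for dep in root.iter(f"{{{KEYCLOAK_NS}}}secure-deployment"):
        settings = {_local(c.tag): (c.text or "").strip() for c in dep}
        settings.pop("credential", None)
        deployments[dep.get("name")] = settings
    return deployments


def adapter_endpoints(settings):
    """URLs the adapter will redirect to or call, built the Keycloak way."""
    base = settings["auth-server-url"].rstrip("/")
    realm = settings["realm"]
    return {op: f"{base}/realms/{realm}/protocol/openid-connect/{op}"
            for op in ADAPTER_OPERATIONS}


def compare_with_op(endpoints, op_paths):
    """Return {op: (path the adapter will request, path the OP serves or None)}
    for every operation whose requested path is not one the OP serves."""
    mismatches = {}
    for op, url in endpoints.items():
        requested = urlsplit(url).path
        served = op_paths.get(op)
        if requested != served:
            mismatches[op] = (requested, served)
    return mismatches


def config_warnings(settings):
    """Hygiene checks a reviewer would run on the adapter settings."""
    warnings = []
    if urlsplit(settings.get("auth-server-url", "")).scheme != "https":
        warnings.append("auth-server-url is not https: code and tokens would travel in clear")
    if settings.get("ssl-required", "external") == "none":
        warnings.append("ssl-required=none lets the adapter talk to the OP without TLS")
    return warnings


if __name__ == "__main__":
    for name, settings in parse_secure_deployments(STANDALONE_FRAGMENT).items():
        print(f"deployment {name}: realm={settings['realm']} client_id={settings['resource']}")
        for op, (requested, served) in compare_with_op(adapter_endpoints(settings), CA_SSO_PATHS).items():
            print(f"  {op:9s} adapter requests {requested}")
            print(f"            OP serves        {served or '(nothing)'}")
        for warning in config_warnings(settings):
            print("  WARNING:", warning)
```

Run against the sample, every one of the five operations comes out as a mismatch: the adapter asks for .../secure/secureredirect/realms/JDBCRealm/protocol/openid-connect/auth while the OP serves /affwebservices/CASSO/oidc/authorize, and there is no logout counterpart at all. That is the same fact the Access Gateway reports as "no resource" for the requested URI; the script just lets you see it before deploying the WAR.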



  • 6.  Re: CA Single Sign-On 12.7 as an OpenID Connect Provider with a JBoss EAP/Keycloak Client Adapter as a Relying Party

    Posted Feb 28, 2018 02:19 AM

    Thank You Doyle dcollings

     

    One thing that I can see which is incorrect is the Auth-server-url. We never define the Authentication URL in CA SSO on RP. The Auth-server-url has to be the OP end point URL e.g. Authorization end point.

     

    But as you mentioned, fixing just the Auth-server-url isn't going to make this work. Need more understanding of the RP configuration from the JBoss Keycloak perspective.

     

     

    Regards 

    Hubert.



  • 7.  Re: CA Single Sign-On 12.7 as an OpenID Connect Provider with a JBoss EAP/Keycloak Client Adapter as a Relying Party

    Posted Feb 28, 2018 02:39 AM

    Doyle dcollings

     

    After reviewing all content here are my thoughts.

     

    I think Keycloak cannot be used as an RP.

    Refer to: OpenID Certification | OpenID

    As per this certification, Keycloak is only certified as an OP.

     

    What we see here is a Keycloak-as-OP configuration.

    Other OpenID Connect libraries | Securing Applications and Services Guide 

    Even here they suggest using Apache as the RP and Keycloak as the OP.

     

    Please review and suggest if there are any further questions.

     

     

    Regards 

    Hubert.



  • 8.  Re: CA Single Sign-On 12.7 as an OpenID Connect Provider with a JBoss EAP/Keycloak Client Adapter as a Relying Party

    Posted Mar 07, 2018 10:42 AM

    With JBoss EAP I cannot use Apache as a relying party. Red Hat support suggests that I install Red Hat SSO Server at the application and configure the identity broker (Chapter 12. Identity Brokering - Red Hat Customer Portal). If this is the only solution, I will use SAML instead. With SAML I only need to enable the SAML client subsystem of JBoss EAP and add a small section to the existing standalone.xml.



  • 9.  Re: CA Single Sign-On 12.7 as an OpenID Connect Provider with a JBoss EAP/Keycloak Client Adapter as a Relying Party

    Posted Mar 07, 2018 11:38 AM

    Doyle dcollings

     

    Trying to understand why "With Jboss/EAP we cannot use apache as RP". This is way outside the scope of CA SSO, but just curious.

     

    Technically I don't see a reason why it is not possible, because of the below configuration.

     



  • 10.  Re: CA Single Sign-On 12.7 as an OpenID Connect Provider with a JBoss EAP/Keycloak Client Adapter as a Relying Party

    Posted Mar 07, 2018 12:16 PM

    What I meant by "With JBOSS/EAP I cannot use apache as a relying party" was this.

    JBoss EAP does not use httpd.conf to configure its web server. The Apache OpenID Connect client will work great against the Keycloak/Red Hat SSO Server OP and the CA Single Sign-On OP, but a JBoss EAP application does not use the standalone Apache Web Server.



  • 11.  Re: CA Single Sign-On 12.7 as an OpenID Connect Provider with a JBoss EAP/Keycloak Client Adapter as a Relying Party

    Broadcom Employee
    Posted Feb 27, 2018 02:27 PM

    The document from docops covers the policy part of it. The link in Hubert's post should cover the relying party configuration (basic configuration), which is for Apache but is a good reference, though I would assume JBoss has its own parameter definitions for OpenID Connect configuration.

    For testing the provider, a basic configuration should be present on your client side (JBoss in your case), AFAIK. There are some OpenID conformance scripts as well to test a standalone OP. In any case, most of these scripts (on GitHub; there are Python-based ones and also JMeter test plans) rely on references to your client.



  • 12.  Re: CA Single Sign-On 12.7 as an OpenID Connect Provider with a JBoss EAP/Keycloak Client Adapter as a Relying Party

    Broadcom Employee
    Posted Feb 27, 2018 03:40 PM

    I see JBoss EAP as RP has a different configuration altogether. The scripts that I mentioned from GitHub or the OpenID website can be referred to (I used them to do some basic testing, but I had the Apache module in place), but I am not sure if there is one readily available in this forum for you to test SSO as OP without a client setup. Will probably wait to see if anyone has any other comments.