
feat(jans-linux-setup): turn off update profile on first login for the review profile step in the first broker login flow #9522

Merged
merged 2 commits into from
Sep 19, 2024

Conversation

devrimyatar
Contributor

closes #9518

  • I confirm that there is no impact on the docs due to the code changes in this PR.

…e review profile step in the first broker login flow

Signed-off-by: Mustafa Baser <mbaser@mail.com>
@devrimyatar devrimyatar added kind-feature Issue or PR is a new feature request comp-jans-linux-setup Component affected by issue or PR labels Sep 19, 2024

dryrunsecurity bot commented Sep 19, 2024

DryRun Security Summary

The provided code changes focus on the installation and configuration of the Keycloak identity provider (IdP) to integrate with the Jans SAML application, including unpacking and configuring the Keycloak server, deploying the Jans SAML plugin, disabling the "Review Profile" execution step, and installing and configuring the Keycloak scheduler, with a review of potential security considerations related to credential management, disabling the "Review Profile" execution step, Keycloak scheduler configuration, and logging and monitoring.


Summary:

The provided code changes focus on the installation and configuration of the Keycloak identity provider (IdP) to integrate with the Jans SAML application. The key changes include unpacking and configuring the Keycloak server, deploying the Jans SAML plugin, disabling the "Review Profile" execution step in the first broker login flow, and installing and configuring the Keycloak scheduler.

From an application security perspective, the changes do not appear to introduce any immediate security concerns. However, there are a few areas that should be carefully reviewed and monitored:

  1. Credential Management: The code handles several credentials, such as the Keycloak admin username and password, the Jans IDP client ID and secret, and the Keycloak scheduler API client ID and secret. Proper management and protection of these credentials are crucial for the overall security of the system.

  2. Disabling "Review Profile" Execution: Disabling the "Review Profile" execution step can be considered a security enhancement, as it prevents potential information disclosure or manipulation during the SAML authentication process.

  3. Keycloak Scheduler Configuration: The Keycloak scheduler is configured to use the Jans API for authentication and authorization. Ensuring the secure configuration of the scheduler and the Jans API integration is important to prevent unauthorized access or potential abuse of the scheduler's capabilities.

  4. Logging and Monitoring: The code sets up logging directories for the Keycloak server and the Keycloak scheduler. Proper monitoring and review of these logs can help identify and address any security-related issues or anomalies.

Files Changed:

  1. jans-linux-setup/jans_setup/templates/jans-saml/kc_jans_api/jans.update-authenticator-config.json: This file is a configuration file for the Jans authentication system. The changes add a new configuration block that disables the "update profile on first login" feature, which should be carefully reviewed to ensure it does not introduce any security vulnerabilities or weaken the overall security posture of the application.

  2. jans-linux-setup/jans_setup/setup_app/installers/jans_saml.py: This code is responsible for the installation and configuration of the Keycloak IdP for the Jans SAML application. The changes include Keycloak installation, Jans SAML plugin configuration, disabling the "Review Profile" execution step, and Keycloak scheduler installation. These changes should be reviewed to ensure proper credential management, secure configuration of the scheduler and Jans API integration, and appropriate logging and monitoring mechanisms.

Code Analysis

We ran 9 analyzers against 2 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Authn/Authz Analyzer 3 findings

Riskiness

🟢 Risk threshold not exceeded.


sonarcloud bot commented Sep 19, 2024

@yuriyz yuriyz enabled auto-merge (squash) September 19, 2024 09:54
@yuriyz yuriyz merged commit 9b4f5cf into main Sep 19, 2024
5 of 6 checks passed
@yuriyz yuriyz deleted the jans-linux-setup-kc-first-broker-login-9518 branch September 19, 2024 09:54