At the time of this writing, this project was hosted at: github.com/MoebiusSolutions/auth-demo
This repo is used to demonstrate a variety of SSO configs. It contains:
- A docker-compose environment that instantiates many DevOps services
- A reverse proxy with PKI certs for all services
- Many example setup procedures
Demonstration Procedures
- Demonstrate Bitbucket Authentication through Crowd/LDAP to Keycloak/OpenLDAP
- Demonstrating OAuth from Bitbucket to Azure Active Directory
- Demonstrating Group Sync and JIT User Provisioning in Bitbucket via SAML to Azure AD
- Demonstrating Group Sync and JIT User Provisioning in Jira via SAML to Azure AD
- Demonstrating Group Sync and JIT User Provisioning in Artifactory via SAML to Azure AD
- Demonstrating Artifactory Authentication through SAML to Keycloak
Minor Task Procedures (used by the above procedures)
- Azure
- Set up an Account and Tenant in Azure
- Defined Bitbucket OAuth Client Secret in Azure AD
- Exposed Azure AD to Bitbucket through OAuth
- Added OAuth Redirect URL to Azure AD for Bitbucket
- Added OAuth Token Claims to Azure AD for Bitbucket
- Defined User and Group in Azure AD for Bitbucket OAuth
- Define Standard Users and Groups in Azure AD
- Keycloak
- Crowd
- Bitbucket
- Artifactory
Other Docs
- Basic Cluster Operations (Start/Stop/Wipe)
- Manual Actions in LDAP UI
- Manual Actions in LDAP CLI
- Resolving "Found an Attribute element with duplicated Name" SAML Error in Bitbucket
- The OpenLDAP Admin User is Not Listed in LDAP Queries
- Fixing SAML SSO Logout
NOTE: All of the following hostnames come from `authdemo-show-hosts.sh`, which should have been installed into your `/etc/hosts`.
Proxied (HTTPS) service URLs:
- OpenLDAP UI: https://ldap-ui.proxy.auth-demo.docker/
  - TODO: Fix this proxy connection. Either we have to load a proper cert into the backend container, or we have to enable an HTTP service port.
- Keycloak: https://keycloak.proxy.auth-demo.docker/
- Crowd: https://crowd.proxy.auth-demo.docker/
- Bitbucket: https://bitbucket.proxy.auth-demo.docker/
- Jira: https://jira.proxy.auth-demo.docker/
- Artifactory: https://artifactory.proxy.auth-demo.docker/
- CAS Demo Pages
  - Example Public Content: https://cas-proxy.auth-demo.docker/index.php
  - Example Private Content: https://cas-proxy.auth-demo.docker/secured-by-cas/index.php
Direct/internal service URLs:
- OpenLDAP UI: https://ldap-ui.auth-demo.docker:443/
- Keycloak: http://keycloak.auth-demo.docker:8080/auth/
  - NOTE: We added a redirect rule from `/` to `/auth/` to the proxy, but this does not work for direct requests to Keycloak. This is an apparent bug in Keycloak.
- Crowd: http://crowd.auth-demo.docker:8095/
- Bitbucket: http://bitbucket.auth-demo.docker:7990/
- Bitbucket SSH: ssh://bitbucket.auth-demo.docker:7999/ (SSH, not HTTP)
- Jira: https://jira.auth-demo.docker:8080/
- Artifactory: https://artifactory.auth-demo.docker:8082/
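Before opening any of the URLs above it is worth confirming that every hostname the lab relies on actually made it into the hosts file; a missing entry tends to surface later as a confusing SAML/OAuth redirect failure rather than an obvious DNS error. The script below is an added example, not part of the auth-demo repository: the hostname list is copied from the URLs in this README, the sample hosts-file content is constructed for illustration (it deliberately omits two entries), and the function names `missing_hosts`, `missing_count` and `demo_hosts_file` are this example's own.

```shell
#!/bin/sh
# Added example (not from the auth-demo repo): check that every hostname used by
# the proxied and direct URLs in this README has an entry in a hosts file.

# Hostnames copied from the README's URL lists.
AUTH_DEMO_HOSTS="ldap-ui.proxy.auth-demo.docker keycloak.proxy.auth-demo.docker \
crowd.proxy.auth-demo.docker bitbucket.proxy.auth-demo.docker \
jira.proxy.auth-demo.docker artifactory.proxy.auth-demo.docker \
cas-proxy.auth-demo.docker ldap-ui.auth-demo.docker keycloak.auth-demo.docker \
crowd.auth-demo.docker bitbucket.auth-demo.docker jira.auth-demo.docker \
artifactory.auth-demo.docker"

# missing_hosts HOSTS_FILE
# Prints, one per line, each expected hostname that has no entry in HOSTS_FILE.
# Comments ("# ...") and blank lines are ignored, and one line may map an IP to
# several hostnames, which is the shape authdemo-show-hosts.sh output takes.
missing_hosts() {
    hosts_file=$1
    # Strip comments, then collect every hostname column (fields after the IP).
    present=$(sed -e 's/#.*//' "$hosts_file" |
        awk 'NF > 1 { for (i = 2; i <= NF; i++) print $i }')
    for h in $AUTH_DEMO_HOSTS; do
        found=0
        for p in $present; do
            [ "$p" = "$h" ] && { found=1; break; }
        done
        [ "$found" -eq 0 ] && echo "$h"
    done
    return 0
}

# missing_count HOSTS_FILE
# Prints the number of expected hostnames that are absent from HOSTS_FILE.
missing_count() {
    missing_hosts "$1" | awk 'END { print NR }'
}

# demo_hosts_file
# Writes a constructed hosts file (not real authdemo-show-hosts.sh output) to a
# temp file and prints its path. ldap-ui.proxy.auth-demo.docker and
# cas-proxy.auth-demo.docker are intentionally left out.
demo_hosts_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample hosts file for the auth-demo lab
127.0.0.1   localhost
172.20.0.10 keycloak.auth-demo.docker keycloak.proxy.auth-demo.docker   # keycloak
172.20.0.11 crowd.auth-demo.docker crowd.proxy.auth-demo.docker
172.20.0.12 bitbucket.auth-demo.docker bitbucket.proxy.auth-demo.docker
172.20.0.13 jira.auth-demo.docker jira.proxy.auth-demo.docker
172.20.0.14 artifactory.auth-demo.docker artifactory.proxy.auth-demo.docker
172.20.0.16 ldap-ui.auth-demo.docker
EOF
    echo "$f"
}

# Usage: run against the constructed sample; for the real lab, pass /etc/hosts.
sample=$(demo_hosts_file)
echo "Missing from $sample ($(missing_count "$sample")):"
missing_hosts "$sample"
rm -f "$sample"
```

To check your own machine, call `missing_hosts /etc/hosts`; an empty result means every hostname in this README resolves locally, and the two names the sample omits show what a gap looks like.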
auth-demo-0.3 (IN-PROGRESS)
- ...
auth-demo-0.2 (2024-02-18)
- Upgraded Keycloak from 16.x to 23.x
- Added `key-cloak` init container
- Updated most procedures to use the new interface
- Added Demonstrating CAS Authentication from Apache to Keycloak (CAS authentication between Apache2 and Keycloak)
- Added `cas-proxy` (Apache2) container
- Added a volume to store Keycloak data (so Keycloak configs survive redeploys)
- Added creation of a JKS keystore for every machine cert
auth-demo-0.1 (2024-02-07)
- All previous work