How to test MinIO SSO keycloak - cniackz/public GitHub Wiki

Objective:

Test MinIO with Keycloak as the SSO mechanism

Tested:

  • Sun Jan 1 2023 -> PASSED!
  • Fri Aug 11 2023 -> PASSED! on version RELEASE.2023-07-21T21-12-44Z
  • Fri Sep 22 2023 -> PASSED! on version RELEASE.2023-09-20T22-49-55Z

Inspired from:

Steps:

  1. Run Keycloak:

     ```shell
     cd ~
     sudo rm -rf keycloak-containers
     git clone git@github.com:keycloak/keycloak-containers.git
     cd keycloak-containers/server
     git checkout 12.0.4
     docker build -t jboss/keycloak:12.0.4 .
     docker run --rm -p 9080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin jboss/keycloak:12.0.4
     ```

  2. Access Keycloak at http://localhost:9080 with:

     ```
     user: admin
     password: admin
     ```
  3. Configure Keycloak as follows:

     * Create a Realm called `myrealm`
     * Clients
       * Click on `account`
       * Settings: set "Valid Redirect URIs" to `*`
       * Expand "Advanced Settings" and set "Access Token Lifespan" to 1 Hour
       * Save
     * Clients
       * Click on `account`
       * Mappers tab (in the middle)
       * Click the `Create` button:
         * Name: `anytext`
         * Mapper Type: `User Attribute`
         * User Attribute: `policy`
         * Token Claim Name: `policy`
         * Claim JSON Type: `string`
       * Click the `Create` button again:
         * Name: `Audience`
         * Mapper Type: `Audience`
         * Included Client Audience: `security-admin-console`
       * Save the two mappers
     * Clients > account > Settings > "Service Accounts Enabled" = ON
     * Roles
       * Add a new Role `admin` with Description `${role_admin}`
       * "Composite Roles" = ON
         * Move all "Available Roles" to "Associated Roles"
         * Do the same for all "Client Roles", left to right
     * Roles
       * Default Roles
         * Move all "Available Roles" to "Realm Default Roles"
         * Do the same for all "Client Roles", left to right
     * Clients
       * account
         * "Service Account Roles" tab
           * Move all "Available Roles" to "Assigned Roles"
           * Do the same for all "Client Roles"
     * Users
       * Create the `minio` user
       * Attribute `policy` with value `readwrite`
       * Set the password to `minio123`
       * "Role Mappings" tab
         * Move all "Available Roles" from left to right
         * Do the same for all "Client Roles"
       * Add and Save

  4. Run MinIO. Copy the client secret from Keycloak into the MinIO environment first:

     * Clients
       * account
         * Credentials
           * Secret: `81f55c5f-137f-4d83-82c5-c7fdc73cad5e` (copy this value into `MINIO_IDENTITY_OPENID_CLIENT_SECRET` below)

     ```shell
     sudo rm -rf /Volumes/data1/.minio.sys/
     sudo rm -rf /Volumes/data2/.minio.sys/
     sudo rm -rf /Volumes/data3/.minio.sys/
     sudo rm -rf /Volumes/data4/.minio.sys/
     export MINIO_IDENTITY_OPENID_CLIENT_SECRET="81f55c5f-137f-4d83-82c5-c7fdc73cad5e"
     export MINIO_IDENTITY_OPENID_SCOPES="openid,profile,email"
     export MINIO_BROWSER_REDIRECT_URL=http://localhost:9001
     export MINIO_SERVER_URL=http://localhost:9000
     export MINIO_IDENTITY_OPENID_CLIENT_ID="account"
     export MINIO_IDENTITY_OPENID_CONFIG_URL=http://localhost:9080/auth/realms/myrealm/.well-known/openid-configuration
     export MINIO_ROOT_USER=minio
     export MINIO_ROOT_PASSWORD=minio123
     minio server /Volumes/data{1...4} --address :9000 --console-address :9001
     ```
  5. Go to http://localhost:9001/login in an incognito window.

  6. Click "Login with SSO".

  7. Provide the credentials:

     ```
     user: minio
     password: minio123
     ```

  8. It is expected that you can see the Console UI.
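If the SSO login does not land on the Console UI, the first thing to check is what Keycloak actually put in the token before MinIO sees it. The following Python helper is an added example (not from this wiki page, not MinIO's or Keycloak's code) that decodes a JWT payload and checks the claims this setup depends on: the `policy` claim produced by the User Attribute mapper (MinIO's default claim name), an `iss` matching the realm behind `MINIO_IDENTITY_OPENID_CONFIG_URL`, an `aud` containing the client id (the OpenID Connect rule for ID tokens), and expiry. The `ISSUER`/`CLIENT_ID` constants are taken from the environment above, and `make_test_token` plus the HS256 test key exist only so the example runs offline on a constructed token; Keycloak signs with RS256 and MinIO verifies that signature against the realm's JWKS, which this helper deliberately does not replace.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

ISSUER = "http://localhost:9080/auth/realms/myrealm"  # realm from MINIO_IDENTITY_OPENID_CONFIG_URL
CLIENT_ID = "account"                                  # MINIO_IDENTITY_OPENID_CLIENT_ID


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_test_token(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT from constructed claims so the checks can run offline
    (assumed helper; Keycloak itself issues RS256 tokens)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def check_minio_claims(token: str, now: Optional[float] = None) -> List[str]:
    """Return the problems found in the token payload (empty list = claims look usable).
    Only the payload is inspected: this is a debugging aid for the Keycloak mapper
    setup, not a substitute for the JWKS signature check MinIO performs."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part JWT"]
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    problems: List[str] = []
    if claims.get("iss") != ISSUER:
        problems.append(f"iss is {claims.get('iss')!r}, expected {ISSUER!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)   # aud may be a string or a list
    if CLIENT_ID not in aud:
        problems.append(f"aud {aud} does not include the client id {CLIENT_ID!r}; check the Audience mapper")
    policy = claims.get("policy")
    if not isinstance(policy, str) or not policy:
        problems.append("'policy' claim missing or not a string; check the User Attribute mapper")
    if claims.get("exp", 0) <= now:
        problems.append("exp is missing or in the past")
    return problems
```

On a live setup, pass the access token Keycloak returned during "Login with SSO" to `check_minio_claims`; an empty list means the mappers produced what MinIO needs, otherwise the messages point at the mapper to revisit.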