Replies: 2 comments
-
Does Keycloak require anything special to read the subjectAlternativeName other=EDIPI from the cert and match it to a user in LDAP? Seems like that is my hangup.
-
I have tried changing these headers around with and without the X in nginx, matching it in Keycloak, and I've also used the X-SSL-CERT in the docker-compose and tried the variable name from nginx, ssl_client_escaped_cert, and I still don't see anything in the headers in developer tools, and the logs for Keycloak still say empty header and userId=null. I even made the / directive do a return 200 and output the variables just to make sure nginx was reading them (it is). It just seems like nothing is getting sent to Keycloak. I've figured out I can use employeeNumber and employeeID as LDAP attributes if I can ever get Keycloak to see the headers.
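A way to check what the header carrying the cert has to look like by the time it reaches Keycloak. This is an added Python example, not code from the thread, from Keycloak or from nginx; it mimics the two ends of the hop: nginx's $ssl_client_escaped_cert, which is the PEM percent-encoded so that no newline ends up in a header value, and Keycloak's nginx x509cert-lookup provider, which URL-decodes the header (Java URLDecoder semantics, where a bare '+' becomes a space), strips the BEGIN/END armor and whitespace, and base64-decodes what is left. SAMPLE_DER is constructed filler, not a real certificate, the header name follows KC_SPI_X509CERT_LOOKUP_NGINX_SSL_CLIENT_CERT from the compose file in the thread, and diagnose() with its verdict strings is a helper invented here. The raw $ssl_client_cert case shows why the escaped variable is the one to send: base64 contains '+', and after URL-decoding those are gone.

```python
import base64
from urllib.parse import quote, unquote_plus

# Constructed filler standing in for a certificate's DER bytes (NOT a real certificate).
# It contains byte values 0..254, so its base64 form has '+' and '/' like a real cert's would.
SAMPLE_DER = bytes(range(255))

# Header name as configured by KC_SPI_X509CERT_LOOKUP_NGINX_SSL_CLIENT_CERT in the compose file
HEADER_NAME = "SSL-CLIENT-CERT"


def to_pem(der: bytes) -> str:
    """PEM armor with 64-column base64 lines, the form nginx exposes in $ssl_client_cert."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def nginx_escaped_cert(pem: str) -> str:
    """Equivalent of nginx's $ssl_client_escaped_cert: the PEM percent-encoded as a URI
    component, so newlines, '+', '/' and '=' are escaped and the value fits one header line."""
    return quote(pem, safe="")


def keycloak_nginx_lookup(header_value: str):
    """Mirrors what Keycloak's nginx x509cert-lookup provider does with the header value:
    URL-decode ('+' becomes a space, as in Java's URLDecoder), drop the armor and all
    whitespace, base64-decode. Returns DER bytes, or None when no certificate can be
    recovered (the situation behind the 'empty header' log line and userId=null)."""
    if not header_value:
        return None
    pem = unquote_plus(header_value)
    if "-----BEGIN CERTIFICATE-----" not in pem:
        return None
    body = pem.replace("-----BEGIN CERTIFICATE-----", "").replace("-----END CERTIFICATE-----", "")
    body = "".join(body.split())
    try:
        return base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError: bad length, padding or alphabet
        return None


def diagnose(headers: dict, name: str = HEADER_NAME) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive) followed by
    a verdict a practitioner can act on. Hypothetical helper, not a Keycloak API."""
    value = next((v for k, v in headers.items() if k.lower() == name.lower()), None)
    if value is None:
        return "missing: proxy_set_header not set for this location, or its name differs from the KC_ option"
    if value == "":
        return "empty: nginx had no client cert, e.g. ssl_verify_client off or no CAC presented"
    if keycloak_nginx_lookup(value) is None:
        return "undecodable: not URL-encoded PEM, e.g. raw $ssl_client_cert whose '+' turned into spaces"
    return "ok"


if __name__ == "__main__":
    pem = to_pem(SAMPLE_DER)
    print(diagnose({HEADER_NAME: nginx_escaped_cert(pem)}))   # ok
    print(diagnose({"ssl-client-cert": pem}))                # undecodable: ...
    print(diagnose({HEADER_NAME: ""}))                       # empty: ...
    print(diagnose({"X-SSL-CERT": nginx_escaped_cert(pem)}))  # missing: ...
```

The "missing" and "empty" verdicts correspond to two different nginx problems: a missing header means the proxy_set_header line is absent for the location that proxies to Keycloak (or spelled differently from the KC_ option), while an empty header means nginx itself never obtained a client cert, which points at ssl_verify_client rather than at the header plumbing.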
-
Okay, so this is causing me to pull my hair out and I really hope someone can help with this, even if we have to collab on Teams or something. I've tried many things to get CAC auth working and still no dice.
A little backstory: I'm using LDAP to sync users and I'm trying to have nginx prompt the user for a cert and then use the subjectAlternativeName otherName (the user's EDIPI) to compare against the LDAP userPrincipalName and grant access.
I get prompted for the cert and pass it through, but Keycloak just logs userID=null and of course I don't get access to STIG Manager.
I've attached many screenshots of the custom mappers and attributes I'm syncing and my browser flow. I'm sure I've messed up somewhere in this process, but maybe some fresh eyes could help?
I'm under the assumption now that maybe that create-x509-user.jar file is needed somehow to accomplish this? However, I've never been able to get that to work without causing an error in Keycloak, and I think it only works for version 19/20? Does someone have an update to this, and is it even needed?
Many AIs seem to think I need custom Lua in nginx to get the EDIPI properly from the CAC cert, or a custom SPI/jar file to do it on the Keycloak side.
```yaml
networks:
  default:
    name: stigman-net
    external: false
services:
  nginx:
    image: docker.io/library/nginx:latest
    #image: registry1.dso.mil/ironbank/opensource/nginx/nginx:1.26.2
    volumes:
      - /podman/stigman/nginx/nginx.conf:/etc/nginx/nginx.conf:Z
      - ./nginx/index.html:/usr/share/nginx/html/index.html:Z
      - /podman/stigman/certs/localhost/stigman.usafricom.mil.crt:/etc/nginx/client.crt:Z
      - /podman/stigman/certs/localhost/stigman.usafricom.mil.key:/etc/nginx/client.key:Z
      - /podman/stigman/certs/dod/dod_CAs.pem:/etc/nginx/dod-ca.pem:Z
    ports:
      - "443:443"
  keycloak:
    image: quay.io/keycloak/keycloak:25.0.4
    #image: registry1.dso.mil/ironbank/opensource/keycloak/keycloak:25.0.4
    environment:
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=Pa55w0rd  # placeholder only; set a real secret before exposing the admin console
      - KC_PROXY=edge
      # nginx's http proxy_pass cannot send the PROXY protocol (only the stream module can), so this
      # must stay off or Keycloak expects a PROXY preamble on every connection nginx opens to it
      #- KC_PROXY_PROTOCOL_ENABLED=true
      - KC_PROXY_HEADERS=xforwarded
      - KC_PROXY_ADDRESS_FORWARDING=true
      #- KC_HOSTNAME=stigman.server.com
      - KC_HOSTNAME_URL=https://stigman.server.com/kc/
      - KC_HOSTNAME_ADMIN_URL=https://stigman.server.com/kc/
      # Take the client cert from a header set by nginx; the header must carry the URL-encoded PEM
      # ($ssl_client_escaped_cert) and its name must match the value configured here
      - KC_SPI_X509CERT_LOOKUP_PROVIDER=nginx
      - KC_SPI_X509CERT_LOOKUP_NGINX_SSL_CLIENT_CERT=SSL-CLIENT-CERT
      # Set to true only if Keycloak should trust nginx's chain validation instead of re-validating
      # the CAC against its own truststore below
      #- KC_SPI_X509CERT_LOOKUP_NGINX_TRUST_PROXY_VERIFICATION=true
      # Applies to Keycloak's own HTTPS listener, which is not configured here (TLS ends at nginx)
      - KC_HTTPS_CLIENT_AUTH=required
      - KC_HTTPS_PROTOCOLS=TLSv1.3,TLSv1.2
      # Truststore holding the DoD CAs; the spi-truststore-file options are deprecated since
      # Keycloak 24 in favour of KC_TRUSTSTORE_PATHS
      - KC_SPI_TRUSTSTORE_FILE_FILE=/tmp/keystore.jks
      - KC_SPI_TRUSTSTORE_FILE_PASSWORD=password
      - KC_METRICS_ENABLED=true  # build-time option: ignored by "start --optimized" unless baked into the image
    command: start --import-realm --optimized --hostname-strict=false
    volumes:
      - /podman/stigman/certs/dod/keystore.jks:/tmp/keystore.jks:Z
      - /podman/stigman/kc/stigman_realm.json:/opt/keycloak/data/import/stigman_realm.json:Z
      #- /podman/stigman/kc/create-x509-user.jar:/opt/keycloak/providers/create-x509-user.jar:Z
      # uncomment below to persist Keycloak data
      - /podman/stigman/kc/h2:/opt/keycloak/data/h2:Z
    ports:
      - "8080:8080"
      - "9000:9000"
  stigman:
    image: registry1.dso.mil/ironbank/opensource/stig-manager/stig-manager:1.5.3
    environment:
      # API-to-Keycloak URL, resolved from inside the stigman container
      - STIGMAN_OIDC_PROVIDER=http://stigman.server.com:8080/realms/stigman
      # Browser-to-Keycloak URL; must match the public URL in KC_HOSTNAME_URL, path included
      - STIGMAN_CLIENT_OIDC_PROVIDER=https://stigman.server.com/realms/stigman
      - STIGMAN_CLASSIFICATION=U
      - STIGMAN_DB_HOST=mysql
      - STIGMAN_DB_USER=stigman
      - STIGMAN_DB_PASSWORD=stigmanpw
      # uncomment below to fetch current STIG library from DISA and import it
      - STIGMAN_INIT_IMPORT_STIGS=true
    init: true
    ports:
      - "54000:54000"
  mysql:
    #image: registry1.dso.mil/ironbank/opensource/mysql/mysql8:8.4.4
    image: docker.io/library/mysql:latest
    environment:
      - MYSQL_ROOT_PASSWORD=rootpw
      - MYSQL_USER=stigman
      - MYSQL_DATABASE=stigman
      - MYSQL_PASSWORD=stigmanpw
      - MYSQL_AUTHENTICATION_PLUGIN=mysql_native_password
    command: --innodb-buffer-pool-size=16G --sort_buffer_size=64M
    volumes:
      - /podman/stigman/mysql:/var/lib/mysql:Z
    ports:
      - "3306:3306"
```
```nginx
events {
    worker_connections 4096; ## Default: 1024
}
pid /var/cache/nginx/nginx.pid;
http {
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log warn;
    server {
        listen 443 ssl;
        server_name stigman.server.com;
        ssl_certificate     /etc/nginx/client.crt;     # server cert/key as mounted in docker-compose
        ssl_certificate_key /etc/nginx/client.key;
        ssl_client_certificate /etc/nginx/dod-ca.pem;  # DoD CA bundle the CAC must chain to
        ssl_verify_client on;                          # makes the browser prompt for the CAC
        location /kc/ {
            proxy_pass http://keycloak:8080/;          # trailing slash strips /kc/, the path in KC_HOSTNAME_URL
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            # URL-encoded PEM for Keycloak's nginx lookup provider; the name must match KC_SPI_X509CERT_LOOKUP_NGINX_SSL_CLIENT_CERT
            proxy_set_header SSL-CLIENT-CERT $ssl_client_escaped_cert;
        }
    }
}
```
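What Keycloak actually pulls out of a CAC when the X.509 authenticator's user identity source is set to the SAN otherName (UPN), which is the question in the first reply above and the matching step described in this post. This is an added Python example, not code from the thread or from Keycloak: it builds a SAN extension value in DER the way a CAC lays it out (a FASC-N otherName first, then the UPN otherName, then an rfc822Name) and then walks it back the way the authenticator does, keying on the UPN OID 1.3.6.1.4.1.311.20.2.3. The EDIPI 1234567890, the zeroed FASC-N bytes and the email address are constructed values, and the tiny DER encoder/decoder is written here for the example only. The point for the LDAP match is that the extracted identity is the whole UPN string (EDIPI@mil), so the attribute you compare against must hold the same form, or the authenticator's regular-expression setting must reduce it to the digits, which edipi_from_upn() does.

```python
import re

# OID Keycloak's X.509 authenticator keys on for "Subject's Alternative Name Other Name (UPN)"
UPN_OID = "1.3.6.1.4.1.311.20.2.3"
# OID of the FASC-N otherName that sits in front of the UPN on a CAC; it is skipped, not parsed
FASCN_OID = "2.16.840.1.101.3.6.6"


# --- minimal DER encoder, only what a SAN GeneralNames needs ------------------------------

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def other_name(type_oid: str, value: bytes) -> bytes:
    # GeneralName otherName is [0] IMPLICIT OtherName: the SEQUENCE tag becomes 0xA0 and the
    # content is the type-id OID followed by the value inside an [0] EXPLICIT wrapper (also 0xA0)
    return der(0xA0, der_oid(type_oid) + der(0xA0, value))


def build_san() -> bytes:
    """Constructed SAN extension value laid out like a CAC's: FASC-N otherName, UPN otherName,
    rfc822Name. The EDIPI 1234567890, the zeroed FASC-N and the address are made-up values."""
    fascn = other_name(FASCN_OID, der(0x04, bytes(25)))        # OCTET STRING placeholder
    upn = other_name(UPN_OID, der(0x0C, b"1234567890@mil"))    # UTF8String EDIPI@mil
    email = der(0x81, b"john.doe@example.mil")                 # [1] IMPLICIT IA5String
    return der(0x30, fascn + upn + email)                      # GeneralNames SEQUENCE


# --- the extraction Keycloak's authenticator performs on the same structure ----------------

def _read_tlv(buf: bytes, pos: int):
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content: bytes) -> str:
    arcs = [str(content[0] // 40), str(content[0] % 40)]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)


def upn_from_san(san_der: bytes):
    """Walk GeneralNames, look only at otherName entries, return the UTF8String under the UPN
    OID (None if the cert has no UPN, which leaves the identity empty in Keycloak)."""
    tag, names, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        return None
    pos = 0
    while pos < len(names):
        tag, content, pos = _read_tlv(names, pos)
        if tag != 0xA0:
            continue                                   # rfc822Name, dNSName, ... are not otherNames
        _, oid_bytes, after_oid = _read_tlv(content, 0)
        if _decode_oid(oid_bytes) != UPN_OID:
            continue                                   # e.g. the FASC-N otherName
        _, wrapped, _ = _read_tlv(content, after_oid)  # [0] EXPLICIT wrapper around the value
        vtag, value, _ = _read_tlv(wrapped, 0)
        if vtag == 0x0C:
            return value.decode("utf-8")
    return None


# Stand-in for the authenticator's "regular expression to extract user identity" setting,
# reducing EDIPI@mil to the bare EDIPI when the LDAP attribute holds only the digits
EDIPI_RE = re.compile(r"^(\d{10})@mil$")


def edipi_from_upn(upn):
    m = EDIPI_RE.match(upn or "")
    return m.group(1) if m else None


if __name__ == "__main__":
    san = build_san()
    print(san.hex())
    print(upn_from_san(san))                    # 1234567890@mil
    print(edipi_from_upn(upn_from_san(san)))    # 1234567890
```

If the LDAP attribute you map (userPrincipalName, or employeeNumber/employeeID as mentioned earlier in the thread) holds the full EDIPI@mil form, leave the authenticator's regular expression at its default and match the whole UPN; if it holds the bare digits, a capturing group like the one in EDIPI_RE is what makes the two sides equal.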