WARNING

This page is still under development. Do not rely on it for your testing.

Overview

In koha-testing-docker we include Keycloak, an open source identity and access management solution, to test single-sign on (SSO).

When using koha-testing-docker, include the docker-compose.sso.yml file when you want to use Keycloak.

Keycloak

Login

Go to http://sso:8082/auth/admin
Login using the credentials from docker-compose.sso.yml

Create Realm

In the top left corner, click "master", then click "Create Realm"
Type "test" into "Realm name" then click "Create"
On the left side, click "Realm settings"
Click the links for "OpenID Endpoint Configuration" and "SAML 2.0 Identity Provider Metadata"

Create User

On the left side, click "Users"
Click "Create new user"
At "Username" type "kohadev"
At "Email", type "kohadev@koha-community.org"
At "First name", type "Koha"
At "Last name", type "Dev"
Click "Create"
Click "Credentials"
Click "Set password"
Choose a password for your user and fill in "Password" and "Password confirmation"
Change the "Temporary" slider from "On" to "Off"
Click "Save"
Click "Save password"

Create client: OpenID Connect

On the left side, click "Clients"
Click "Create client"
At "Client ID", type "kohaoidc"
Click "Next"
Change the "Client authentication" slider from "Off" to "On"
Click "Next"
Scroll down to "Valid redirect URIs"
Add relevant URIs
1. e.g. http://localhost:8080/*
2. e.g. http://localhost:8081/*
Click "Save"

Create client: SAML

N/A (this is handled later in the process)

Extra Notes

To log in to a user account in the "test" realm, use an Incognito browser to visit http://sso:8082/auth/realms/test/account/#/

Koha

OpenID Connect

Go to http://localhost:8081/
Log into the Koha staff interface
Go to http://localhost:8081/cgi-bin/koha/admin/identity_providers.pl
Click "New identity provider"
At "Code", type "test"
At "Description", type "Test"
At "Protocol", choose "OIDC"
Click "Add default OIDC configuration"
Replace "<enter client id>" with "kohaoidc"
Go to Keycloak
1. On the left side, click "Clients"
2. Choose "kohaoidc"
3. Click "Credentials"
4. Click the "eyeball icon" next to "Client secret"
5. Copy the unmasked data and go back to Koha
Replace "<enter client secret>" with copied data from previous step
Go to Keycloak
1. On the left side, click "Realm settings"
2. Click "OpenID Endpoint Configuration"
3. Copy this URL (e.g. http://sso:8082/auth/realms/test/.well-known/openid-configuration)
4. Go back to Koha
Replace "<enter openid configuration endpoint>" with copied data from previous step
Click "Add default OIDC mapping"
At "Domain", type "*"
Change "Allow OPAC" to "Yes"
Change "Allow staff" to "Yes"
Change "Auto register" to "Yes"
Change "Update on login" to "Yes"
Click "Submit"
Restart your Koha
1. e.g. koha-plack --restart kohadev
Update http://localhost:8081/cgi-bin/koha/admin/preferences.pl?op=search&searchfield=OPACBaseURL to "http://localhost:8080"
Update http://localhost:8081/cgi-bin/koha/admin/preferences.pl?op=search&searchfield=staffClientBaseURL to "http://localhost:8081"

SAML

See Shibboleth Configuration and Shibboleth2.xml although the former appears to be out of date
1. apt-get update
2. apt-get install shibboleth-sp-common libapache2-mod-shib
3. cd /etc/shibboleth
4. shib-keygen -f
5. cp shibboleth2.xml shibboleth2.xml.bak
6. Go to "test" realm in Keycloak (e.g. http://sso:8082/auth/admin/master/console/#/test)
  1. On the left side, click "Realm settings"
  2. Click "SAML 2.0 Identity Provider Metadata"
  3. Copy this URL
7. wget http://sso:8082/auth/realms/test/protocol/saml/descriptor
8. mv descriptor keycloak.xml
9. vim shibboleth2.xml
  1. Change "handlerSSL" from "true" to "false"
  2. Change "https://sp.example.org/shibboleth" to "http://localhost:8080/shibboleth"
  3. Change "https://idp.example.org/idp/shibboleth" to "http://sso:8082/auth/realms/test"
    1. Remove "discoveryProtocol" and "discoveryURL"
  4. Add <MetadataProvider type="XML" validate="false" path="keycloak.xml"/>
    1. NOTE: This will be around the commented out MetadataProvider examples
10. vim attribute-map.xml
  1. Add the following:
  2. <Attribute name="urn:oid:1.2.840.113549.1.9.1" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="email"/> <Attribute name="urn:oid:2.5.4.4" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="surname"/> <Attribute name="urn:oid:2.5.4.42" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="givenName"/>
11. service shibd restart
12. vim /etc/apache2/sites-enabled/kohadev.conf
  1. Under the OPAC VirtualHost, add the following:
    1. <Location "/"> AuthType shibboleth Require shibboleth ShibUseEnvironment Off ShibUseHeaders On </Location>
13. service apache2 restart
14. Go to http://localhost:8080/Shibboleth.sso/Metadata
15. Go to "test" realm in Keycloak (e.g. http://sso:8082/auth/admin/master/console/#/test)
  1. On the left side, click "Clients"
  2. Click "Import client"
  3. Click "Browse" and choose the downloaded Metadata file from above
  4. Click "Save"
  5. Click "Client scopes"
  6. Click "http://localhost:8080/shibboleth-dedicated"
  7. Click "Add predefined mapper"
  8. Tick "X500 email", "X500 givenName", and "X500 surname"
  9. Click "Add"
16. vim /etc/koha/sites/kohadev/koha-conf.xml
17. Change "useshibboleth" from 0 to 1
18. Add the following on the next line below "useshibboleth"
  1. <shibboleth> <matchpoint>userid</matchpoint> <mapping> <userid is="email"></userid> <surname is="surname"></surname> <firstname is="givenName"></firstname> </mapping> </shibboleth>
19. echo 'flush_all' | nc -q 1 memcached 11211
20. koha-plack --restart kohadev
NOTE: Koha is hard-coded to use HTTPS for SAML, so you might need to adjust the URL manually to http://localhost:8080/Shibboleth.sso/Login?target=http://localhost:8080/cgi-bin/koha/opac-main.pl
1. NOTE: In production, always use HTTPS. We're not using HTTPS here only because we're doing minimal functional local testing.

Testing SSO

Contents