diff --git a/docs/enhanced-configuration/idp-federation.md b/docs/enhanced-configuration/idp-federation.md index e06d0a53..a0a44f18 100644 --- a/docs/enhanced-configuration/idp-federation.md +++ b/docs/enhanced-configuration/idp-federation.md @@ -82,8 +82,8 @@ The following values are used in this example documentation. Please ensure when - `id.opendesk.tld`: hostname for the openDesk IdP, so openDesk is deployed at `opendesk.tld`. - `fed-test-idp-realm`: realm name for your organization's IdP. - `opendesk-federation-client`: OIDC client for the openDesk federation defined in your organization's IdP. -- `auto-federate-idp`: Identifier of your organization IdP's configuration within the openDesk Keycloak. -- `auto-federate-flow`: Identifier of the required additional login flow to be created and referenced in the openDesk Keycloak. +- `sso-federation-idp`: Identifier of your organization IdP's configuration within the openDesk Keycloak. +- `sso-federation-flow`: Identifier of the required additional login flow to be created and referenced in the openDesk Keycloak. ## Keycloak admin console access @@ -125,7 +125,7 @@ If you just created the `fed-test-idp-realm`, you are already in the admin scree - `Standard flow` - `Direct access grants` - Client create wizard page 3: - - *Valid Redirect URLs*: `https://id.opendesk.tld/realms/opendesk/broker/auto-federate-idp/endpoint` + - *Valid Redirect URLs*: `https://id.opendesk.tld/realms/opendesk/broker/sso-federation-idp/endpoint` - When completed with *Save*, you get to the detailed client configuration that also needs some updates: - Tab *Settings* > Section *Logout settings* - *Front channel logout*: `Off` 
@@ -135,17 +135,21 @@ If you just created the `fed-test-idp-realm`, you are already in the admin scree ## openDesk IdP +> **Note** +> While manual configuration is possible, an SSO federation can also be configured as part of the deployment. +> Check `functional.authentication.ssoFederation` section from the `functional.yaml.gotmpl` for details. + The following configuration is taking place in the Keycloak realm `opendesk`. - *Authentication* > *Create flow* - - *Name*: `auto-federate-flow` + - *Name*: `sso-federation-flow` - *Flow type*: `Basic flow` - *Create* - *Add execution*: Add `Detect existing broker user` and set it to `Required` - *Add step*: `Automatically set existing user` and set it to `Required` - *Identity providers* > *User-defined* > *OpenID Connect 1.0* - - *Alias*: `auto-federate-idp` (used in our example) + - *Alias*: `sso-federation-idp` (used in our example) - *Display Name*: A descriptive Name, in case you do not forcefully redirect the user to the IdP, that name is shown on the login screen for manual selection. - *Use discovery endpoint*: `On` (default) - *Discovery endpoint*: `https://idp.organization.tld/realms/fed-test-idp-realm/.well-known/openid-configuration` - this URL may look different if you do not use Keycloak or a different Keycloak version as IdP in your organization 
@@ -155,11 +159,11 @@ The following configuration is taking place in the Keycloak realm `opendesk`. - *Client ID*: Use the client ID you took from your organization's IdP config (`opendesk-federation-client` in this example) - *Client Secret*: Use the secret you took from your organization's IdP config - When completed with *Add*, you get to the detailed IdP configuration which at least needs the following update: - - *First login flow override*: `auto-federate-flow` + - *First login flow override*: `sso-federation-flow` - Depending on your organizations IdP and process preferences, additional configuration may be required - In case you want to forcefully redirect all users to your organization's IdP (disabling login with local openDesk accounts): - *Authentication* > `2fa-browser` - Click on the cogwheel next to the *Identity Provider Re-director* - - *Alias*: `auto-federate-idp` - - *Default Identity Provider*: `auto-federate-idp` + - *Alias*: `sso-federation-idp` + - *Default Identity Provider*: `sso-federation-idp` diff --git a/docs/getting-started.md b/docs/getting-started.md index c1442efa..f20242da 100644 --- a/docs/getting-started.md +++ b/docs/getting-started.md @@ -272,7 +272,8 @@ While openDesk configures the applications with meaningful defaults, you can che ### Ports -**Note:** If you use `NodePort` for service exposure, you must check your deployment for the actual ports and ensure they are opened where necessary. +> **Note**
+> If you use `NodePort` for service exposure, you must check your deployment for the actual ports and ensure they are opened where necessary. #### Web-based user interface diff --git a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl index ea3eccf4..c25f9f27 100644 --- a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl +++ b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl @@ -1,5 +1,5 @@ {{/* -SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH +SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH SPDX-License-Identifier: Apache-2.0 */}} --- 
@@ -110,8 +110,13 @@ config: clientSessionMaxLifespan: {{ .Values.functional.authentication.realmSettings.clientSessionMaxLifespan }} clientOfflineSessionIdleTimeout: {{ .Values.functional.authentication.realmSettings.clientOfflineSessionIdleTimeout }} clientOfflineSessionMaxLifespan: {{ .Values.functional.authentication.realmSettings.clientOfflineSessionMaxLifespan }} + ssoFederation: + enabled: {{ .Values.functional.authentication.ssoFederation.enabled }} + enforceFederatedLogin: {{ .Values.functional.authentication.ssoFederation.enforceFederatedLogin }} + name: {{ .Values.functional.authentication.ssoFederation.name | quote }} + idpDetails: {{ .Values.functional.authentication.ssoFederation.idpDetails | toYaml | nindent 6 }} twoFactorSettings: - additionalGroups: {{ .Values.functional.authentication.twoFactor.groups }} + additionalGroups: {{ .Values.functional.authentication.twoFactor.groups | toYaml | nindent 6 }} precreateGroups: [ 'Domain Admins', 'Domain Users', '2fa-users', 'IAM API - Full Access', {{ if .Values.apps.nextcloud.enabled }}'managed-by-attribute-Fileshare', 'managed-by-attribute-FileshareAdmin',{{ end }} {{ if .Values.apps.xwiki.enabled }}'managed-by-attribute-Knowledgemanagement', 'managed-by-attribute-KnowledgemanagementAdmin',{{ end }} @@ -120,7 +125,7 @@ config: {{ if .Values.apps.jitsi.enabled }}'managed-by-attribute-Videoconference',{{ end }} {{ if .Values.apps.oxAppSuite.enabled }}'managed-by-attribute-Groupware',{{ end }} {{ if .Values.apps.notes.enabled }}'managed-by-attribute-Notes',{{ end }} - ] + ] opendesk: # We use client specific scopes as we bind them to Keycloak role membership which itself is linked diff --git a/helmfile/environments/default/charts.yaml.gotmpl b/helmfile/environments/default/charts.yaml.gotmpl index d3623221..10143145 100644 --- a/helmfile/environments/default/charts.yaml.gotmpl +++ b/helmfile/environments/default/charts.yaml.gotmpl 
@@ -333,7 +333,7 @@ charts: registry: "registry.opencode.de" repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap" name: "opendesk-keycloak-bootstrap" - version: "2.5.0" + version: "2.6.0" verify: true opendeskStaticFiles: # providerCategory: "Platform" diff --git a/helmfile/environments/default/functional.yaml.gotmpl b/helmfile/environments/default/functional.yaml.gotmpl index a851ce59..d1fd7890 100644 --- a/helmfile/environments/default/functional.yaml.gotmpl +++ b/helmfile/environments/default/functional.yaml.gotmpl @@ -40,6 +40,27 @@ functional: clientSessionMaxLifespan: 0 clientOfflineSessionIdleTimeout: 0 clientOfflineSessionMaxLifespan: 0 + # SSO federation allows an external OIDC IdP to authenticate users within openDesk + ssoFederation: + # Enabling SSO federation requires an upstream IdP specific configuration in `idpDetails` below. + enabled: false + # When enforcing the federated login all users are immediately redirected to the federated IdP when a login + # is requested or required. + enforceFederatedLogin: false + # Name of the SSO federation, if you do not enforce the login the name is shown as a login option the user can select + # within the openDesk login dialog. + name: "My upstream IdP" + # Configuration details for your upstream IdP, when you configured them manually in the Keycloak UI e.g. for + # testing the setup, you can get them from a Keycloak realm export in the `identityProviders` list. + # Notes: + # - You have to convert the configuration into YAML to apply it below. + # - You have to omit the following attributes as they are either defined explicitly above or implicitly by + # the openDesk configuration + # - `displayName` + # - `alias` + # - `firstBrokerLoginFlowAlias` + # - `internalId` + idpDetails: {} externalServices: nubus: diff --git a/helmfile/files/theme/portal/stylesheet.css b/helmfile/files/theme/portal/stylesheet.css index a6db06bd..c59b659a 100644 
--- a/helmfile/files/theme/portal/stylesheet.css +++ b/helmfile/files/theme/portal/stylesheet.css @@ -136,13 +136,15 @@ #kc-login, #kc-logout, #saveTOTPBtn, -.pf-c-button.btn-lg, -.kc-social-provider-name -{ - color: var(--color-opendesk-white); +.pf-c-button.btn-lg { + color: var(--color-opendesk-white) !important; border: 2px solid; } +.kc-social-provider-name { + color: var(--color-opendesk-white) !important; +} + #kc-login:hover, #kc-logout:hover, #saveTOTPBtn:hover,
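Review bot: the rename of `auto-federate-idp`/`auto-federate-flow` to `sso-federation-idp`/`sso-federation-flow` in docs/enhanced-configuration/idp-federation.md also changes the redirect URI the reader registers at the organization's IdP (`https://id.opendesk.tld/realms/opendesk/broker/sso-federation-idp/endpoint` in the `@@ -125,7 +125,7 @@` hunk). Readers who followed the previous version of this page have the old alias in both their Keycloak IdP entry and the client's *Valid Redirect URLs*; a one-sentence migration remark (keep the old alias, or update both places together) would spare them a redirect URI mismatch at the first login after re-reading the docs.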
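Review bot: the new note under `## openDesk IdP` refers to `functional.yaml.gotmpl` without a path, while this same patch adds the section to `helmfile/environments/default/functional.yaml.gotmpl`; spell out the path so readers edit the right file. The note should also say how the deployment-time `ssoFederation` block relates to the manual steps that follow (alternative paths, and whether a bootstrap-created IdP overrides a manually created one of the same alias), otherwise an operator may configure both. Minor, in the context lines of the `@@ -155,11 +159,11 @@` hunk: `your organizations IdP` is missing the apostrophe (`your organization's IdP`), as used elsewhere on the page.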
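Review bot: in the `@@ -110,8 +110,13 @@` hunk of values-opendesk-keycloak-bootstrap.yaml.gotmpl, `idpDetails` is rendered verbatim with `toYaml | nindent 6`, and the comments added to functional.yaml.gotmpl tell the operator to copy that block from a realm export's `identityProviders` entry, which carries the OIDC client secret under `config`. Please confirm that opendesk-keycloak-bootstrap 2.6.0 places this block in a Kubernetes Secret rather than a ConfigMap and that the rendered values are not echoed into logs; if the chart does not, accept the client secret through a separate Secret-backed value instead of inline YAML. The indentation is right (`ssoFederation:` and `twoFactorSettings:` sit two levels under `config:`, so `nindent 6` lands the nested keys correctly), and switching `additionalGroups` to `toYaml | nindent 6` fixes the previous Go-slice rendering (`[a b]`) of that list; since that is a behaviour change for existing deployments, it deserves a changelog line.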
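Review bot: the version bump of `opendesk-keycloak-bootstrap` from `2.5.0` to `2.6.0` in charts.yaml.gotmpl is what makes the new `ssoFederation` values meaningful; record in the commit message or changelog that 2.6.0 is the minimum chart version for that block, so a partial backport of the values template does not silently ignore the federation settings. Keeping `verify: true` across the bump is good.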
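Review bot: the `idpDetails` comments in functional.yaml.gotmpl (`@@ -40,6 +40,27 @@` hunk) explain which attributes to omit but say nothing about the client secret: a partial realm export taken from the admin console masks secrets as `**********`, so the copied block needs the real `clientSecret` filled in, and this file then holds an IdP credential in plaintext. State where the secret should come from (a Secret-backed value or the deployment's existing secrets mechanism) and that the file must not be committed with the secret inline. Also, `enforceFederatedLogin: true` is only meaningful together with `enabled: true`; either say so in the comment or guard the combination in the template, because an enforced redirect to an IdP that is not configured would leave every user without a working login dialog.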
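Review bot: in stylesheet.css the split of `.kc-social-provider-name` into its own rule correctly drops the `border: 2px solid` from the provider-name element, but the added `!important` on both colour declarations makes later theme overrides harder and gives no hint why it is needed. Add a short comment naming the upstream theme rule it has to beat, so the next edit does not remove it and reintroduce the unreadable button text.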