feat(helmfile): Support for SSO federation; see ssoFederation section in functional.yaml.gotmpl for details

docs/enhanced-configuration/idp-federation.md

@@ -82,8 +82,8 @@ The following values are used in this example documentation. Please ensure when
 - `id.opendesk.tld`: hostname for the openDesk IdP, so openDesk is deployed at `opendesk.tld`.
 - `fed-test-idp-realm`: realm name for your organization's IdP.
 - `opendesk-federation-client`: OIDC client for the openDesk federation defined in your organization's IdP.
-- `auto-federate-idp`: Identifier of your organization IdP's configuration within the openDesk Keycloak.
+- `sso-federation-idp`: Identifier of your organization IdP's configuration within the openDesk Keycloak.
-- `auto-federate-flow`: Identifier of the required additional login flow to be created and referenced in the openDesk Keycloak.
+- `sso-federation-flow`: Identifier of the required additional login flow to be created and referenced in the openDesk Keycloak.
 
 ## Keycloak admin console access
 
@@ -125,7 +125,7 @@ If you just created the `fed-test-idp-realm`, you are already in the admin scree
       - `Standard flow`
       - `Direct access grants`
   - Client create wizard page 3:
-    - *Valid Redirect URLs*: `https://id.opendesk.tld/realms/opendesk/broker/auto-federate-idp/endpoint`
+    - *Valid Redirect URLs*: `https://id.opendesk.tld/realms/opendesk/broker/sso-federation-idp/endpoint`
   - When completed with *Save*, you get to the detailed client configuration that also needs some updates:
     - Tab *Settings* > Section *Logout settings*
       - *Front channel logout*: `Off`
@@ -135,17 +135,21 @@ If you just created the `fed-test-idp-realm`, you are already in the admin scree
 
 ## openDesk IdP
 
+> **Note**
+> While manual configuration is possible, an SSO federation can also be configured as part of the deployment.
+> Check `functional.authentication.ssoFederation` section from the `functional.yaml.gotmpl` for details.
+
 The following configuration is taking place in the Keycloak realm `opendesk`.
 
 - *Authentication* > *Create flow*
-  - *Name*: `auto-federate-flow`
+  - *Name*: `sso-federation-flow`
   - *Flow type*: `Basic flow`
   - *Create*
   - *Add execution*: Add `Detect existing broker user` and set it to `Required`
   - *Add step*: `Automatically set existing user` and set it to `Required`
 
 - *Identity providers* > *User-defined* > *OpenID Connect 1.0*
-  - *Alias*: `auto-federate-idp` (used in our example)
+  - *Alias*: `sso-federation-idp` (used in our example)
   - *Display Name*: A descriptive Name, in case you do not forcefully redirect the user to the IdP, that name is shown on the login screen for manual selection.
   - *Use discovery endpoint*: `On` (default)
   - *Discovery endpoint*: `https://idp.organization.tld/realms/fed-test-idp-realm/.well-known/openid-configuration` - this URL may look different if you do not use Keycloak or a different Keycloak version as IdP in your organization
@@ -155,11 +159,11 @@ The following configuration is taking place in the Keycloak realm `opendesk`.
   - *Client ID*: Use the client ID you took from your organization's IdP config (`opendesk-federation-client` in this example)
   - *Client Secret*: Use the secret you took from your organization's IdP config
   - When completed with *Add*, you get to the detailed IdP configuration which at least needs the following update:
-    - *First login flow override*: `auto-federate-flow`
+    - *First login flow override*: `sso-federation-flow`
     - Depending on your organizations IdP and process preferences, additional configuration may be required
 
 - In case you want to forcefully redirect all users to your organization's IdP (disabling login with local openDesk accounts):
   - *Authentication* > `2fa-browser`
     - Click on the cogwheel next to the *Identity Provider Re-director*
-      - *Alias*: `auto-federate-idp`
+      - *Alias*: `sso-federation-idp`
-      - *Default Identity Provider*: `auto-federate-idp`
+      - *Default Identity Provider*: `sso-federation-idp`

docs/getting-started.md

@@ -272,7 +272,8 @@ While openDesk configures the applications with meaningful defaults, you can che
 
 ### Ports
 
-**Note:** If you use `NodePort` for service exposure, you must check your deployment for the actual ports and ensure they are opened where necessary.
+> **Note**<br>
+> If you use `NodePort` for service exposure, you must check your deployment for the actual ports and ensure they are opened where necessary.
 
 #### Web-based user interface
 

helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl

@@ -1,5 +1,5 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
@@ -110,8 +110,13 @@ config:
     clientSessionMaxLifespan: {{ .Values.functional.authentication.realmSettings.clientSessionMaxLifespan }}
     clientOfflineSessionIdleTimeout: {{ .Values.functional.authentication.realmSettings.clientOfflineSessionIdleTimeout }}
     clientOfflineSessionMaxLifespan: {{ .Values.functional.authentication.realmSettings.clientOfflineSessionMaxLifespan }}
+  ssoFederation:
+    enabled: {{ .Values.functional.authentication.ssoFederation.enabled }}
+    enforceFederatedLogin: {{ .Values.functional.authentication.ssoFederation.enforceFederatedLogin }}
+    name: {{ .Values.functional.authentication.ssoFederation.name | quote }}
+    idpDetails: {{ .Values.functional.authentication.ssoFederation.idpDetails | toYaml | nindent 6 }}
   twoFactorSettings:
-    additionalGroups: {{ .Values.functional.authentication.twoFactor.groups }}
+    additionalGroups: {{ .Values.functional.authentication.twoFactor.groups | toYaml | nindent 6 }}
   precreateGroups: [ 'Domain Admins', 'Domain Users', '2fa-users', 'IAM API - Full Access',
                      {{ if .Values.apps.nextcloud.enabled }}'managed-by-attribute-Fileshare', 'managed-by-attribute-FileshareAdmin',{{ end }}
                      {{ if .Values.apps.xwiki.enabled }}'managed-by-attribute-Knowledgemanagement', 'managed-by-attribute-KnowledgemanagementAdmin',{{ end }}

helmfile/environments/default/charts.yaml.gotmpl

@@ -333,7 +333,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
     name: "opendesk-keycloak-bootstrap"
-    version: "2.5.0"
+    version: "2.6.0"
     verify: true
   opendeskStaticFiles:
     # providerCategory: "Platform"

helmfile/environments/default/functional.yaml.gotmpl

@@ -40,6 +40,27 @@ functional:
       clientSessionMaxLifespan: 0
       clientOfflineSessionIdleTimeout: 0
       clientOfflineSessionMaxLifespan: 0
+    # SSO federation allows an external OIDC IdP to authenticate users within openDesk
+    ssoFederation:
+      # Enabling SSO federation requires an upstream IdP specific configuration in `idpDetails` below.
+      enabled: false
+      # When enforcing the federated login all users are immediately redirected to the federated IdP when a login
+      # is requested or required.
+      enforceFederatedLogin: false
+      # Name of the SSO federation, if you do not enforce the login the name is shown as a login option the user can select
+      # within the openDesk login dialog.
+      name: "My upstream IdP"
+      # Configuration details for your upstream IdP, when you configured them manually in the Keycloak UI e.g. for
+      # testing the setup, you can get them from a Keycloak realm export in the `identityProviders` list.
+      # Notes:
+      # - You have to convert the configuration into YAML to apply it below.
+      # - You have to omit the following attributes as they are either defined explicitly above or implicitly by
+      #   the openDesk configuration
+      #  - `displayName`
+      #  - `alias`
+      #  - `firstBrokerLoginFlowAlias`
+      #  - `internalId`
+      idpDetails: {}
 
   externalServices:
     nubus:

helmfile/files/theme/portal/stylesheet.css

@@ -136,13 +136,15 @@
 #kc-login,
 #kc-logout,
 #saveTOTPBtn,
-.pf-c-button.btn-lg,
+.pf-c-button.btn-lg {
-.kc-social-provider-name
+  color: var(--color-opendesk-white) !important;
-{
-  color: var(--color-opendesk-white);
   border: 2px solid;
 }
 
+.kc-social-provider-name {
+  color: var(--color-opendesk-white) !important;
+}
+
 #kc-login:hover,
 #kc-logout:hover,
 #saveTOTPBtn:hover,