<div dir="ltr">To elaborate, I could eventually see us having a big demo setup in the form of:<div><br></div><div>* Keycloak or RH-SSO box</div><div>* Database box</div><div>* FreeIPA box</div><div>* Active Directory box</div><div>* Some SAML provider</div><div>* Some OIDC provider</div><div>* Fedora workstation</div><div>* Windows workstation</div><div><br></div><div>Everything ready to go to show Keycloak as a fully capable identity federation platform.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 14 September 2016 at 09:32, Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I want a full desktop and to show user login via desktop login, not a Kerberos client. So full GNOME is required. Also, I think the DNS setup as well as orchestration may be simpler with Vagrant than Docker.<div><br></div><div>We also may want to extend this to include good old Microsoft software in the form of Windows and Active Directory. In that case Docker is a show stopper and Vagrant/VMs are the only option.</div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On 13 September 2016 at 21:46, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On 13/09/16 21:10, Bruno Oliveira da Silva wrote:<br>
> My 2 cents on it. Unless we have any strong argument for doing this,<br>
> let's move forward with Docker. We already have a repository for this<br>
> and I'm not sure if we have bandwidth to maintain 2 distinct repositories.<br>
><br>
> Btw I'm curious, which real world scenario you could not reproduce with<br>
> Docker?<br>
</span>I guess SPNEGO login with Firefox is an example of that scenario?<br>
<br>
If you want a workstation with Kerberos + SPNEGO, you will need to<br>
configure the Kerberos client and your Firefox, and then run FF inside a Docker<br>
container and display it "locally" on your laptop. Or is something<br>
like "propagation" of X from Docker to your laptop possible? If yes,<br>
then everything is doable with Docker.<br>
<span><font color="#888888"><br>
Marek<br>
</font></span><div><div><br>
><br>
> On 2016-09-13, Thomas Raehalme wrote:<br>
>> How about setting up multiple VMs with Vagrant but handling all software<br>
>> components with Docker?<br>
>><br>
>> Best of both worlds and also a simulation of the real world (which could<br>
>> perhaps be used as a reference).<br>
>><br>
>> Best regards,<br>
>> Thomas<br>
>><br>
>> On Sep 13, 2016 5:46 PM, "Scott Rossillo" <<a href="mailto:srossillo@smartling.com" target="_blank">srossillo@smartling.com</a>> wrote:<br>
>><br>
>>> Vagrant leaves a funny taste in my mouth. Docker Compose to orchestrate<br>
>>> things seems like a better option.<br>
>>><br>
>>> Scott Rossillo<br>
>>> Smartling | Senior Software Engineer<br>
>>> <a href="mailto:srossillo@smartling.com" target="_blank">srossillo@smartling.com</a><br>
>>><br>
>>> On Sep 13, 2016, at 10:39 AM, Bruno Oliveira da Silva <<a href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a>><br>
>>> wrote:<br>
>>><br>
>>> My question is: Docker or Vagrant?<br>
>>><br>
>>> If we have plans to showcase the SSSD federation provider + things like<br>
>>> starting/stopping the sssd service to demonstrate that the SSSD provider won't be<br>
>>> enabled, I would say that Vagrant is easier and we can benefit from<br>
>>> these boxes[1]; otherwise we just stick with Marek's work.<br>
>>><br>
>>> I will give DBus on Docker a second try, but last time I checked it wasn't<br>
>>> fun.<br>
>>><br>
>>> [1] - <a href="https://github.com/freeipa/freeipa-workshop" rel="noreferrer" target="_blank">https://github.com/freeipa/freeipa-workshop</a><br>
>>><br>
>>> On 2016-09-13, Stian Thorgersen wrote:<br>
>>><br>
>>> Forgot to add two things:<br>
>>><br>
>>> * DNS setup - we want proper DNS setup on the machines, which would be<br>
>>> required for the Kerberos stuff to work properly<br>
>>> * HTTPS - optional, but would be great if it also had HTTPS configured<br>
>>><br>
>>> On 13 September 2016 at 09:24, Marek Posolda <<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>> wrote:<br>
>>><br>
>>> +1<br>
>>><br>
>>> A few more things and tips (you may already be aware of them, but still...<br>
>>> hope some of them are useful :) :<br>
>>><br>
>>> - My Docker image [1] already contains a FreeIPA server and a Keycloak server<br>
>>> pre-configured with the LDAP+Kerberos federation provider to use it. The thing is<br>
>>> that both Keycloak and FreeIPA are on the same machine, which is likely not the<br>
>>> best for showing a production setup. The workstation setup needs to be done on<br>
>>> your local machine (so you need Kerberos client + Firefox setup on your<br>
>>> laptop. That's sufficient for testing, but probably also not ideal for a<br>
>>> showcase).<br>
>>><br>
>>> - In addition to FreeIPA Docker images for the server, FreeIPA also has a Docker<br>
>>> image for client setup. See for example [2]. I am not 100% sure, but I<br>
>>> believe that if you run this Docker image and point it to the already running<br>
>>> "server" image, you will also gain all the things like PAM setup, login to<br>
>>> the workstation with Kerberos credentials, and an automatically retrieved<br>
>>> Kerberos ticket during login. Hence you just log in to the workstation, open<br>
>>> Firefox and you are authenticated to Keycloak. No need to manually run<br>
>>> "kinit".<br>
>>><br>
>>><br>
>>> The workstation will need to be a virtual machine rather than a container to<br>
>>> add X support. So IMO we should just use Vagrant, and use a<br>
>>> Vagrantfile to install Fedora + FreeIPA.<br>
>>><br>
>>><br>
>>><br>
>>> - If the Keycloak and FreeIPA servers are on different machines, then:<br>
>>> -- The Keycloak server may also need the FreeIPA client installed, or at least<br>
>>> a Kerberos client installed with a proper setup in /etc/krb5.conf pointing to the<br>
>>> FreeIPA Kerberos realm, and a proper DNS setup working with FreeIPA.<br>
>>><br>
>>><br>
>>><br>
>>> -- Also for different servers, you will likely need to add an HTTP Kerberos<br>
>>> principal for the server where Keycloak is running. For example, if FreeIPA<br>
>>> is on "freeipa.example.org" and Keycloak is on "keycloak.example.org",<br>
>>> you will need a principal like HTTP/keycloak.example.org@KEYCLOAK.ORG .<br>
>>> This corresponds to the LDAP principal under "cn=services,cn=accounts,dc=<br>
>>> freeipa,dc=example,dc=org"<br>
>>> . Maybe FreeIPA has it documented somewhere and/or it's easily possible to<br>
>>> add a new HTTP server principal through the FreeIPA admin console. You will also<br>
>>> need a keytab exported with the credentials of this principal.<br>
>>> Note this step is not needed if Keycloak and FreeIPA are on the same machine,<br>
>>> as the FreeIPA server automatically has an HTTP principal for its own machine<br>
>>> (something like HTTP/freeipa.example.org@KEYCLOAK.ORG for the example<br>
>>> above), to allow login to the FreeIPA admin console with Kerberos OOTB.<br>
>>><br>
>>><br>
>>> We should really figure out how to do this on separate machines, so I think<br>
>>> going that way would be best even though it's harder to do.<br>
>>><br>
>>><br>
>>><br>
>>><br>
>>> [1] <a href="https://github.com/mposolda/keycloak-freeipa-docker/" rel="noreferrer" target="_blank">https://github.com/mposolda/keycloak-freeipa-docker/</a><br>
>>> [2] <a href="https://github.com/adelton/docker-freeipa/tree/fedora-22-client" rel="noreferrer" target="_blank">https://github.com/adelton/docker-freeipa/tree/fedora-22-client</a><br>
>>><br>
>>> Marek<br>
>>><br>
>>><br>
>>> On 13/09/16 08:07, Stian Thorgersen wrote:<br>
>>><br>
>>> I'd like to have a simple way to demo LDAP and Kerberos support. To that<br>
>>> end we should add a Vagrant setup with the following:<br>
>>><br>
>>> * Keycloak server<br>
>>> * MySQL or Postgres<br>
>>> * FreeIPA<br>
>>> * Workstation with Kerberos authentication (needs X and Firefox installed)<br>
>>><br>
>>> The Keycloak server should already be configured to use the FreeIPA<br>
>>> server as a user federation provider (using LDAP and Kerberos). The<br>
>>> workstation can be co-located with FreeIPA server if it makes things much<br>
>>> simpler, but it should be possible to login to the workstation with<br>
>>> Kerberos. Firefox should be pre-configured for Kerberos to work both on<br>
>>> Keycloak login and FreeIPA admin console.<br>
>>><br>
>>> I want a proper database and a web-based client for the database so it's<br>
>>> simple to inspect the database.<br>
>>><br>
>>> Bruno has already volunteered to look into this, but first we should make<br>
>>> sure this is the setup we'd like to be able to showcase.<br>
>>><br>
>>><br>
>>><br>
>>><br>
>>><br>
>>> _______________________________________________<br>
>>> keycloak-dev mailing list<br>
>>> <a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
>>> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
>>><br>
>>><br>
>>><br>
>>> --<br>
>>><br>
>>> abstractj<br>
>>> PGP: 0x84DC9914<br>
>>><br>
>>><br>
>>><br>
>>><br>
> --<br>
><br>
> abstractj<br>
> PGP: 0x84DC9914<br>
<br>
<br>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
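<p>The split-host setup discussed above hinges on one artifact: the keytab exported for the Keycloak host's HTTP service principal. A common failure is pointing Keycloak at a keytab that holds the wrong principal (the IPA server's own HTTP principal, or a mixed-case hostname), or one that still carries a single-DES or RC4 key. The following is an added example, not code from the thread, from Keycloak or from FreeIPA: a pure-Python reader for the MIT version-2 keytab format that checks whether the file contains <code>HTTP/&lt;fqdn&gt;@REALM</code> for the Keycloak host, reports the key versions it found, and flags weak enctypes. The realm <code>EXAMPLE.ORG</code>, the hostnames, the key bytes and the sample keytab itself are constructed for the example and are not real exported material.</p>

```python
"""Audit a Kerberos keytab before handing it to Keycloak's Kerberos federation
provider: is the HTTP service principal for the Keycloak host present, and are
its keys in strong enctypes?  Pure-Python MIT keytab (0x0502) reader.  The
sample keytab at the bottom is constructed inline, not exported from FreeIPA."""
import struct

KEYTAB_MAGIC = b"\x05\x02"          # MIT keytab file format, version 2

# IANA-registered Kerberos enctype numbers (RFC 3961 / RFC 3962 / RFC 4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}          # single DES and RC4: reject in a new deployment


def _counted(b: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit big-endian length + bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def build_keytab(entries) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples as a v2 keytab.
    Used here only to construct sample data; ipa-getkeytab does this for real."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        # name_type=1 (KRB5_NT_PRINCIPAL), timestamp, 8-bit kvno
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)      # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Return a list of dicts: principal, kvno, enctype, key (hex)."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not an MIT version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                         # negative size marks a deleted slot
            pos += -size
            continue
        if size == 0:
            break
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                   # 32-bit kvno, if present, wins
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key": key.hex()})
    return entries


def expected_http_principal(host: str, realm: str) -> str:
    """SPNEGO looks up HTTP/<canonical FQDN>@REALM: FQDN lower-case, realm upper-case."""
    return f"HTTP/{host.rstrip('.').lower()}@{realm.upper()}"


def audit_keytab(data: bytes, keycloak_host: str, realm: str) -> dict:
    want = expected_http_principal(keycloak_host, realm)
    entries = parse_keytab(data)
    mine = [e for e in entries if e["principal"] == want]
    return {
        "expected": want,
        "present": bool(mine),
        "kvnos": sorted({e["kvno"] for e in mine}),
        "weak": sorted(ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"]))
                       for e in mine if e["enctype"] in WEAK_ENCTYPES),
        "other_principals": sorted({e["principal"] for e in entries} - {want}),
    }


# Constructed sample (assumed realm EXAMPLE.ORG): a keytab for the Keycloak host
# with one legacy RC4 key still present, plus the host/ principal from IPA enrolment.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/keycloak.example.org@EXAMPLE.ORG", 2, 18, bytes(range(32))),
    ("HTTP/keycloak.example.org@EXAMPLE.ORG", 2, 23, bytes(range(16))),
    ("host/keycloak.example.org@EXAMPLE.ORG", 2, 18, bytes(range(32))),
])

if __name__ == "__main__":
    print(audit_keytab(SAMPLE_KEYTAB, "keycloak.example.org", "EXAMPLE.ORG"))
    # Typical mistake: a keytab issued for the IPA server, not the Keycloak host.
    print(audit_keytab(SAMPLE_KEYTAB, "freeipa.example.org", "EXAMPLE.ORG"))
```

<p>Against a real deployment, the keytab to feed in is the one produced by <code>ipa service-add HTTP/keycloak.example.org</code> followed by <code>ipa-getkeytab -s freeipa.example.org -p HTTP/keycloak.example.org -k /etc/keycloak.keytab</code>, and the output should match <code>klist -kt /etc/keycloak.keytab</code>. Two things the audit catches that the thread only hints at: the principal's hostname must be the lower-case canonical FQDN that the workstation's DNS resolves for the Keycloak URL (which is why the DNS setup Stian asked for is not optional), and the kvno in the keytab must equal the one the KDC currently holds, since re-running <code>ipa-getkeytab</code> bumps the kvno and silently invalidates any older copy of the keytab.</p>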