Keycloak SSSD and FreeIPA

What is SSSD?

The System Security Services Daemon (SSSD) is a plugin that provides access to multiple identity and authentication providers. Authenticating through SSSD allows LDAP, NIS and FreeIPA services to be used in an offline mode.

For more reading, check the Fedora documentation.

How does this help with Keycloak?

SSSD integrates with the FreeIPA identity management (IdM) server, providing authentication and access control. Keycloak benefits from this integration by authenticating against Pluggable Authentication Modules (PAM) and retrieving user data from SSSD.

Most of the communication between Keycloak and SSSD occurs through read-only D-Bus interfaces. Because of this, the only way to create and update users is through the FreeIPA interface. (However, I am currently working on a solution to be able to write users to the IdM server.) So, by default, SSSD is only set up to import user information, not write it.

How to set up SSSD and D-Bus

This part assumes you have an IdM server and a Keycloak server working correctly (I will provide a tutorial for this at a later date).

First you need to install the sssd-dbus RPM:

sudo yum install sssd-dbus

Then you need to run the provisioning script from the Keycloak distribution:

$KEYCLOAK_HOME/bin/federation-sssd-setup.sh

Then you need to enable the SSSD Federation Provider:

sudo yum install jna

sudo yum install https://github.com/keycloak/libunix-dbus-java/releases/download/libunix-dbus-java-0.8.0/libunix-dbus-java-0.8.0-1.fc24.x86_64.rpm

Then you need to restart both Keycloak and SSSD.
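Before restarting, it is worth confirming that the provisioning script actually enabled the InfoPipe (ifp) responder that Keycloak reads over D-Bus. The check below is an added example, not part of the original post or the Keycloak distribution; it assumes the script writes `ifp` into the `services` line of `[sssd]` and adds an `[ifp]` section with `allowed_uids` to `/etc/sssd/sssd.conf`, and the two sample configs it tests against are constructed here.

```shell
#!/bin/sh
# Checks that an sssd.conf enables the ifp responder (the read-only D-Bus
# interface Keycloak uses) and that an [ifp] section restricts callers
# via allowed_uids. Assumed layout follows federation-sssd-setup.sh.

# check_ifp_enabled FILE -> 0 if ifp is listed in [sssd] services and
# an [ifp] section with allowed_uids exists, 1 otherwise.
check_ifp_enabled() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    # Take the services= line from the [sssd] section only.
    services=$(awk '
        /^\[/ { in_sssd = ($0 == "[sssd]") }
        in_sssd && /^[ \t]*services[ \t]*=/ { sub(/^[^=]*=/, ""); print }
    ' "$conf")
    case ",$(printf '%s' "$services" | tr -d '[:space:]')," in
        *,ifp,*) ;;
        *) echo "ifp responder missing from [sssd] services" >&2; return 1 ;;
    esac
    # The [ifp] section must say which UIDs may call the D-Bus interface.
    awk '
        /^\[/ { in_ifp = ($0 == "[ifp]") }
        in_ifp && /^[ \t]*allowed_uids[ \t]*=/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$conf" || { echo "[ifp] section lacks allowed_uids" >&2; return 1; }
    return 0
}

# Constructed sample configs (not from a real host) for a self-check.
good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'EOF'
[sssd]
services = nss, sudo, pam, ssh, ifp
domains = example.test
[ifp]
allowed_uids = root
user_attributes = +mail, +telephoneNumber, +givenname, +sn
EOF
cat > "$bad" <<'EOF'
[sssd]
services = nss, pam
domains = example.test
EOF
check_ifp_enabled "$good" && echo "sample 1: ifp enabled"
check_ifp_enabled "$bad" || echo "sample 2: ifp not enabled"
```

Run it against `/etc/sssd/sssd.conf` as root after the setup script; a non-zero exit explains which piece is missing.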

Configuring the Federated SSSD Store

After installing SSSD and D-Bus you need to configure the store. To configure your store you need to:

  1. Navigate to the Admin Console (either localhost:8080 or whatever your hostname is)
  2. Create a new realm and name it “test_realm”
  3. Select User Federation
  4. Add an SSSD provider

Then you will be able to use FreeIPA to authenticate.

Written on April 4, 2018