UmbrellaID Workshop: Keycloak
UmbrellaID is the federated identity system for users of large neutron and photon facilities.
ExPaNDS and PaNOSC, in collaboration with GEANT, PSI and ESRF, have organised the UmbrellaID online workshop, taking place on 3 May from 9:30 AM to 4:30 PM CEST. The event is a one-day training for IT staff in the PaN community who want to enable community AAI for their users. By the end of the training, participants are expected to have a better understanding of UmbrellaID and the EOSC AAI federation. In addition, a hands-on session will demonstrate how to integrate PaN services with UmbrellaID using Keycloak.
If you want to actively participate in the hands-on session, you need to have your own Keycloak installation. Please see the following checklist. If you don’t have that, you can still participate in the workshop and also take part in the hands-on session as an observer.
Checklist for the hands-on session:
- An installation of Keycloak
- Internet access from the host where Keycloak is installed (ideally direct access, but HTTP proxy and reverse HTTP proxy are also valid)
- DNS resolution for the host with Keycloak installed should be in place and should be identical from everywhere (i.e. the machine should be referenced with the same domain name from the RI/lab intranet and the public internet)
- A valid X.509 server certificate
Agenda:
- 9:30 AM → 9:45 AM Welcome. Speaker: Rolf Krahl (Helmholtz-Zentrum Berlin für Materialien und Energie (HZB))
- 9:45 AM → 10:15 AM Introduction to UmbrellaID. Speakers: Björn Erik Abt (PSI – Paul Scherrer Institut), Jean-François Perrin (ESRF)
  - What is UmbrellaID
  - How to request the integration of a service.
- 10:15 AM → 10:45 AM Overview of the EOSC AAI Federation. Speaker: Christos Kanellopoulos
- 10:45 AM → 11:05 AM Morning Virtual Coffee Break
- 11:05 AM → 11:25 AM Authorisation Model. Speaker: Jean-François Perrin (ESRF). 2 possible models will be presented:
  - Local mapping of identities at the SP level.
  - Community model.
- 11:25 AM → 12:15 PM SSO protocols: SAML and OIDC. Speakers: Björn Erik Abt (PSI – Paul Scherrer Institut), Christos Kanellopoulos
  - Introduction of protocols.
  - Explanation of the workflows.
  - How are the tokens travelling?
  - Tools for debugging.
- 12:15 PM → 1:30 PM Lunch
- 1:30 PM → 1:50 PM cURL demonstration of OIDC and the integration in your application. Speakers: Björn Erik Abt (PSI – Paul Scherrer Institut), Christos Kanellopoulos
- 1:50 PM → 2:05 PM Keycloak introduction. Why set up a local SSO? Why Keycloak? Speaker: Jean-François Perrin (ESRF)
- 2:05 PM → 3:35 PM Hands-on session: Connecting your Keycloak to UmbrellaID. Speaker: Jean-François Perrin (ESRF). To get the full benefit from this session, participants need a running Keycloak instance that has access to the internet and is accessible from the internet (ideally direct access, but HTTP proxy and reverse HTTP proxy are also valid ways to provide this access). DNS resolution should be in place and should be identical from everywhere (i.e. the machine should be referenced with the same domain name from the RI/lab intranet and the public internet). You also need a valid X.509 server certificate. Your Keycloak instance will be linked to the UmbrellaID (acceptance or production) environment to demonstrate the full flow.
- 3:35 PM → 3:50 PM Afternoon Virtual Coffee Break
- 3:50 PM → 4:10 PM Moonshot. Speaker: Björn Erik Abt (PSI – Paul Scherrer Institut)
  - Introduction to non-web authentication
  - Demonstration of Moonshot
- 4:10 PM → 4:30 PM Wrap-up and Q&A

Please find more details about the event on the dedicated page on GitHub.