Loomio
Fri 31 May 2019 10:37PM

Is SSO compatible with selfhosted Loomio ?

Jordan

Hi,

I would like to run dockerized Loomio with other services like Nextcloud / Rocket.Chat on different domains behind an nginx-proxy, with SSO (managed by Keycloak).

Is it possible to set up an SSO configuration for Loomio? I can't find any information about it :(
Thanks!


Kris Wed 25 Sep 2019 9:16AM

Pong.

This is in our env:

SAML_IDP_METADATA_URL=https://account.theborderland.se/auth/realms/master/protocol/saml/descriptor
SAML_ISSUER=talk
SAML_APP_KEY=1

Create a client in keycloak with, in this instance, client id set to "talk", and set client protocol to "saml". Maybe turn off client signature required. Watch the logs and flip switches in keycloak until it works. I didn't write down what I did of course, but this should bring you close.


Jordan Wed 25 Sep 2019 10:02AM

It works! Thank you very much for your help!
I have two last questions, if I may abuse your kindness:

  • Loomio makes copies of users in its database; is there no way to disable this? I guess Loomio needs it, but it's a duplication of information.

  • As on talk.theborderland, how do I disable sign-in on Loomio and force the use of SAML for user registration?

Thank you again, love Loomio and Love u :D


Robert Guthrie Wed 25 Sep 2019 10:24PM

Hahah love the love in the room!

Yes, it's essential to create user records in the loomio database.

Hrrmm, it looks like the default_env in loomio-deploy needs some updating.

FEATURES_DISABLE_EMAIL_LOGIN
FEATURES_DISABLE_CREATE_USER
FEATURES_DISABLE_CREATE_GROUP
FEATURES_DISABLE_PUBLIC_GROUPS
FEATURES_DISABLE_AHOY_TRACKING
FEATURES_DISABLE_HELP_LINK
FEATURES_DISABLE_EXAMPLE_CONTENT

You're after the top one: Disable email login will do what you're asking for.

So that would be

FEATURES_DISABLE_EMAIL_LOGIN=1

Feel like making a PR modifying the default_env file with the SAML envs you use and the above, and adding the best description you can for them? Just mentioning the keys would be a big improvement.


Jordan Thu 19 Mar 2020 11:04AM

Hi @Kris,

Can you share your Keycloak configuration for the Loomio client? :D (in Keycloak, "Client", then "Export")

Thank you very much!


Hugi Ásgeirsson Sat 21 Mar 2020 11:01PM

Here you go @Jordan

{
    "clientId": "talk",
    "name": "Borderland Talk",
    "rootUrl": "https://talk.theborderland.se",
    "baseUrl": "/explore",
    "surrogateAuthRequired": false,
    "enabled": true,
    "alwaysDisplayInConsole": false,
    "clientAuthenticatorType": "client-secret",
    "redirectUris": [
        "/*"
    ],
    "webOrigins": [],
    "notBefore": 0,
    "bearerOnly": false,
    "consentRequired": false,
    "standardFlowEnabled": true,
    "implicitFlowEnabled": false,
    "directAccessGrantsEnabled": false,
    "serviceAccountsEnabled": false,
    "publicClient": false,
    "frontchannelLogout": true,
    "protocol": "saml",
    "attributes": {
        "saml.assertion.signature": "true",
        "saml.force.post.binding": "true",
        "saml.multivalued.roles": "false",
        "saml.encrypt": "false",
        "saml.server.signature": "true",
        "saml.server.signature.keyinfo.ext": "true",
        "exclude.session.state.from.auth.response": "false",
        "saml.signing.certificate": "OURCERT",
        "saml.signature.algorithm": "RSA_SHA256",
        "saml_force_name_id_format": "false",
        "tls.client.certificate.bound.access.tokens": "false",
        "saml.client.signature": "false",
        "saml.authnstatement": "true",
        "display.on.consent.screen": "false",
        "saml_name_id_format": "username",
        "saml.signing.private.key": "OURKEY",
        "saml.onetimeuse.condition": "false",
        "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": "KEY_ID",
        "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#"
    },
    "authenticationFlowBindingOverrides": {},
    "fullScopeAllowed": true,
    "nodeReRegistrationTimeout": -1,
    "protocolMappers": [
        {
            "name": "X500 email",
            "protocol": "saml",
            "protocolMapper": "saml-user-property-mapper",
            "consentRequired": false,
            "config": {
                "attribute.nameformat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                "user.attribute": "email",
                "friendly.name": "email",
                "attribute.name": "urn:oid:1.2.840.113549.1.9.1"
            }
        },
        {
            "name": "role list",
            "protocol": "saml",
            "protocolMapper": "saml-role-list-mapper",
            "consentRequired": false,
            "config": {
                "single": "false",
                "attribute.nameformat": "Basic",
                "attribute.name": "Role"
            }
        },
        {
            "name": "X500 surname",
            "protocol": "saml",
            "protocolMapper": "saml-user-property-mapper",
            "consentRequired": false,
            "config": {
                "attribute.nameformat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                "user.attribute": "lastName",
                "friendly.name": "surname",
                "attribute.name": "urn:oid:2.5.4.4"
            }
        },
        {
            "name": "X500 givenName",
            "protocol": "saml",
            "protocolMapper": "saml-user-property-mapper",
            "consentRequired": false,
            "config": {
                "attribute.nameformat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                "user.attribute": "firstName",
                "friendly.name": "givenName",
                "attribute.name": "urn:oid:2.5.4.42"
            }
        }
    ],
    "defaultClientScopes": [
        "web-origins",
        "role_list",
        "profile",
        "roles",
        "email"
    ],
    "optionalClientScopes": [
        "address",
        "phone",
        "offline_access"
    ],
    "access": {
        "view": true,
        "configure": true,
        "manage": true
    }
}
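The export above is the thing to review before copying it into your own realm: the settings that decide whether Loomio can actually trust what Keycloak sends are in "attributes", and a couple of others ("redirectUris", "saml.client.signature") decide how much the IdP will accept without checking. What follows is an added example, not Keycloak or Loomio code, that lints a Keycloak SAML client export of this shape and reports the SP-relevant settings. The export embedded in it is a constructed sample that mirrors the keys of the one posted here, with placeholder key material; the rule that the SP needs an email attribute mapped is an assumption drawn from the "X500 email" mapper in the posted export, not something Loomio's documentation states on this page.

```python
"""Lint a Keycloak SAML client export for the settings an SP depends on.

Added example, not Keycloak or Loomio code. The sample export is constructed
to match the keys Keycloak's client "Export" produces; key material is a
placeholder. The email-mapper check is an assumption based on the mappers
in the export posted in the thread.
"""
import copy
import json

SAMPLE_EXPORT = json.loads(r"""
{
  "clientId": "talk",
  "rootUrl": "https://talk.example.test",
  "enabled": true,
  "redirectUris": ["/*"],
  "protocol": "saml",
  "attributes": {
    "saml.assertion.signature": "true",
    "saml.force.post.binding": "true",
    "saml.encrypt": "false",
    "saml.server.signature": "true",
    "saml.signing.certificate": "PLACEHOLDER-CERT",
    "saml.signature.algorithm": "RSA_SHA256",
    "saml.client.signature": "false",
    "saml_name_id_format": "username",
    "saml.signing.private.key": "PLACEHOLDER-KEY",
    "saml.onetimeuse.condition": "false"
  },
  "protocolMappers": [
    {"name": "X500 email", "protocol": "saml",
     "protocolMapper": "saml-user-property-mapper",
     "config": {"user.attribute": "email", "friendly.name": "email",
                "attribute.name": "urn:oid:1.2.840.113549.1.9.1"}}
  ]
}
""")

# SHA-1 based XML signatures are deprecated; Keycloak still offers them.
WEAK_SIG_ALGS = {"RSA_SHA1", "DSA_SHA1"}


def attr(client, key, default="false"):
    """Read a Keycloak client attribute; they are all strings in the export."""
    return client.get("attributes", {}).get(key, default)


def lint_saml_client(client):
    """Return a list of (level, message). ERROR = fix before use, WARN = review."""
    if client.get("protocol") != "saml":
        return [("ERROR", "client protocol is not saml")]
    findings = []
    if not client.get("enabled", False):
        findings.append(("WARN", "client is disabled"))

    # What the SP verifies: the IdP must sign the response and the assertion.
    if attr(client, "saml.server.signature") != "true":
        findings.append(("ERROR", "saml.server.signature off: SAMLResponse is unsigned"))
    if attr(client, "saml.assertion.signature") != "true":
        findings.append(("ERROR", "saml.assertion.signature off: Assertion is unsigned"))
    alg = attr(client, "saml.signature.algorithm", "")
    if alg in WEAK_SIG_ALGS:
        findings.append(("ERROR", "weak signature algorithm %s" % alg))

    # What the IdP accepts: unsigned AuthnRequests are common but worth knowing.
    if attr(client, "saml.client.signature") != "true":
        findings.append(("WARN", "saml.client.signature off: IdP accepts unsigned AuthnRequests"))
    if attr(client, "saml.encrypt") != "true":
        findings.append(("INFO", "saml.encrypt off: assertions are signed but not encrypted"))
    if attr(client, "saml.onetimeuse.condition") != "true":
        findings.append(("INFO", "saml.onetimeuse.condition off: no OneTimeUse condition"))

    # Where the IdP will post responses: relative URIs resolve against rootUrl.
    root = client.get("rootUrl", "")
    if root and not root.startswith("https://"):
        findings.append(("ERROR", "rootUrl is not https: %s" % root))
    for uri in client.get("redirectUris", []):
        full = uri if "://" in uri else root + uri
        if "*" in uri:
            findings.append(("WARN", "wildcard redirect URI %s" % full))
        elif not full.startswith("https://"):
            findings.append(("ERROR", "non-https redirect URI %s" % full))

    # Assumption: the SP identifies users by a released email attribute.
    mapped = {m.get("config", {}).get("user.attribute")
              for m in client.get("protocolMappers", [])}
    if "email" not in mapped:
        findings.append(("ERROR", "no protocol mapper releases the user's email"))
    return findings


def worst_level(findings):
    """0 = clean, 1 = INFO only, 2 = WARN, 3 = ERROR."""
    order = {"INFO": 1, "WARN": 2, "ERROR": 3}
    return max((order[level] for level, _ in findings), default=0)


def with_attributes(client, **overrides):
    """Deep-copy a client export with some 'attributes' values replaced."""
    patched = copy.deepcopy(client)
    patched.setdefault("attributes", {}).update(overrides)
    return patched


if __name__ == "__main__":
    for level, message in lint_saml_client(SAMPLE_EXPORT):
        print(level, message)
```

On the posted export this reports no ERROR: both signatures are on and the algorithm is RSA_SHA256. It does flag the "/*" redirect URI (any path under rootUrl is an acceptable destination for a response) and the disabled client signature requirement that Kris mentioned turning off; whether either is acceptable depends on the deployment, which is why they are WARN rather than ERROR. Flipping "saml.assertion.signature" to "false" in a copy is enough to see the check go red.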