Loomio
Fri 31 May 2019 10:37PM

Is SSO compatible with selfhosted Loomio ?

J Jordan Public Seen by 72

Hi,

I would like to run dockerized Loomio with others services like nextcloud / rocketchat with different domain behind a nginx-proxy, with SSO (manage by keycloak).

Is it possible to configure a SSO configuration for loomio ? I don't find any information about it :(
Thanks !

J

Jordan Mon 3 Jun 2019 11:57AM

Hello,
To be more precise, would it be possible to make Loomio compatible with any SSO with SAML or OpenID Connect ?
I am surprised that not all communities created around Loomio use SSO, which is a very useful tool to manage user data in a centralized and secure way. Maybe I'm missing something...
Thanks!

RG

Robert Guthrie Mon 3 Jun 2019 8:46PM

Hi, yes we've connected to a few kinds of SAML server now.

You need to set two keys: The first is just an "enable" flag, the second is the IDP metadata url.

SAML_APP_KEY=1
SAML_IDP_METADATA_URL=https://app.onelogin.com/saml/metadata/12345656789

RG

Robert Guthrie Mon 3 Jun 2019 8:47PM

We're looking at supporting any open id connect in the future.

J

Jordan Mon 3 Jun 2019 9:14PM

Ohhhh amazing ! Thank you ! Maybe would be good to add this in the documentation of "loomio-deploy" :)

J

Jordan Tue 24 Sep 2019 9:37PM

Hi ,

Sorry to re-open this discussion, but I'm still trying to configure SAML with keycloak and I am facing an issue. When clicking on "Continue with SAML" on Loomio, it redirect me on my keycloak instance but with an error "Unknown login requester"

I think this is a Keycloak specific error, but i'm working on it since a long time...

In Loomio, the two keys "SAMLAPP_KEY" and "SAML_IDP_METADATA_URL" are the only configuration needed ?

Thanks for you answer.

RG

Robert Guthrie Tue 24 Sep 2019 9:47PM

Dont' be sorry. Yes, those are the only keys needed. Are you connected to talk.theborderland? They successfully connected loomio and keycloak.

J

Jordan Tue 24 Sep 2019 9:50PM

I don't know what is talk.theborderland but I will try to contact them ! Thx u ! <3

RG

Robert Guthrie Tue 24 Sep 2019 10:02PM

@Hugi Ásgeirsson Can you connect us with the person who successfully setup keycloak and Loomio?

J

Jordan Tue 24 Sep 2019 10:04PM

Oh god you are my hero. Thank you very much Rob !

PS: talk.theborderland is AMAZING ! Exactly what I'm working on. Their login page is so beautiful :D

H

Hugi Ásgeirsson Wed 25 Sep 2019 6:41AM

Yes, I’ll ping them.

K

Kris Wed 25 Sep 2019 9:16AM

Pong.

This is in our env:

SAML_IDP_METADATA_URL=https://account.theborderland.se/auth/realms/master/protocol/saml/descriptor
SAML_ISSUER=talk
SAML_APP_KEY=1

Create a client in keycloak with, in this instance, client id set to "talk", and set client protocol to "saml". Maybe turn off client signature required. Watch the logs and flip switches in keycloak until it works. I didn't write down what I did of course, but this should bring you close.

J

Jordan Wed 25 Sep 2019 10:02AM

It works ! Thank you very much for your help !
I have two last questions if I can abuse your kindness:

  • Loomio makes copies of users in his database, no way to disable this ? I guess Loomio need it, but it's a duplication of information.

  • As in talk.theborderland, how to disable sign in on Loomio and force use SAML for user registration ?

Thank you again, love Loomio and Love u :D

RG

Robert Guthrie Wed 25 Sep 2019 10:24PM

Hahah love the love in the room!

Yes, it's essential to create user records in the loomio database.

Hrrmm it looks the the default_env in loomio-deploy needs some updating.

FEATURES_DISABLE_EMAIL_LOGIN
FEATURES_DISABLE_CREATE_USER
FEATURES_DISABLE_CREATE_GROUP
FEATURES_DISABLE_PUBLIC_GROUPS
FEATURES_DISABLE_AHOY_TRACKING
FEATURES_DISABLE_HELP_LINK
FEATURES_DISABLE_EXAMPLE_CONTENT

You're after the top one: Disable email login will do what you're asking for.

So that would be

FEATURES_DISABLE_EMAIL_LOGIN=1

Feel like making a PR modifying the default_env file with the SAML envs you use and the above and adding the best description you can for them. Just mentioning the keys would be a big improvement.

J

Jordan Thu 19 Mar 2020 11:04AM

Hi @Kris,

Can you share your Keycloak configuration for Loomio client ? :D (in keycloak, "Client", then "Export")

Thank you very much!

H

Hugi Ásgeirsson Sat 21 Mar 2020 11:01PM

Here you go @Jordan

{
    "clientId": "talk",
    "name": "Borderland Talk",
    "rootUrl": "https://talk.theborderland.se",
    "baseUrl": "/explore",
    "surrogateAuthRequired": false,
    "enabled": true,
    "alwaysDisplayInConsole": false,
    "clientAuthenticatorType": "client-secret",
    "redirectUris": [
        "/*"
    ],
    "webOrigins": [],
    "notBefore": 0,
    "bearerOnly": false,
    "consentRequired": false,
    "standardFlowEnabled": true,
    "implicitFlowEnabled": false,
    "directAccessGrantsEnabled": false,
    "serviceAccountsEnabled": false,
    "publicClient": false,
    "frontchannelLogout": true,
    "protocol": "saml",
    "attributes": {
        "saml.assertion.signature": "true",
        "saml.force.post.binding": "true",
        "saml.multivalued.roles": "false",
        "saml.encrypt": "false",
        "saml.server.signature": "true",
        "saml.server.signature.keyinfo.ext": "true",
        "exclude.session.state.from.auth.response": "false",
        "saml.signing.certificate": "OURCERT",
        "saml.signature.algorithm": "RSA_SHA256",
        "saml_force_name_id_format": "false",
        "tls.client.certificate.bound.access.tokens": "false",
        "saml.client.signature": "false",
        "saml.authnstatement": "true",
        "display.on.consent.screen": "false",
        "saml_name_id_format": "username",
        "saml.signing.private.key": "OURKEY",
        "saml.onetimeuse.condition": "false",
        "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": "KEY_ID",
        "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#"
    },
    "authenticationFlowBindingOverrides": {},
    "fullScopeAllowed": true,
    "nodeReRegistrationTimeout": -1,
    "protocolMappers": [
        {
            "name": "X500 email",
            "protocol": "saml",
            "protocolMapper": "saml-user-property-mapper",
            "consentRequired": false,
            "config": {
                "attribute.nameformat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                "user.attribute": "email",
                "friendly.name": "email",
                "attribute.name": "urn:oid:1.2.840.113549.1.9.1"
            }
        },
        {
            "name": "role list",
            "protocol": "saml",
            "protocolMapper": "saml-role-list-mapper",
            "consentRequired": false,
            "config": {
                "single": "false",
                "attribute.nameformat": "Basic",
                "attribute.name": "Role"
            }
        },
        {
            "name": "X500 surname",
            "protocol": "saml",
            "protocolMapper": "saml-user-property-mapper",
            "consentRequired": false,
            "config": {
                "attribute.nameformat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                "user.attribute": "lastName",
                "friendly.name": "surname",
                "attribute.name": "urn:oid:2.5.4.4"
            }
        },
        {
            "name": "X500 givenName",
            "protocol": "saml",
            "protocolMapper": "saml-user-property-mapper",
            "consentRequired": false,
            "config": {
                "attribute.nameformat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                "user.attribute": "firstName",
                "friendly.name": "givenName",
                "attribute.name": "urn:oid:2.5.4.42"
            }
        }
    ],
    "defaultClientScopes": [
        "web-origins",
        "role_list",
        "profile",
        "roles",
        "email"
    ],
    "optionalClientScopes": [
        "address",
        "phone",
        "offline_access"
    ],
    "access": {
        "view": true,
        "configure": true,
        "manage": true
    }
}