Keycloak authentication in Semaphore
Starting from version 2.8.90, Semaphore supports authentication via OIDC providers such as Keycloak. In this article, we will explore how to set up Ansible Semaphore to authenticate users via Keycloak.
Configuring authentication via OIDC starts with setting up Keycloak itself.
- Set up a new OpenID Connect client
  - Log in to Keycloak as an admin
  - Select your realm, if you need to
  - Click "Clients"
  - Click "Create client"
  - "Client type" should be "OpenID Connect"
  - The ID will be used in the Semaphore config, so make a note of what you set it to
  - The name can be something clearer about what this client is for
  - Click "Next"
  - Turn on "Client authentication"
  - Click "Next"
  - Set the "Root URL" to the root of your Semaphore install, e.g. https://semaphore.example.com
  - Set "Home URL" to "/"
  - Set "Valid redirect URIs" to the "Root URL" followed by /api/auth/oidc/horwood/redirect
  - Set "Web origins" to the same as the "Root URL"
  - Click "Save"
- Next is to add "Client scopes"
  - Click on "Client scopes" in your new client
  - Click the top scope, e.g. "test-dedicated"
  - Click "Add predefined mapper"
  - Tick "email" and click "Add"
  - Click "Add mapper" and "From predefined mappers"
  - On the second page of mappers, tick "username" and "profile"
  - Click on
- Add config to Semaphore
  - Open your Semaphore config.json for editing, e.g. vi config.json
  - Add the config below to the end of your file; make sure to add a "," after the last existing item first
    "oidc_providers": {
        "horwood": {
            "display_name": "Sign in with keycloak",
            "provider_url": "https://keycloak.example.com/realms/PVE01",
            "client_id": "<CLIID>",
            "client_secret": "<SECRET>",
            "redirect_url": "https://semaphore.example.com/api/auth/oidc/horwood/redirect"
        }
    }
On the login page you should now see a "Sign in with keycloak" button; clicking it takes you through your normal Keycloak login flow.
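Before restarting Semaphore it is worth sanity-checking the edited config.json, since a missed comma breaks the whole file and a redirect_url that does not match the provider key (the /api/auth/oidc/<key>/redirect path shown above) or the Keycloak "Valid redirect URIs" makes the login loop fail. The checker below is an added example, not part of the article or of Semaphore itself; it assumes the key layout shown in the snippet above and embeds that snippet as constructed sample input.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the article's snippet wrapped in a minimal config.json,
# with the <CLIID>/<SECRET> placeholders left exactly as the article shows them.
SAMPLE_CONFIG = """{
  "oidc_providers": {
    "horwood": {
      "display_name": "Sign in with keycloak",
      "provider_url": "https://keycloak.example.com/realms/PVE01",
      "client_id": "<CLIID>",
      "client_secret": "<SECRET>",
      "redirect_url": "https://semaphore.example.com/api/auth/oidc/horwood/redirect"
    }
  }
}"""

REQUIRED = ("display_name", "provider_url", "client_id", "client_secret", "redirect_url")


def check_oidc_providers(config_text: str, semaphore_root: str) -> list[str]:
    """Return the problems found in the oidc_providers section (empty list = OK)."""
    problems = []
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError as exc:  # typically a missing or trailing comma
        return [f"config.json is not valid JSON: {exc}"]
    providers = cfg.get("oidc_providers") or {}
    if not providers:
        return ["no oidc_providers section found"]
    root = urlsplit(semaphore_root)
    for key, prov in providers.items():
        for field in REQUIRED:
            if not prov.get(field):
                problems.append(f"{key}: missing {field}")
        for field in ("client_id", "client_secret"):
            val = prov.get(field, "")
            if val.startswith("<") and val.endswith(">"):
                problems.append(f"{key}: {field} still holds the placeholder {val}")
        if not prov.get("provider_url", "").startswith("https://"):
            problems.append(f"{key}: provider_url must use https")
        # The redirect must point back at this Semaphore instance, at the
        # per-provider path /api/auth/oidc/<key>/redirect (assumed from the article).
        redir = urlsplit(prov.get("redirect_url", ""))
        expected_path = f"/api/auth/oidc/{key}/redirect"
        if (redir.scheme, redir.netloc) != (root.scheme, root.netloc):
            problems.append(f"{key}: redirect_url host differs from the Semaphore root URL")
        if redir.path != expected_path:
            problems.append(f"{key}: redirect_url path should be {expected_path}")
    return problems
```

Run it against your real file with `check_oidc_providers(open("config.json").read(), "https://semaphore.example.com")`; the redirect_url it accepts is the exact value to enter under "Valid redirect URIs" in Keycloak.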
Published by Matt Horwood