Keycloak Setup Issues

[bront...@gmail.com]

Hi,

I am setting up Keycloak to authenticate users federated from Active Directory. Keycloak is connected to AD, and users have been imported.

Both Keycloak and cBioPortal are deployed via Docker-Compose and accessible behind an Apache front end (also Dockerized). The reverse proxy listens on https://myserver.edu:443 for cBioPortal and https://myserver.edu:444/auth for Keycloak.

The Keycloak client, cbioportal, settings are as indicated in the instructions and:

   Valid Redirect Urls: https://myserver.edu/*, https://myserver.edu:443/*

   Logout Service POST Binding URL: https://myserver.edu:443/saml/logout

I had set the Master SAML Processing URL to https://myserver.edu:444/auth/realms/cbioportal, but since that setting is only depicted in the image and not in the actual instructions, I removed it. (https://docs.cbioportal.org/2.2-authorization-and-authentication/authenticating-and-authorizing-users-via-keycloak)

Here is the SAML section from portal.properties. When I set entitybaseurl, the error indicates, “No IDP was configured, please update included metadata with at least one IDP.” When I leave it blank, the error indicates “java.net.MalformedURLException: no protocol: /saml/login.”

# No IDP configured when entitybaseurl is enabled... but it has to be there as a placeholder...

    # saml.sp.metadata.entitybaseurl=#{null}

    # saml.sp.metadata.entitybaseurl=

saml.sp.metadata.entitybaseurl=https://myserver.edu:444/auth/realms/cbioportal/

filter_groups_by_appname=false

saml.sp.metadata.entityid=cbioportal

saml.sp.metadata.wantassertionsigned=true

saml.idp.metadata.location=classpath:/client-tailored-saml-idp-metadata.xml

saml.idp.metadata.entityid=https://myserver.edu:444/auth/realms/cbioportal

saml.keystore.location=classpath:/samlKeystore.jks

saml.keystore.password=***

saml.keystore.private-key.key=secure-key

saml.keystore.private-key.password=***

saml.keystore.default-key=secure-key

saml.idp.comm.binding.settings=defaultBinding

saml.idp.comm.binding.type=

saml.idp.metadata.attribute.email=email

saml.idp.metadata.attribute.role=Role

saml.custom.userservice.class=org.cbioportal.security.spring.authentication.keycloak.SAMLUserDetailsServiceImpl

# global logout (as opposed to local logout):

saml.logout.local=false

saml.logout.url=/

Also, and I am not sure that this is relevant, when I access the saml.idp.metadata.entityid URL, https://myserver.edu:444/auth/realms/cbioportal, I see the following JSON object:

{"realm":"cbioportal","public_key”:”***”,”token-service":"https://myserver.edu:444/auth/realms/cbioportal/protocol/openid-connect","account-service":"https://myserver.edu:444/auth/realms/cbioportal/account","tokens-not-before":0}

Should the token-service refer to openid-connect? That URL displays page not found.

If, however, I change URL to https://cras-dev.kcr.uky.edu:444/auth/realms/cbioportal/protocol/saml, I see “Invalid Request,” which seems promising…

Any help would be most welcome.

Thank you,

bront

 

[Benjamin Gross]

Hi Bront,

Based on the error you provided - “No IDP was configured”, it sounds like the SAML Metadata has not been downloaded from keycloak and made available to your cbioportal instance.  Its the “Export configuration for cBioPortal” step described here:

https://docs.cbioportal.org/2.2-authorization-and-authentication/authenticating-and-authorizing-users-via-keycloak#export-configuration-for-cbioportal

Can you confirm that this step was performed?

Best,

Benjamin

--
You received this message because you are subscribed to the Google Groups "cBioPortal for Cancer Genomics Discussion Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cbioportal+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cbioportal/61ab452a-166e-4c6f-8dbd-5e5b933c00ban%40googlegroups.com.

[bront...@gmail.com]

Benjamin,

Thank you for responding. I have exported the metadata a number of times and deployed it via a docker-compose volume, and until this morning I was still getting the "No IDP Configured."

As I continued reading, trying to grasp the nature of this issue, I stumbled upon a post that described a similar situation. The cBio docs call for SAML Metadata IDPSSODescriptor, but my version of Keycloak, quay.io/keycloak/keycloak:latest, only provides SAML Metadata SSODescriptor in the Installation tab drop-down.

Working from there, I located this post (https://github.com/cBioPortal/cbioportal/issues/6820) that seems to address this problem directly... Keycloak No Longer Exposes IDPSSODescriptor config.

I rolled Keycloak back to version 5.0.0 to test. The IDPSSODescriptor is available in that version, and output looks very similar in structure to the output depicted in the image here: https://docs.cbioportal.org/2.2-authorization-and-authentication/authenticating-and-authorizing-users-via-keycloak#export-configuration-for-cbioportal

I deployed the file, brought Docker up, and saw no error. The browser immediately forwarded me to the cBioPortal realm in Keycloak... https://myserver.444/auth/realms/cbioportal/protocol/saml where I now see the error "Invalid Requester."

So, progress...

Questions:

1. Is there a preferred version of Keycloak? Is using such an old version a security risk?
2. And if you could shed any light on the "Invalid Requester," that would be a huge help as well.

Again, thank you for reaching out. This has been a thorny puzzle to solve.

bront

Bront Davis
Senior Web Application Developer
Markey Cancer Control Program / KY Cancer Registry
University of Kentucky

[Benjamin Gross]

I’m sorry you had to rollback Keycloak.  Yes, as much as I like Keycloak, there are a few idiosyncrasies in its UI.  You can in fact download the IDP metadata in a more recent version of Keycloak.  You’ll find a poorly indicated link on the Realm Settings page (see image below).   With that, I would say there is no preferred version (we run version 11 in-house).

Invalid requestor leads me to believe that Keycloak is not aware of your cBioPortal client.  I would verify that you have properly generated and uploaded your keystore to Keycloak.

Let me know how it goes.

Best,

Benjamin

To view this discussion on the web visit https://groups.google.com/d/msgid/cbioportal/cb77f0a9-4b86-4606-956f-d798e3d7057bn%40googlegroups.com.

[bront...@gmail.com]

Benjamin,

You were right in both cases. I had neglected to import the keystore on my last "fresh" start, and I never would have guessed that those endpoints were clickable links. :-)

I hate to trouble you further, but I think I have one more hurdle to cross before this is complete.

The redirect from cBio to Keycloak works. The login is also working (tried a bad password just to make sure). 

I have:

• imported my users from Active Directory
• created roles under the cbioportal Client (ALL, all, public)
• and assigned them to myself

When I login, however, I am directed from Keycloak back to cBioPortal with this error: https://cras-dev.kcr.uky.edu/login.jsp?login_error=true

It indicates that I am not authorized to access resources, but I am not seeing any errors in the log.

Thank you,

bront

[Benjamin Gross]

Glad you are making progress.

Sounds to me like your email address (effective id) is not getting to the cBioPortal backend.  You should check that your email address mapper is property setup:

https://docs.cbioportal.org/2.2-authorization-and-authentication/authenticating-and-authorizing-users-via-keycloak#map-saml-assertion-attributes

I would also check your user record in keycloak and make sure that it is correct (that Email address is properly set).

Best,

Benjamin

To view this discussion on the web visit https://groups.google.com/d/msgid/cbioportal/b3b27222-2503-460d-a418-033b8a4cc044n%40googlegroups.com.

[bront...@gmail.com]

Thank you. Your help is the progress.

I think I have the emails set properly. Under Client:cbioportal Mappers, I have set the X500 email SAML Attribute Name to email.

Also, my AD record appears to be correct. There is a field for email and the email is correct.

Attached screenshots...

bront

[Benjamin Gross]

Your screenshots look correct.   The next thing I would do is turn logging on in the security library and see what is getting to the backend.  You can find information about doing this here:

https://docs.cbioportal.org/2.2-authorization-and-authentication/authenticating-and-authorizing-users-via-keycloak#troubleshooting

If nothing is obvious in the file, send me a copy and I can take a look.

Best,

Benjamin

To view this discussion on the web visit https://groups.google.com/d/msgid/cbioportal/5eb52de0-4f8b-4491-91eb-b8f56b38ea8bn%40googlegroups.com.

[bront...@gmail.com]

Benjamin,

I don't think that I set up debugging correctly, because I don't seem to be getting any additional messages in the log (or at least messages related to login issues).

I tried modifying log4j.properties in the source code, adding DEBUG, and then building a Docker image of cBioPortal. This appeared to be successful, and I am able to deploy the image, but noticed no changes in the logged messages when I ran docker-compose.

I also tried to add a volume to the docker-compose.yml file, which maps to here: /cbioportal-webapp/WEB-INF/classes/log4j.properties. I exec'd into the container to verify that the file exists, but when I login via Keycloak and get redirected back to cBioPortal I still don't see any further logging errors.

I think I am setting up the debugging incorrectly? Do you have further suggestions?

Thank you,

bront

Bront Davis
Senior Web Application Developer
Markey Cancer Control Program / KY Cancer Registry
University of Kentucky

[Andrew Blake]

I have this line in the log4j file:

log4j.logger.org.springframework.security=DEBUG

which should then give you output when you try and login etc

[bront...@gmail.com]

Andrew and Benjamin,

Thanks to both of you for all of your help. I was able to get logging working today.

I am still able to login via Keycloak, but when I am redirected back to cBioPortal I remain unauthenticated.

cBio logged errors:

• Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Incoming SAML message is invalid
  
•  URL https://dev.kcr.uky.edu/saml/SSO wasn't found in local metadata (does this refer to the portal.properties file or the client-tailored-saml-idp-metadata.xml?)

Keycloak settings:

• Valid Redirect URIs -  https://dev.kcr.uky.edu/*
  
• Master SAML processing URL - https://dev.kcr.uky.edu:444/auth/saml
  
• Logout Service Post Binding URL - https://dev.kcr.uky.edu/saml/logout

cBioPortal Properties

•  saml.sp.metadata.entitybaseurl=https://dev.kcr.uky.edu/

• filter_groups_by_appname=false
  
• saml.sp.metadata.entityid=cbioportal
  
• saml.sp.metadata.wantassertionsigned=true
  
• saml.idp.metadata.location=classpath:/client-tailored-saml-idp-metadata.xml
  

• saml.idp.metadata.entityid=https://dev.kcr.uky.edu:444/auth/realms/cbioportal/
  

• saml.keystore.location=classpath:/samlKeystore.jks
  
• saml.keystore.password=***
  
• saml.keystore.private-key.key=secure-key
  
• saml.keystore.private-key.password=***
  
• saml.keystore.default-key=secure-key
  
• saml.idp.comm.binding.settings=defaultBinding
  
• saml.idp.comm.binding.type=
  
• saml.idp.metadata.attribute.email=email
  
• saml.idp.metadata.attribute.role=Role
  
• saml.custom.userservice.class=org.cbioportal.security.spring.authentication.keycloak.SAMLUserDetailsServiceImpl
  
• # global logout (as opposed to local logout):
  
• saml.logout.local=false
  
• saml.logout.url=/

Proxy:

I am running cBioPortal behind a reverse proxy configured in Apache along with two virtual hosts, 443 for cBio and 444 for Keycloak.

--proxy-base-url https://dev.kcr.uky.edu:443 

Thanks again for your assistance.

bront

[Benjamin Gross]

Bront,

I think you are missing port 443 in your keycloak settings:

Valid redirect URIs:

https://dev.kcr.uky.edu:443/*

Master SAML Processing: 

https://dev.kcr.uky.edu:443/saml

Logout Service Post Binding URL:

https://dev.kcr.uky.edu:443/saml/logout

I also think your entity base url should have it -

saml.sp.metadata.entitybaseurl:

https://dev.kcr.uky.edu:443

Give those a try and let me know how it goes.

Best,

Benjamin

To view this discussion on the web visit https://groups.google.com/d/msgid/cbioportal/c36e176c-9969-4da9-8cbc-8451cd37b218n%40googlegroups.com.

[bront...@gmail.com]

Benjamin,

I can't thank you enough for your patience and guidance. This did the trick. Authentication is working.

I'd gone through that set up a number of times, but I think I was misinterpreting the graphic below (from https://docs.cbioportal.org/2.2-authorization-and-authentication/authenticating-and-authorizing-users-via-keycloak#configure-keycloak-to-authenticate-your-cbioportal-instance). 

CBioPortal is running on port 8081 and Keycloak on 8080.

It seems that the Master SAML Processing URL is pointing to Keycloak, whereas your instructions advised, correctly, to point to cBioPortal?

I am new to a lot of this verbiage, so I may be misunderstanding something fundamental.

Again, thank you for your invaluable help... now to replicate this on the production server. :-)

bront

[Benjamin Gross]

Happy to help Bront.  What you pointed out looks like a typo, sorry for the confusion it has caused.  I’ll make an update to that (and as you’ve noticed, not clear when you are running via a secure channel).

Glad its working now.  Let me know if you have any issues on the production server.

Best,

Benjamin

To view this discussion on the web visit https://groups.google.com/d/msgid/cbioportal/de5e28cc-fd71-4732-81a5-18caa460171fn%40googlegroups.com.