Ansible Collection - redhat.sso

Collection to install and configure Keycloak or Red Hat Single Sign-On / Red Hat Build of Keycloak.

Ansible version compatibility

This collection has been tested against following Ansible versions: >=2.16.0.

Plugins and modules within a collection may be tested with only specific Ansible versions. A collection may contain metadata that identifies these versions.

Installation

Installing the Collection from Automation Hub

Before using the collection, you need to setup Ansible Automation Hub as galaxy server; then install it via the CLI:

ansible-galaxy collection install redhat.sso

You can also include it in a requirements.yml file and install it via ansible-galaxy collection install -r requirements.yml, using the format:

---
collections:
  - name: redhat.sso

The sso collection also depends on the following python packages to be present on the controller host:

• netaddr
• lxml

A requirement file is provided to install:

pip install -r requirements.txt

Included modules

All Keycloak administration modules from community.general are provided in this collection for Keycloak 17+ (Quarkus). Use auth_sso_url without the legacy /auth context path (for example http://localhost:8080). Set sso_context to /auth only when automating WildFly-based Keycloak with the sso role.

• sso_authentication: manage authentication flows and executions using Keycloak Admin REST API.
• sso_authentication_flow: manage custom authentication flows and flow executions.
• sso_authentication_required_actions: manage required actions available in realm authentication.
• sso_authentication_v2: manage authentication flows with newer Keycloak API handling.
• sso_authz_authorization_scope: manage authorization scopes for a client resource server.
• sso_authz_custom_policy: manage custom authorization policies for a client resource server.
• sso_authz_permission: manage authorization permissions for a client resource server.
• sso_authz_permission_info: retrieve authorization permission information for a client resource server.
• sso_client: manage Keycloak clients (create/update/delete).
• sso_client_rolemapping: manage client role mappings for users and groups.
• sso_client_rolescope: manage client role scope mappings.
• sso_client_scope: manage client scopes and protocol mappers (replaces community.general.sso_clientscope).
• sso_client_scope_type: manage default and optional client scope assignments.
• sso_clientsecret_info: retrieve client secret information.
• sso_clientsecret_regenerate: regenerate a client secret.
• sso_clienttemplate: manage legacy client templates.
• sso_component: manage realm components.
• sso_component_info: retrieve realm component information.
• sso_group: manage realm groups and subgroups.
• sso_identity_provider: manage identity provider instances and configuration.
• sso_realm: manage realms (create/update/delete).
• sso_realm_info: retrieve realm information.
• sso_realm_key: manage realm key providers.
• sso_realm_keys_metadata_info: retrieve realm keys metadata.
• sso_realm_localization: manage realm localization texts.
• sso_realm_rolemapping: manage realm role mappings for users and groups.
• sso_role: manage realm and client roles.
• sso_user: manage users (create/update/delete).
• sso_user_execute_actions_email: trigger execute-actions emails for users.
• sso_user_federation: manage user federation providers (for example LDAP/AD).
• sso_user_rolemapping: manage user role mappings.
• sso_userprofile: manage user profile configuration.

Usage

The collection provides roles to install Keycloak and modules to manage realms, clients, users, and related settings via the Keycloak Admin REST API.

For Quarkus-based Keycloak (17+), set auth_sso_url to the server root URL without the legacy /auth path, for example http://localhost:8080. When using the legacy sso role with WildFly-based Keycloak, set sso_context to /auth in the sso_realm role.

Install Keycloak

• playbooks/sso_quarkus.yml installs Keycloak >= 17 using the sso_quarkus role.
• playbooks/sso.yml installs legacy Keycloak (<= 19) using the sso role.

For full service configuration details, refer to the sso_quarkus role README or the sso role README.

Install from controller node (offline)

Making the sso zip archive available to the playbook working directory, and setting sso_offline_install to true, allows to skip the download tasks. The local path for the archive does match the downloaded archive path, so that it is also used as a cache when multiple hosts are provisioned in a cluster.

sso_offline_install: true

Downloading from the Customer Portal

The redhat.sso.sso role supports downloading and installing from the Red Hat Customer Portal using credentials associated to a service account. After login in the customer portal and navigating to the hybrid cloud console, select the services account tab to create one, if needed. Client ID and Client secret associated to the service account needs to be provided with the following variables are defined:

rhn_username: '<client_id>'
rhn_password: '<client_secret>'

The downloaded product archive will be stored in the controller working directory, and then distributed to target nodes.

When patching is requested, via the sso_apply_patches variable, the most recently published cumulative patch will be installed; to use a specific patch version instead, set it with the sso_patch_version variable.

NOTE: downgrading patches is not supported.

Install from alternate sources (like corporate Nexus, artifactory, proxy, etc)

It is possible to perform downloads from alternate sources, using the sso_download_url variable; make sure the final downloaded filename matches with the source filename (ie. sso-legacy-x.y.zip or rh-sso-x.y.z-server-dist.zip).

Example installation command

Execute the following command from the source root directory:

ansible-playbook -i <ansible_hosts> playbooks/sso_quarkus.yml -e sso_quarkus_bootstrap_admin_password=<changeme>

• sso_quarkus_bootstrap_admin_password password for the administration console user account.
• ansible_hosts is the inventory, below is an example inventory for deploying to localhost

[sso] localhost ansible_connection=local

Note: when deploying clustered configurations, all hosts belonging to the cluster must be present in ansible_play_batch; ie. they must be targeted by the same ansible-playbook execution.

Configure with roles

• playbooks/sso_realm.yml creates or updates provided realm, user federation(s), client(s), client role(s) and client user(s).

• playbooks/sso_realm_client.yml creates a realm with clients, roles and users using the sso_realm role.
• playbooks/sso_federation.yml configures user federation providers.

Example configuration command

Execute the following command from the source root directory:

ansible-playbook -i <ansible_hosts> playbooks/sso_realm.yml -e sso_realm_admin_password=<changeme> -e sso_realm_realm=test

• sso_realm_admin_password password for the administration console user account.
• sso_realm_realm name of the realm to be created/used.
• ansible_hosts is the inventory, below is an example inventory for deploying to localhost

[sso] localhost ansible_connection=local

For full configuration details, refer to the sso_realm role README.

Configure with modules

Module playbooks target an already running Keycloak instance. All modules use the redhat.sso collection namespace.

• playbooks/sso_client_scope.yml creates a client scope with protocol mappers using the sso_client_scope module.
• playbooks/sso_authentication_flow.yml creates a custom authentication flow with execution steps using the sso_authentication_flow module.

Example task using shared authentication defaults:

- hosts: localhost
  module_defaults:
    group/redhat.sso.sso:
      auth_sso_url: http://localhost:8080
      auth_realm: master
      auth_username: admin
      auth_password: "{{ sso_admin_password }}"
  tasks:
    - name: Create a user in a realm
      redhat.sso.sso_user:
        realm: TestRealm
        username: testuser
        first_name: Test
        last_name: User
        email: testuser@example.com
        enabled: true
        state: present

When migrating from community.general, replace the collection prefix in playbooks (for example community.general.sso_user becomes redhat.sso.sso_user) and use sso_client_scope instead of sso_clientscope.

Support

redhat.sso collection v2.0.2 is for Technical Preview. If you have any issues or questions related to collection, please don't hesitate to contact us on Ansible-middleware-core@redhat.com or open an issue on https://github.com/ansible-middleware/keycloak/issues

Release and Upgrade Notes

For details on changes between versions, please see the CHANGELOG for this collection.

License

Apache License v2.0 or later

See LICENSE to view the full text.