External Identity Providers¶
This section describes how to configure an external identity provider (IdP) in Neteye.
Identity Providers are services that create, maintain, and manage identity information for users while providing authentication services to relying applications within a federation or distributed network. If you have an existing IdP, you can configure it in NetEye to authenticate users with it (via SAML), defined in RFC 7522 or OIDC defined in the OpenID Connect Core 1.0 specification. Some popular options for that are: Ping Identity, Fortinet or MS ADFS. This page also shows examples of how to configure some of the most common IdPs.
When an IdP is enabled, Keycloak redirects the user to the IdP login page based on the email address’ domain.
Note
If LDAP is enabled and provides the user’s email address, the user can insert only the username at the login.
Add an IdP in NetEye¶
To add an IdP in NetEye, access the Authentication Admin Console and click on the menu item. Many already configured IdPs can be easily set up by clicking a button under the Social section, or a custom IdP can be configured by selecting a protocol under the User defined tab.
Note
Keycloak supports SAML v2.0, OIDC v1.0, and OAuth 2.0.
After clicking a button, a wizard will guide you through the configuration of the IdP. You will also need access to the IdP admin console to obtain the necessary information to configure the IdP in NetEye, and accept NetEye as a client.
Specific IdP how-to guides¶
How to configure MSADFS
How to configure FortiAuthenticator
OpenID Connect (OIDC)¶
Keycloak supports the auto-discovery of OIDC configuration from the IdP. The URL:
https://{YOUR-IDP-HOST}/.well-known/openid-configuration
can be used to configure the IdPs
discovery endpoint inside the Keycloak configuration form. If you want to configure the IdP
manually, you can follow the official
OIDC Configuration documentation.
We generally recommend using OIDC over SAML when possible, as it is easier to integrate with Keycloak and has a
Security Assertion Markup Language (SAML)¶
Keycloak supports the SAML identity descriptor file (metadata) from the IdP. If you want to configure the IdP manually, you can follow the official SAML Configuration documentation.
Common IdP configuration¶
Alias |
The alias is a unique identifier for an identity provider and references an internal identity provider. Keycloak uses the alias to build redirect URIs for OpenID Connect protocols that require a redirect URI or callback URL to communicate with an identity provider. All identity providers must have an alias. Examples of aliases include Facebook, Google, and idp.acme.com. |
Hide on Login Page |
MUST be set to true because we have the IdP auto-selection based on email address |
Account Linking Only |
SHOULD be set to true |
Store tokens |
MUST be set to false |
Store Token Readable |
MUST be set to false |
Trust Email |
MUST be set to true |
Sync Mode |
SHOULD be set to force because you have to trust the IdP. |
Case-sensitive username |
SHOULD be set to true |
See the official guide of Keycloak if you need particular configurations.
Configuring idp domains¶
For the Home IdP Discovery to correctly map the email domain to the proper login endpoint, the IdP domains need to be configured. This step ensures that Keycloak properly redirects to the IdP for authentication, requiring only the username as the initial step of the login process. Additionally, if multiple IdPs are configured in Keycloak, setting this parameter allows Keycloak to determine the correct IdP to redirect to based on the email domain associated with the entered username.
Since that configuration option is currently only available over a REST-API, we provide a neteye subcommand to make these configuration as easy as possible. With the neteye config auth idp command, you can view and edit the domain configuration with the subcommands list and set respectively.
To activate the flow, you then also need to follow the configuration steps below.
Enabling the Home IdP Discovery Flow¶
After setting up the IdP, you must change the default Authentication Flow
on Keycloak.
To do this, you need to access the Authentication section in the Authentication Admin Console and:
- Click on the neteye-idp-discovery-flow flow
Click on the Dots menu button and select Bind flow
Select Browser and click on Save
- Click on the neteye-first-broker-login-flow flow
Click on the Dots menu button and select Bind flow
Select First Login Flow and click on Save
Configuring Identity Provider Redirector step¶
If you have only one Identity Provider (IdP), you can configure an automatic redirect to it, bypassing the login screen for users. This will allow users to be redirected directly to your custom IdP.
To enable this:
Go to the Authentication` section in the Authentication Admin Console.
Select neteye-idp-discovery-flow.
Enable the “Identity Provider Redirector” step by setting its requirement to Alternative.
Click the gear icon next to the step, choose an alias, and enter the alias of your IdP in the Default identity provider field.
Once this is configured, users will no longer see the login screen and will be automatically redirected to the specified IdP.
If you need to log in with a local user, visit: https://{YOUR-HOST}/local_auth
Note
This step is optional and not required for all configurations.