[Koha-bugs] [Bug 21577] Enable Koha to act as Shibboleth identity provider

bugzilla-daemon at bugs.koha-community.org
Thu Oct 19 03:07:24 CEST 2023


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21577

--- Comment #9 from David Cook <dcook at prosentient.com.au> ---
(In reply to David Cook from comment #8)
> I also wrote a Keycloak extension that uses the REST API endpoint from bug
> 30962 which allows you to use Keycloak as the Identity Provider with the
> Koha user database as the underlying user datastore. 
> 
> I haven't made this extension public yet, as I'm not that keen on supporting
> it solo. But I suppose I should just do it one of these days...

I've uploaded the Keycloak extension at
https://gitlab.com/minusdavid/keycloak-user-storage-koha

Hopefully there is enough information there for people to build, deploy, and
use it. If not, raise an issue there or email me or something.

But that extension allows you to use Keycloak as a SAML/Shibboleth Identity
Provider using Koha's user database for authentication.

So you can set up Koha to authenticate against Keycloak, and you'll be logging
into Keycloak's interface using your Koha username and password. You can then
have other systems authenticating against Keycloak using a Koha username and
password.

This is a way of achieving the goal of bug 21577 without re-inventing the
wheel. Keycloak is a great open source identity management system backed by Red
Hat, and it's great that we can use it to build up Koha functionality. 

--

That being said... I should add a warning that this Keycloak extension relies
on a deprecated SPI. At some stage, it will go away, although it will be
replaced with a new system. At that point, I'll do a new Keycloak extension
that uses that. But good to know what's coming down the pipes...
