IDEA: SAML + WS-Federation authorization support?


#1

Shiny Proxy is great, especially with its security features like LDAP support. However, there are some cases where we want to have an alternative to LDAP.

I think SAML + WS Federation support would be a great addition to Shiny Proxy.

Thanks,
Babacar Diouf


#2

I agree with this, Babacar. OAuth will also be a need in the future.


#3

Hi @Babacar_Diouf, @hitfuture,

For reference, ShinyProxy 0.9.0 has been released and contains a new authentication mechanism, authentication: keycloak, that opens a world of possibilities: when this option is activated, all advanced identity and access management functionality of Keycloak becomes available: User Federation, Identity Brokering, Social Login, etc.

See https://www.shinyproxy.io/downloads/ and https://www.shinyproxy.io/configuration/#single-sign-on-keycloak for the configuration.

Best,
Tobias


#4

@tverbeke, This is a great addition! I can’t thank you enough for your effort! I have one question now!

How can I properly apply group configuration settings (scientists, mathematicians, etc., for particular app access) to the Keycloak settings in the Shiny Proxy configuration file?

I am looking at the documentation, but I don’t see where I can connect the Keycloak user to particular Shiny applications:

ex. groups: scientists, mathematicians

shiny:
  proxy:

  [...]

    keycloak:
      realm: yoursso
      auth-server-url: http://yoururl.com:8180/auth
      resource: yourresource
      credentials-secret: your-credentials-secret

Thanks,
Babacar Diouf


#5

Hi @Babacar_Diouf,

The configuration of groups still happens using the groups field in the application configurations for particular apps. The keycloak integration takes care of the rest (i.e. only giving access to a user if it is part of the group as defined by the back-end behind keycloak).

Best regards,
Tobias


#6

Hi Tobias,
Thank you for making this happen. We’re in the process of implementing Keycloak and will share how we are federating with customers once this is up and running in production. I’ll come back on the site soon to give you feedback.
Brett


#7

Hi @tverbeke,
I am trying to set up groups for users via Keycloak for application access in ShinyProxy.

In the application.yml I have defined the groups of my Shiny Apps and keycloak deployment via:

authentication: keycloak

keycloak:
  auth-server-url: http://localhost:8180/auth
  realm: shinyproxy
  public-client: true
  resource: shinyproxy-app
  credentials-secret: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

apps:
- name: Employee Catalog
  display-name: employee catalog
  docker-image: test/employeecatalog
  groups: managers

In my KeyCloak console:

  • Created realm: shinyproxy setup along with its users and groups.
  • Assigned groups within the realm, in this case group: managers
  • Created user: bob and added him to group: managers

Issue:
When I successfully log in to ShinyProxy through Keycloak, the Shiny application Employee Catalog does not show up. I can confirm that this app is successfully deployed. I have noticed that when I remove the groups field or keep it blank, the application then shows up when I log in as bob.

Am I setting up the groups incorrectly?

Feedback would be great,
Thanks.


#8

Hi @Babacar_Diouf,

Unfortunately, there is a bit of a naming mismatch in groups vs roles.
ShinyProxy uses the term ‘groups’, as in ‘ldap groups’ and such. But Keycloak authorities are collected in roles rather than groups. See https://keycloak.gitbooks.io/documentation/server_admin/topics/groups/groups-vs-roles.html

Can you try creating a role ‘managers’ in Keycloak, and assigning this role either to the group managers, or to the user bob directly?

Regards,
Frederick
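
The groups-versus-roles mismatch described in this reply, as an added example that is not part of the original post or ShinyProxy's own code. It assumes ShinyProxy matches an app's groups field case-insensitively against the realm roles in Keycloak's realm_access claim; the second app, the token contents and all function names are constructed for illustration.

```python
import base64
import json

# 'groups' per app as in the application.yml from post #7; "Open App" is a
# constructed second app with no groups restriction.
APPS = [{"name": "Employee Catalog", "groups": ["managers"]},
        {"name": "Open App", "groups": []}]

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def realm_roles(claims):
    """Realm roles from Keycloak's realm_access claim, upper-cased for matching."""
    return {r.upper() for r in claims.get("realm_access", {}).get("roles", [])}

def visible_apps(claims, apps=APPS):
    """Assumed rule: an app with no groups is open; otherwise a role must match."""
    roles = realm_roles(claims)
    return [a["name"] for a in apps
            if not a["groups"] or roles & {g.upper() for g in a["groups"]}]

def sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "none"})}.{enc(claims)}.'

# Constructed claims for bob: group membership only, then with the realm role added.
BOB_GROUP_ONLY = sample_token({"preferred_username": "bob", "groups": ["/managers"],
                               "realm_access": {"roles": ["offline_access"]}})
BOB_WITH_ROLE = sample_token({"preferred_username": "bob", "groups": ["/managers"],
                              "realm_access": {"roles": ["offline_access", "managers"]}})

if __name__ == "__main__":
    for label, tok in [("group only", BOB_GROUP_ONLY), ("role assigned", BOB_WITH_ROLE)]:
        print(label, "->", visible_apps(jwt_claims(tok)))
```

Decoding a real access token the same way shows whether the expected role actually reaches the application, which is the first thing to check when a group-restricted app is missing from the list.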


#9

Thanks, worked like a charm:

Creating a Keycloak role: managers and assigning it to the user: bob solved my solution!

Thanks a bunch!