sso

sso-config/README.md

@@ -0,0 +1,52 @@
+# SSO Configuration for KMS Testing
+
+This directory contains configuration files for testing SSO integration with the KMS application.
+
+## Directory Structure
+
+```
+sso-config/
+├── keycloak/
+│   └── kms-realm.json          # Keycloak realm configuration
+└── README.md                   # This file
+```
+
+## Test Users
+
+The following test users are configured in both identity providers:
+
+| Email | Password | Permissions | Description |
+|-------|----------|-------------|-------------|
+| admin@example.com | admin123 | internal.* | Full administrative access |
+| test@example.com | test123 | app.read, token.read | Standard user access |
+| limited@example.com | limited123 | repo.read | Limited access user |
+
+## Keycloak Configuration
+
+- **Admin Console**: http://localhost:8090
+- **Admin Credentials**: admin / admin
+- **Realm**: kms
+- **Client ID**: kms-api
+- **Client Secret**: kms-client-secret
+
+### Key Features:
+- Pre-configured realm with test users
+- OpenID Connect protocol support
+- Custom attribute mapping for permissions
+- Proper redirect URIs for local development
+
+## SimpleSAMLphp Configuration
+
+- **Admin Console**: http://localhost:8091/simplesaml
+- **Admin Credentials**: admin / secret
+- **Test Users**: user1 / user1pass, user2 / user2pass
+
+### Key Features:
+- SAML 2.0 Identity Provider
+- Pre-configured service provider settings
+- Test certificates (DO NOT use in production)
+- Metadata endpoint available
+
+## Usage
+
+See the main CLAUDE.md file for detailed usage instructions.

sso-config/keycloak/kms-realm.json

@@ -0,0 +1,158 @@
+{
+  "realm": "kms",
+  "displayName": "KMS Test Realm",
+  "enabled": true,
+  "registrationAllowed": false,
+  "loginWithEmailAllowed": true,
+  "duplicateEmailsAllowed": false,
+  "resetPasswordAllowed": true,
+  "editUsernameAllowed": false,
+  "bruteForceProtected": false,
+  "loginTheme": "keycloak",
+  "accountTheme": "keycloak",
+  "adminTheme": "keycloak",
+  "emailTheme": "keycloak",
+  "sslRequired": "external",
+  "accessTokenLifespan": 3600,
+  "accessTokenLifespanForImplicitFlow": 900,
+  "ssoSessionIdleTimeout": 1800,
+  "ssoSessionMaxLifespan": 36000,
+  "refreshTokenMaxReuse": 0,
+  "accessCodeLifespan": 60,
+  "accessCodeLifespanUserAction": 300,
+  "accessCodeLifespanLogin": 1800,
+  "actionTokenGeneratedByAdminLifespan": 43200,
+  "actionTokenGeneratedByUserLifespan": 300,
+  "users": [
+    {
+      "username": "admin@example.com",
+      "email": "admin@example.com",
+      "firstName": "Admin",
+      "lastName": "User",
+      "enabled": true,
+      "emailVerified": true,
+      "credentials": [
+        {
+          "type": "password",
+          "value": "admin123",
+          "temporary": false
+        }
+      ],
+      "attributes": {
+        "permissions": ["internal.*"]
+      },
+      "realmRoles": ["admin"]
+    },
+    {
+      "username": "test@example.com", 
+      "email": "test@example.com",
+      "firstName": "Test",
+      "lastName": "User",
+      "enabled": true,
+      "emailVerified": true,
+      "credentials": [
+        {
+          "type": "password",
+          "value": "test123",
+          "temporary": false
+        }
+      ],
+      "attributes": {
+        "permissions": ["app.read", "token.read"]
+      },
+      "realmRoles": ["user"]
+    },
+    {
+      "username": "limited@example.com",
+      "email": "limited@example.com", 
+      "firstName": "Limited",
+      "lastName": "User",
+      "enabled": true,
+      "emailVerified": true,
+      "credentials": [
+        {
+          "type": "password",
+          "value": "limited123",
+          "temporary": false
+        }
+      ],
+      "attributes": {
+        "permissions": ["repo.read"]
+      },
+      "realmRoles": ["user"]
+    }
+  ],
+  "roles": {
+    "realm": [
+      {
+        "name": "admin",
+        "description": "Administrator role"
+      },
+      {
+        "name": "user",
+        "description": "Standard user role"
+      }
+    ]
+  },
+  "clients": [
+    {
+      "clientId": "kms-api",
+      "name": "KMS API Client",
+      "description": "Client for KMS API authentication",
+      "enabled": true,
+      "clientAuthenticatorType": "client-secret",
+      "secret": "kms-client-secret",
+      "redirectUris": [
+        "http://localhost:8081/*",
+        "http://localhost:8080/*",
+        "http://localhost:3000/*"
+      ],
+      "webOrigins": [
+        "http://localhost:8081",
+        "http://localhost:8080", 
+        "http://localhost:3000"
+      ],
+      "protocol": "openid-connect",
+      "publicClient": false,
+      "bearerOnly": false,
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": true,
+      "serviceAccountsEnabled": false,
+      "attributes": {
+        "access.token.lifespan": "3600"
+      },
+      "protocolMappers": [
+        {
+          "name": "email",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-property-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "email",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "email",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "name": "permissions",
+          "protocol": "openid-connect", 
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "permissions",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "permissions",
+            "jsonType.label": "JSON",
+            "multivalued": "true"
+          }
+        }
+      ]
+    }
+  ]
+}