Setting Up n8n SSO with Self-Hosted Keycloak:

Step 1: Deploy Keycloak with Docker and PostgreSQL

1.1 Set Up PostgreSQL

Create a PostgreSQL instance for Keycloak’s data persistence.

mkdir -p ~/keycloak/postgres

Create a docker-compose.yml file for Keycloak and PostgreSQL:

version: '3.8'
services:
  postgres:
    image: postgres:16
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: secure_password
    volumes:
      - ./postgres:/var/lib/postgresql/data
    restart: unless-stopped
  keycloak:
    image: quay.io/keycloak/keycloak:26.0
    command: start
    environment:
      KC_DB: postgres
      KC_DB_URL: jdbc:postgresql://postgres:5432/keycloak
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: secure_password
      KC_HOSTNAME: auth.example.com
      # TLS is terminated by Nginx, which forwards X-Forwarded-* headers (see 1.2).
      # KC_PROXY=edge is deprecated (Keycloak 24 introduced proxy-headers in its
      # place); trust the forwarded headers and allow plain HTTP only on the
      # internal listener behind the proxy.
      KC_PROXY_HEADERS: xforwarded
      KC_HTTP_ENABLED: "true"
      # Keycloak 26 bootstraps the first admin user from these variables
      # (KEYCLOAK_ADMIN / KEYCLOAK_ADMIN_PASSWORD still work but are deprecated).
      KC_BOOTSTRAP_ADMIN_USERNAME: admin
      KC_BOOTSTRAP_ADMIN_PASSWORD: admin_secure_password
    ports:
      # Bind to loopback only: Nginx proxies to localhost:8080, and the plain-HTTP
      # listener must not be reachable from outside the host.
      - "127.0.0.1:8080:8080"
    depends_on:
      - postgres
    restart: unless-stopped

Save this as keycloak/docker-compose.yml. Replace secure_password and admin_secure_password with strong, unique values, and update auth.example.com to your Keycloak subdomain.

1.2 Configure Nginx for SSL

Set up Nginx as a reverse proxy to secure Keycloak with HTTPS.

Install Nginx:

sudo apt update
sudo apt install nginx

Create an Nginx configuration file:

sudo nano /etc/nginx/sites-available/keycloak

Add the following, replacing auth.example.com with your subdomain:

server {
    listen 80;
    server_name auth.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name auth.example.com;

    ssl_certificate /etc/letsencrypt/live/auth.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/auth.example.com/privkey.pem;

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Enable the configuration:

# nginx -t fails while the certificate files referenced by the ssl_* lines do
# not exist yet; in that case obtain the certificate with Certbot (next step) first.
sudo ln -s /etc/nginx/sites-available/keycloak /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx

Obtain an SSL certificate using Certbot:

sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d auth.example.com

1.3 Start Keycloak

Launch the Keycloak stack:

cd ~/keycloak
docker-compose up -d

Access the Keycloak admin console at https://auth.example.com/admin, logging in with admin and admin_secure_password. Change the admin password immediately for security.

Step 2: Configure Keycloak as a SAML Identity Provider

Keycloak will act as the Identity Provider (IdP) for n8n. We'll configure a SAML client and set up mappers for user attributes.

Get the required information from n8n

  1. Navigate to Settings -> SSO
  2. Save the Entity ID and Redirect URL

Create a SAML Client for n8n

  1. Navigate to Clients > Create Client.
  2. Set:
    • Client Type: SAML
    • Client ID: (n8n’s Entity ID from previous step, matching its base URL)
    • Name: n8n (Your choice)
  3. Configure:
    • Valid Redirect URIs: https://n8n.example.com/saml/acs (Redirect URI from previous step)
  4. Settings:
    • Name ID format: Email
    • Force name ID format: ON
    • Force POST binding: ON
    • Include AuthnStatement: ON
    • Sign Document: ON
    • Sign Assertions: ON
    • Client Signature Required: Off
  5. Save the client.
  [Screenshots of the client settings omitted]

Configure Mappers

Mappers define how user attributes are sent to n8n.

  1. In the n8n client, open the Client scopes tab and select the client's dedicated scope (it is named after the Entity ID, e.g. https://yourdomain.com/rest/sso/saml/metadata-dedicated).
  2. Choose Add mapper -> By configuration -> User Property.
  3. Create one mapper per user attribute; each one is configured as in the screenshots.

  [Screenshots of the individual mapper configurations omitted]

Export SAML Metadata

  1. Go to Realm Settings > SAML 2.0 Identity Provider Metadata.
  2. Download the XML file or copy the metadata URL (e.g., https://auth.example.com/realms/n8n-realm/protocol/saml/descriptor).

Set up n8n to use the SAML metadata

  [Screenshot of the n8n SSO settings page with the imported metadata omitted]

Edit metadata

Locate <md:IDPSSODescriptor WantAuthnRequestsSigned="true" in the XML and change true to false. n8n does not sign its AuthnRequests (Client Signature Required was set to Off above), so the IdP metadata must not state that signed requests are required.

The result should look like <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
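A small check for the metadata edit above, written here as an added example (not part of the original post, nor n8n's or Keycloak's own code): it parses a constructed sample shaped like the realm descriptor, confirms that the signing certificate and the HTTP-POST SSO endpoint the client settings rely on are present, and flips WantAuthnRequestsSigned to false before the file is imported into n8n.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
for prefix, uri in NS.items():  # keep the md:/ds: prefixes when serialising
    ET.register_namespace(prefix, uri)
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like Keycloak's realm descriptor; the certificate value is a placeholder.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://auth.example.com/realms/n8n-realm">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://auth.example.com/realms/n8n-realm/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://auth.example.com/realms/n8n-realm/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def check_and_patch(metadata_xml: str) -> tuple[str, dict]:
    """Validate the IdP metadata for n8n and return (patched XML, report)."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    # n8n verifies the signed assertions with the IdP signing certificate; it must be present.
    certs = idp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not any((c.text or "").strip() for c in certs):
        raise ValueError("no signing certificate in metadata; n8n cannot verify assertions")
    # Force POST binding was enabled on the client, so an HTTP-POST SSO endpoint must be advertised.
    post_sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                if s.get("Binding") == POST_BINDING]
    if not post_sso:
        raise ValueError("no HTTP-POST SingleSignOnService endpoint in metadata")
    # n8n does not sign its AuthnRequests (Client Signature Required is Off), so the
    # metadata must not demand signed requests: this is the manual edit from the post.
    before = idp.get("WantAuthnRequestsSigned")
    idp.set("WantAuthnRequestsSigned", "false")
    report = {"entity_id": root.get("entityID"), "signing_certs": len(certs),
              "post_sso_url": post_sso[0], "want_authn_requests_signed_before": before}
    return ET.tostring(root, encoding="unicode"), report

if __name__ == "__main__":
    patched_xml, info = check_and_patch(SAMPLE_METADATA)
    print(info)
```

Point it at the descriptor downloaded from the realm (read the file instead of SAMPLE_METADATA) and write the returned XML to the file you import into n8n.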

Test the Setup

  1. Open an incognito browser window and navigate to https://n8n.example.com.
  2. You should be redirected to Keycloak’s login page.
  3. Log in with a Keycloak user (create one in Users > Add User if needed, ensuring the email matches an n8n user).
  4. Upon successful authentication, you should be redirected to n8n’s dashboard.
