diff --git a/.wordlist.txt b/.wordlist.txt index 5b72228e360..44c51cbb1d6 100644 --- a/.wordlist.txt +++ b/.wordlist.txt @@ -1612,3 +1612,14 @@ subcommand toolset toolsets wix + + content/knowledge_base/tips/setup_keycloak.md +-------------------------------------------------------------------------------- +Authentik +Keycloak +Keycloak's +OpenID +Zitadel +acknowledgement +multifactor +themeable \ No newline at end of file diff --git a/content/knowledge_base/tips/setup_keycloak.md b/content/knowledge_base/tips/setup_keycloak.md new file mode 100644 index 00000000000..854d8797070 --- /dev/null +++ b/content/knowledge_base/tips/setup_keycloak.md @@ -0,0 +1,384 @@ +# How to set up OIDC authentication using Keycloak + +This guide walks you through the configuration of +[Keycloak](https://www.keycloak.org/) as an OIDC authentication provider for +Velociraptor. + +Keycloak, as a self-hosted, free, and open source solution, may be an attractive +choice for Velociraptor deployments where using cloud-based and/or commercial +providers is not practical or possible. Most of the steps shown here would be +the same or similar for other self-hosted OIDC solutions (for example Zitadel or +Authentik), so it may be useful even if you are not using Keycloak. + +{{% notice warning "Production deployment of Keycloak" %}} + +Keycloak is a Java application which can be installed manually or deployed via +several officially documented container-based methods. This guide partly mirrors Keycloak's +[Getting started guide](https://www.keycloak.org/getting-started/getting-started-docker) +which uses Docker to create a _"development mode" instance_ of Keycloak. This +method starts a working Keycloak instance but does not create a persistent +database or a production-ready secured server, since the goal here is only to +demonstrate the integration with Velociraptor. + +For production-ready deployment guidance we refer you to +[Configuring Keycloak for production](https://www.keycloak.org/server/configuration-production) +and the official [Keycloak documentation](https://www.keycloak.org/documentation). + +{{% /notice %}} + +As mentioned above, the goal of this guide is to demonstrate a working SSO +configuration for Velociraptor using Keycloak. The basic steps and configuration +will be very similar or even identical for production deployments however some +of the steps shown here are deliberately over-simplified for reasons of brevity +and therefore do not reflect security best practices. Also Keycloak has a vast +array of options and capabilities, which we recommend you explore later, but the +intention here is to get up and running with a basic working integration since +it is better to start simple and be sure that it's working as expected before +possibly adding complexity to it. + +In this simplified setup we have two hosts, with DNS names `keycloak.local` and +`velociraptor.local`. Substitute your DNS names where applicable. The two hosts +don't need to be on the same network but the Velociraptor host needs to be able +to DNS-resolve the name of the Keycloak server and reach it on port 443. It's +not necessary that the Keycloak server be able to resolve the Velociraptor +server's DNS name but your server probably already has a DNS name already so +that clients can connect to it. + +![Network overview](network_overview.svg) + +The high-level steps of this setup process are: + +1. Create a self-hosted Docker-based Keycloak instance. +2. Configure an authentication realm, OIDC client and test users in Keycloak. +3. Configure the authentication provider in Velociraptor. +4. Add test users to Velociraptor. +5. Test the authentication process. + + +## Create a Docker-based Keycloak instance + +We assume that Docker has already been installed and configured on the +designated Keycloak host. We aren't going to use Docker Compose but for +production deployment you might prefer to do so, and example configurations can +be found on the internet. + +Before we install Keycloak we are going to need a certificate for it to use. Here +we will generate a simple self-signed cert with corresponding private key but ideally in +production you would have a cert signed by a trusted CA. + +**1. Generate a key pair** + +```sh +# Create keycloak-server.crt.pem and keycloak-server.key.pem +openssl req -newkey rsa:2048 -nodes -subj "/CN=keycloak.local" \ +-addext "subjectAltName=DNS:keycloak.local,IP:192.168.56.1" \ +-keyout keycloak-server.key.pem -x509 -days 3650 -out keycloak-server.crt.pem +# Set appropriate permissions on files +chmod -R 644 keycloak-server* +``` + +NOTE: The certificate SAN is required by Velociraptor. If not present you will receive +this error when trying to start Velociraptor.\ +`error: gui: starting frontend: Get "https://keycloak.local/.well-known/openid-configuration": x509: certificate relies on legacy Common Name field, use SANs instead`\ +Putting the IP in the SAN is not really necessary but helpful if you need to +connect to Keycloak's admin page using it's IP. + +Now that we have the key pair we can run Docker which will pull the latest +Keycloak image (26.0.7 at the time of writing). + +**2. Run the Docker command.** + +```sh +docker run -p 443:443 -e KC_HOSTNAME=keycloak.local \ +-e KC_BOOTSTRAP_ADMIN_USERNAME=admin -e KC_BOOTSTRAP_ADMIN_PASSWORD=admin \ +-v /root/keycloak-server.crt.pem:/etc/x509/https/keycloak-server.crt.pem \ +-v /root/keycloak-server.key.pem:/etc/x509/https/keycloak-server.key.pem \ +-e KC_HTTPS_CERTIFICATE_FILE=/etc/x509/https/keycloak-server.crt.pem \ +-e KC_HTTPS_CERTIFICATE_KEY_FILE=/etc/x509/https/keycloak-server.key.pem \ +quay.io/keycloak/keycloak:latest start-dev --https-port=443 +``` + +We set various Keycloak config options as Docker environment variables and +make the cert and private key available inside the Docker using volume mapping. + +If the Docker fails to start, you should inspect the command output for errors. +If successful it should report +`Listening on: http://0.0.0.0:8080 and https://0.0.0.0:443`. + +The KC_BOOTSTRAP* variables create an initial user `admin` with password +`admin` which we use to configure Keycloak in the next section. + +## Configure Keycloak + +Next we go through the steps that are almost the same as described in Keycloak's +[Getting started guide](https://www.keycloak.org/getting-started/getting-started-docker). + +Connect to Keycloak's Admin Console (in this case: https://keycloak.local) and +log in with the `admin` user. + +**3. Create an authentication realm** + +![](keycloak00.png) + +You can use any name for the realm but here we are going to just use `myrealm` +for convenience. + +![](keycloak01.png) + +Click **Create**. + +**4. Create OIDC client configuration for Velociraptor** + +In this step we create a new client record and client secret which we will use +later in the Velociraptor configuration. In the realm selection drop-down ensure +that you are in the new `myrealm` realm. + +In the sidebar select **Clients** and then select **Create client**. + +![](keycloak02.png) + +This will start a 3-page configuration wizard. On the first page the **Client +ID** is all that's required. Enter `velociraptor` and click **Next**. + +![](keycloak03.png) + +On the second page, choose **Client authentication: ON** and +**Authentication flow: Standard flow** (only). Then click **Next**. + +![](keycloak04.png) + +On the third page we use the following values (adapt to your DNS names if your +are replicating the setup in your own environment): + +- Valid redirect URIs: `https://velociraptor.local:8889/auth/oidc/keycloak/callback` +- Valid post logout redirect URIs: + `https://velociraptor.local:8889/app/logoff.html` +- Web origins: `https://velociraptor.local` + +![](keycloak05.png) + +Then click **Save**. Your OIDC client configuration is now created. + +On the page that follows, go to the **Credentials** tab. There you will find the +**Client secret** which you will need for your Velociraptor configuration. It is +randomly generated and you can regenerate it if desired, but if you do so then +don't forget to update your Velociraptor server's config with the new secret. +Typically you would only regenerate it if you suspected a compromised secret. + +![](keycloak06.png) + +The next action is to configure email addresses as login usernames. To do that +navigate via the sidebar to **Realm settings** > **Login** tab. Ensure that +**Email as username** and **Login with email** are enabled. The additional user +preferences shown in the following screenshot are optional and in your case +would be determined by your organizational policies. + +![](keycloak08.png) + +The last action in this step is to configure the required actions for +authentication so that users don't have to enter additional information when +they first log in. +Navigate via the sidebar to **Authentication** > **Required actions** tab. +Disable all options except **Update password**. + +**5. Create test users** + +We will need at least one user account to test the authentication. From the +sidebar select **Users** and then click the **Create new user** button. + +![](keycloak07.png) + +For the user account I am going to create one named `bob@local`. Remember that +we previously enabled **Email as username** and **Login with email**, so all +other fields are optional. I also selected **Email verified** to avoid an email +verification step when logging in. + +![](keycloak09.png) + +After creating the account, go to the Credentials tab and set a password. Note +that we leave **Temporary:ON** set so that the password must be changed on first +logon. Note also that this is a simplified demonstration so for that reason +we're ONLY using password auth while Keycloak easily supports multi-factor +authentication. + +![](keycloak10.png) + +Repeat the user creation actions to also create a user account +`fred@local`. + +![](keycloak11.png) + +Now we are ready to move to configuring the Velociraptor side of things. + +## Configure Velociraptor + +{{% notice tip %}} + +While configuring, testing and potentially troubleshooting problems, it's +easier if you can see Velociraptor's log messages. You can stop the server +service and then run the server manually on the command line by using the +following commands: + +```bash +sudo systemctl stop velociraptor_server +sudo -u velociraptor bash +velociraptor -c /etc/velociraptor/server.config.yaml frontend -v +``` + +This will display the log messages in the terminal. + +{{% /notice %}} + +**6. Add the authenticator settings to your Velciraptor config** + +In the `GUI` section of your Velociraptor config you should have the following +authenticator settings by default: + +```yaml + authenticator: + type: Basic +``` + +We no longer want Basic auth and instead want SSO, so replace that with these +new settings to match our Keycloak configuration: + +```yaml + type: oidc + oidc_issuer: https://keycloak.local/realms/myrealm + oidc_name: keycloak + avatar: https://www.keycloak.org/resources/images/logo.svg + oauth_client_id: velociraptor + oauth_client_secret: p4EABoniopnasbrmstDnsHrQcSukNmp2 +``` + +The `oauth_client_secret` is the value we obtained at the end of step 4. The +`oauth_client_id` is the name we used for the OIDC Client ID in that same +section. + +The `oidc_name` can be anything you want but it must exactly match +(case-sensitive) the substring used in the **Valid redirect URIs** field of the +client configuration in Keycloak. + +Keycloak requires that the `oidc_issuer` field specify the path +`/realms/myrealm` as this is where is serves the OpenID Endpoint Configuration +that Velociraptor will need to access. If you have somehow gotten this wrong +then Velociraptor will log an error such as: +`[ERROR] can not get information from OIDC provider, check https://keycloak.local/.well-known/openid-configuration is correct and accessible from the server.` + +Before you start Velociraptor, if you are using a self-signed cert for Keycloak +then also attend to the next step. + +**7. Copy the Keycloak server cert to the trusted root store.** + +Because the Keycloak server is using a certificate that wasn't issued by a +trusted CA, we need to add it's certificate to the trusted root store on the +Velociraptor server. Assuming your server is Ubuntu or similar this means saving +a copy of the certificate to `/etc/ssl/certs`. + +Without this step you will see this error in the log when attempting to start +Velociraptor: +`error: gui: starting frontend: Get "https://keycloak.local/...": x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "keycloak.local")` + +**8. Start Velociraptor** + +The server should now start cleanly and continue running. In the log messages +you should see `GUI will use the oidc authenticator`. That means everything is +OK with the authenticator config. + +One possible gotcha is if the server's `GUI.public_url` setting is still using +an IP address or if `GUI.bind_address` is not set to `0.0.0.0` then you may get +stopped with the error: +`error: gui: starting frontend: Authentication type 'oidc' requires valid public_url parameter` + +In this case the `GUI.public_url` is set to `https://velociraptor.local:8889/`. + + +## Add test users + +We have created 2 users in Keycloak but these users don't yet exist in +Velociraptor. Velociraptor has it's own permissions model and therefore needs to +know about any users so that once they authenticate the correct permissions can +be applied. + +Users can be created using VQL in Velociraptor notebooks but since we have now +switched authentication providers we no longer have access to the GUI. Of course +we could have added the users before we switched but let's pretend we didn't and +instead do it from the command line. + +We will make `bob@local` a server admin and grant `fred@local` the "reader" +role, which provides minimal access to Velociraptor's GUI. The following two +commands will create these users: + +**9. Add users to the datastore** + +```sh +velociraptor --config server.config.yaml user add --role administrator bob@local +velociraptor --config server.config.yaml user add --role reader fred@local +``` + +NOTE: We provide the `--config` flag so that this invocation of the velociraptor +binary knows which datastore to add the new users to. This can be done while the +server service is running or not running, but either way the service will need +to be restarted to update itself with the datastore changes. + +Because of our OIDC authenticator config, when adding each user we will receive +an acknowledgement message saying +`"Authentication will occur via oidc - therefore no password needs to be set."` + +## Test authentication process + +Test the authentication process by going to `https://velociraptor.local:8889/` + +You will be presented with the choice to log in with Keycloak (multiple +authentication providers are supported but we only have one configured). + +![](auth00.png) + +Enter initial credentials (password that was set in Keycloak). + +![Login page](auth01.png) + +You will be required to change the password because we configured +**Temporary:ON** when setting the account's password. + +![Change the password](auth02.png) + +![Successful login!](auth03.png) + +![We can verify that the user has the server admin role.](auth04.png) + +![We can sign out... and sign in again.](auth05.png) + +The same process applies to `fred@local` except that we can verify in +Velociraptor that the user has the read-only role. + +{{% notice tip %}} + +For testing multiple users in the same web browser you may have trouble +fully logging a user out because while logged out of Velociraptor the OIDC +session is still active. + +Logout of the OIDC session can be achieved by +navigating to the the endpoint +`https://keycloak.local/realms/myrealm/protocol/openid-connect/logout` +from within the same web browser and choosing to log out. + +{{% /notice %}} + +## What next? + +Once you have the working authentication setup, as per this guide, then you can +begin experimenting with additional options while knowing that any change which +causes a negative effect can be reverted back to a known working state. This is +a much easier approach than diving in with a complex configuration and spending +hours troubleshooting why it doesn't work. + +Since the Docker installation used in the guide is non-permanent it will reset +when you restart the docker VM. For testing and experimenting that's a good +thing as you gain familiarity by going through the process. As mentioned, +Keycloak supports multifactor authentication, complex authentication flow +options, themeable login screens, and many other cool features. However for +permanent configuration you will need to learn how to create a persistent +Keycloak database, possibly using a different deployment method. + +Tags: #configuration #sso #deployment \ No newline at end of file diff --git a/content/knowledge_base/tips/setup_keycloak/auth00.png b/content/knowledge_base/tips/setup_keycloak/auth00.png new file mode 100644 index 00000000000..a3814d82ef4 Binary files /dev/null and b/content/knowledge_base/tips/setup_keycloak/auth00.png differ diff --git a/content/knowledge_base/tips/setup_keycloak/auth01.png b/content/knowledge_base/tips/setup_keycloak/auth01.png new file mode 100644 index 00000000000..d6cf4f423cd Binary files /dev/null and b/content/knowledge_base/tips/setup_keycloak/auth01.png differ diff --git a/content/knowledge_base/tips/setup_keycloak/auth02.png b/content/knowledge_base/tips/setup_keycloak/auth02.png new file mode 100644 index 00000000000..5b88a1a1633 Binary files /dev/null and b/content/knowledge_base/tips/setup_keycloak/auth02.png differ diff --git a/content/knowledge_base/tips/setup_keycloak/auth03.png b/content/knowledge_base/tips/setup_keycloak/auth03.png new file mode 100644 index 00000000000..574799b067b Binary files /dev/null and b/content/knowledge_base/tips/setup_keycloak/auth03.png differ diff --git a/content/knowledge_base/tips/setup_keycloak/auth04.png b/content/knowledge_base/tips/setup_keycloak/auth04.png new file mode 100644 index 00000000000..834ed173d61 Binary files /dev/null and b/content/knowledge_base/tips/setup_keycloak/auth04.png differ diff --git a/content/knowledge_base/tips/setup_keycloak/auth05.png b/content/knowledge_base/tips/setup_keycloak/auth05.png new file mode 100644 index 00000000000..5a69d9477c2 Binary files /dev/null and b/content/knowledge_base/tips/setup_keycloak/auth05.png differ diff --git a/content/knowledge_base/tips/setup_keycloak/keycloak00.png b/content/knowledge_base/tips/setup_keycloak/keycloak00.png new file mode 100644 index 00000000000..dded5375a9d Binary files /dev/null and b/content/knowledge_base/tips/setup_keycloak/keycloak00.png differ diff --git a/content/knowledge_base/tips/setup_keycloak/keycloak01.png b/content/knowledge_base/tips/setup_keycloak/keycloak01.png new file mode 100644 index 00000000000..e3558e259ab Binary files /dev/null and b/content/knowledge_base/tips/setup_keycloak/keycloak01.png differ diff --git a/content/knowledge_base/tips/setup_keycloak/keycloak02.png b/content/knowledge_base/tips/setup_keycloak/keycloak02.png new file mode 100644 index 00000000000..ad24b05aa9c Binary files /dev/null and b/content/knowledge_base/tips/setup_keycloak/keycloak02.png differ diff --git a/content/knowledge_base/tips/setup_keycloak/keycloak03.png b/content/knowledge_base/tips/setup_keycloak/keycloak03.png new file mode 100644 index 00000000000..87fd4c13d74 Binary files /dev/null and b/content/knowledge_base/tips/setup_keycloak/keycloak03.png differ diff --git a/content/knowledge_base/tips/setup_keycloak/keycloak04.png b/content/knowledge_base/tips/setup_keycloak/keycloak04.png new file mode 100644 index 00000000000..eb2219e17d6 Binary files /dev/null and b/content/knowledge_base/tips/setup_keycloak/keycloak04.png differ diff --git a/content/knowledge_base/tips/setup_keycloak/keycloak05.png b/content/knowledge_base/tips/setup_keycloak/keycloak05.png new file mode 100644 index 00000000000..9c929fa6b93 Binary files /dev/null and b/content/knowledge_base/tips/setup_keycloak/keycloak05.png differ diff --git a/content/knowledge_base/tips/setup_keycloak/keycloak06.png b/content/knowledge_base/tips/setup_keycloak/keycloak06.png new file mode 100644 index 00000000000..57683221479 Binary files /dev/null and b/content/knowledge_base/tips/setup_keycloak/keycloak06.png differ diff --git a/content/knowledge_base/tips/setup_keycloak/keycloak07.png b/content/knowledge_base/tips/setup_keycloak/keycloak07.png new file mode 100644 index 00000000000..3bc7685992a Binary files /dev/null and b/content/knowledge_base/tips/setup_keycloak/keycloak07.png differ diff --git a/content/knowledge_base/tips/setup_keycloak/keycloak08.png b/content/knowledge_base/tips/setup_keycloak/keycloak08.png new file mode 100644 index 00000000000..0cfe189ada8 Binary files /dev/null and b/content/knowledge_base/tips/setup_keycloak/keycloak08.png differ diff --git a/content/knowledge_base/tips/setup_keycloak/keycloak081.png b/content/knowledge_base/tips/setup_keycloak/keycloak081.png new file mode 100644 index 00000000000..13fff7a9190 Binary files /dev/null and b/content/knowledge_base/tips/setup_keycloak/keycloak081.png differ diff --git a/content/knowledge_base/tips/setup_keycloak/keycloak09.png b/content/knowledge_base/tips/setup_keycloak/keycloak09.png new file mode 100644 index 00000000000..fcf079b6dc1 Binary files /dev/null and b/content/knowledge_base/tips/setup_keycloak/keycloak09.png differ diff --git a/content/knowledge_base/tips/setup_keycloak/keycloak10.png b/content/knowledge_base/tips/setup_keycloak/keycloak10.png new file mode 100644 index 00000000000..5e9c8b45f23 Binary files /dev/null and b/content/knowledge_base/tips/setup_keycloak/keycloak10.png differ diff --git a/content/knowledge_base/tips/setup_keycloak/keycloak11.png b/content/knowledge_base/tips/setup_keycloak/keycloak11.png new file mode 100644 index 00000000000..8e1e1ad6bb1 Binary files /dev/null and b/content/knowledge_base/tips/setup_keycloak/keycloak11.png differ diff --git a/content/knowledge_base/tips/setup_keycloak/network_overview.excalidraw b/content/knowledge_base/tips/setup_keycloak/network_overview.excalidraw new file mode 100644 index 00000000000..246dcefd56f --- /dev/null +++ b/content/knowledge_base/tips/setup_keycloak/network_overview.excalidraw @@ -0,0 +1,989 @@ +{ + "type": "excalidraw", + "version": 2, + "source": "https://excalidraw.com", + "elements": [ + { + "id": "OASUbis4fdyAGsgo3_5NL", + "type": "text", + "x": 920, + "y": 327.5, + "width": 180, + "height": 25, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [ + "ApWRNd72YOw7xCf35_u6O" + ], + "frameId": null, + "index": "b9iV", + "roundness": null, + "seed": 1591193459, + "version": 109, + "versionNonce": 1738375197, + "isDeleted": false, + "boundElements": null, + "updated": 1735324012865, + "link": null, + "locked": false, + "text": "velociraptor.local", + "fontSize": 20, + "fontFamily": 5, + "textAlign": "center", + "verticalAlign": "top", + "containerId": null, + "originalText": "velociraptor.local", + "autoResize": false, + "lineHeight": 1.25 + }, + { + "id": "A3mMjkn9XVXUsHkLDhWTh", + "type": "rectangle", + "x": 900, + "y": 300, + "width": 219.99999999999997, + "height": 80, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [ + "ApWRNd72YOw7xCf35_u6O" + ], + "frameId": null, + "index": "b9j", + "roundness": { + "type": 3 + }, + "seed": 2102948851, + "version": 63, + "versionNonce": 1415403059, + "isDeleted": false, + "boundElements": [ + { + "id": "vWAF1ijuR5sWA6ytrODJJ", + "type": "arrow" + } + ], + "updated": 1735399206943, + "link": null, + "locked": false + }, + { + "id": "u8KHrsMWUULONIapgHb8p", + "type": "text", + "x": 490, + "y": 327.5, + "width": 202.99999999999997, + "height": 25, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [ + "r12pqXKul7qBKgxnq1KU_" + ], + "frameId": null, + "index": "b9jV", + "roundness": null, + "seed": 666553235, + "version": 115, + "versionNonce": 237135805, + "isDeleted": false, + "boundElements": null, + "updated": 1735398547181, + "link": null, + "locked": false, + "text": "keycloak.local", + "fontSize": 20, + "fontFamily": 5, + "textAlign": "center", + "verticalAlign": "top", + "containerId": null, + "originalText": "keycloak.local", + "autoResize": false, + "lineHeight": 1.25 + }, + { + "id": "JXTkVWYDd3e_t3zZDNReT", + "type": "rectangle", + "x": 481.5, + "y": 300, + "width": 219.99999999999997, + "height": 80, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [ + "r12pqXKul7qBKgxnq1KU_" + ], + "frameId": null, + "index": "b9k", + "roundness": { + "type": 3 + }, + "seed": 1594833043, + "version": 85, + "versionNonce": 299324883, + "isDeleted": false, + "boundElements": [ + { + "id": "eb06lrqjo-LyMd0S_Lh8q", + "type": "arrow" + } + ], + "updated": 1735399229378, + "link": null, + "locked": false + }, + { + "id": "kuHqChbxI6aTZEc9d2cKi", + "type": "arrow", + "x": 712.5150237428315, + "y": 338.96543240222326, + "width": 169.4948340376548, + "height": 0.02801531999866928, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "dashed", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b9p", + "roundness": { + "type": 2 + }, + "seed": 752266099, + "version": 303, + "versionNonce": 279588605, + "isDeleted": false, + "boundElements": [], + "updated": 1735399233389, + "link": null, + "locked": false, + "points": [ + [ + 0, + -1.002970259441968 + ], + [ + 88.9344259837313, + -0.9750649841217048 + ], + [ + 169.4948340376548, + -1.003080304120374 + ] + ], + "lastCommittedPoint": null, + "startBinding": null, + "endBinding": null, + "startArrowhead": "arrow", + "endArrowhead": null, + "elbowed": false + }, + { + "id": "vWAF1ijuR5sWA6ytrODJJ", + "type": "arrow", + "x": 907, + "y": 478, + "width": 46, + "height": 80, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "bA3", + "roundness": { + "type": 2 + }, + "seed": 2075391165, + "version": 134, + "versionNonce": 1321700787, + "isDeleted": false, + "boundElements": null, + "updated": 1735399180442, + "link": null, + "locked": false, + "points": [ + [ + 0, + 0 + ], + [ + 23, + -39 + ], + [ + 46, + -80 + ] + ], + "lastCommittedPoint": null, + "startBinding": null, + "endBinding": { + "elementId": "A3mMjkn9XVXUsHkLDhWTh", + "focus": 0.18471454880294663, + "gap": 18, + "fixedPoint": null + }, + "startArrowhead": null, + "endArrowhead": "arrow", + "elbowed": false + }, + { + "id": "DokUQ9yti1mblRfmO8Fsr", + "type": "text", + "x": 521.5, + "y": 260, + "width": 140, + "height": 20, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "dashed", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "bA5", + "roundness": null, + "seed": 1833141757, + "version": 33, + "versionNonce": 854115549, + "isDeleted": false, + "boundElements": null, + "updated": 1735398554939, + "link": null, + "locked": false, + "text": "OIDC Provider", + "fontSize": 16, + "fontFamily": 5, + "textAlign": "center", + "verticalAlign": "top", + "containerId": null, + "originalText": "OIDC Provider", + "autoResize": false, + "lineHeight": 1.25 + }, + { + "id": "VHKAXojUTvGQ0142mkiwo", + "type": "text", + "x": 940, + "y": 260, + "width": 140, + "height": 20, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "dashed", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "bA7", + "roundness": null, + "seed": 1351823645, + "version": 78, + "versionNonce": 1403920371, + "isDeleted": false, + "boundElements": null, + "updated": 1735398576143, + "link": null, + "locked": false, + "text": "OIDC Client", + "fontSize": 16, + "fontFamily": 5, + "textAlign": "center", + "verticalAlign": "top", + "containerId": null, + "originalText": "OIDC Client", + "autoResize": false, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 724, + "versionNonce": 1476532541, + "index": "bA8", + "isDeleted": false, + "id": "mwCmLQK0y9RB4zQS9ONGU", + "fillStyle": "solid", + "strokeWidth": 1, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 817.1143342216468, + "y": 500, + "strokeColor": "#000000", + "backgroundColor": "transparent", + "width": 127.88383573213892, + "height": 76.53703389977764, + "seed": 279827987, + "groupIds": [ + "4Ei2iMZcqy1Wo7Qek4Bz4", + "rG1jH_uV0NMaEdY4OgnZR" + ], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1735398855573, + "link": null, + "locked": false + }, + { + "type": "line", + "version": 507, + "versionNonce": 1024488541, + "index": "bA9", + "isDeleted": false, + "id": "bUsjrvKhg7nV7tXCwHTxL", + "fillStyle": "solid", + "strokeWidth": 1, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 816.0387364707516, + "y": 510.71653439224417, + "strokeColor": "#000000", + "backgroundColor": "transparent", + "width": 128.84193229844433, + "height": 0, + "seed": 2001705907, + "groupIds": [ + "4Ei2iMZcqy1Wo7Qek4Bz4", + "rG1jH_uV0NMaEdY4OgnZR" + ], + "frameId": null, + "roundness": { + "type": 2 + }, + "boundElements": [], + "updated": 1735398794507, + "link": null, + "locked": false, + "startBinding": null, + "endBinding": null, + "lastCommittedPoint": null, + "startArrowhead": null, + "endArrowhead": null, + "points": [ + [ + 0, + 0 + ], + [ + 128.84193229844433, + 0 + ] + ] + }, + { + "type": "ellipse", + "version": 326, + "versionNonce": 521920701, + "index": "bAA", + "isDeleted": false, + "id": "faEKz6Gr1CfmS9kq0fq8I", + "fillStyle": "solid", + "strokeWidth": 1, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 821.6023696906017, + "y": 504.2715698000088, + "strokeColor": "#000000", + "backgroundColor": "#fa5252", + "width": 5.001953125, + "height": 5.001953125, + "seed": 1558687059, + "groupIds": [ + "4Ei2iMZcqy1Wo7Qek4Bz4", + "rG1jH_uV0NMaEdY4OgnZR" + ], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1735398794507, + "link": null, + "locked": false + }, + { + "type": "ellipse", + "version": 371, + "versionNonce": 431669533, + "index": "bAB", + "isDeleted": false, + "id": "ogjW0W714BKt-eOsC0rwU", + "fillStyle": "solid", + "strokeWidth": 1, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 831.8650650031017, + "y": 504.2715698000088, + "strokeColor": "#000000", + "backgroundColor": "#fab005", + "width": 5.001953125, + "height": 5.001953125, + "seed": 617384691, + "groupIds": [ + "4Ei2iMZcqy1Wo7Qek4Bz4", + "rG1jH_uV0NMaEdY4OgnZR" + ], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1735398794507, + "link": null, + "locked": false + }, + { + "type": "ellipse", + "version": 429, + "versionNonce": 845059453, + "index": "bAC", + "isDeleted": false, + "id": "YSPxHMlm-vo1M6m3bRWfP", + "fillStyle": "solid", + "strokeWidth": 1, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 842.5784814694479, + "y": 504.722290953855, + "strokeColor": "#000000", + "backgroundColor": "#40c057", + "width": 5.001953125, + "height": 5.001953125, + "seed": 59028627, + "groupIds": [ + "4Ei2iMZcqy1Wo7Qek4Bz4", + "rG1jH_uV0NMaEdY4OgnZR" + ], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1735398794507, + "link": null, + "locked": false + }, + { + "type": "ellipse", + "version": 708, + "versionNonce": 1145626077, + "index": "bAD", + "isDeleted": false, + "id": "Q8rEzCuw8ASpfHzMbl0Ot", + "fillStyle": "solid", + "strokeWidth": 1, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 90, + "angle": 0, + "x": 858.6055424590751, + "y": 520.7746598318708, + "strokeColor": "#000000", + "backgroundColor": "#04aaf7", + "width": 42.72020253937572, + "height": 42.72020253937572, + "seed": 1489414707, + "groupIds": [ + "4Ei2iMZcqy1Wo7Qek4Bz4", + "rG1jH_uV0NMaEdY4OgnZR" + ], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1735398794507, + "link": null, + "locked": false + }, + { + "type": "line", + "version": 1326, + "versionNonce": 1183521341, + "index": "bAE", + "isDeleted": false, + "id": "Y_NaAOKdeceKUnbN7PKDB", + "fillStyle": "solid", + "strokeWidth": 1, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 885.6837065210507, + "y": 536.9990118963285, + "strokeColor": "#087f5b", + "backgroundColor": "#40c057", + "width": 28.226201983883442, + "height": 24.441122842819972, + "seed": 1232661459, + "groupIds": [ + "4Ei2iMZcqy1Wo7Qek4Bz4", + "rG1jH_uV0NMaEdY4OgnZR" + ], + "frameId": null, + "roundness": { + "type": 2 + }, + "boundElements": [], + "updated": 1735398794507, + "link": null, + "locked": false, + "startBinding": null, + "endBinding": null, + "lastCommittedPoint": null, + "startArrowhead": null, + "endArrowhead": null, + "points": [ + [ + 0, + 0 + ], + [ + -1.8305638688608794, + -0.4146385831511896 + ], + [ + -7.572250391862635, + -6.271625431345418 + ], + [ + -11.35769254157424, + -4.347633009945142 + ], + [ + -12.611765400987878, + 2.3733287939365098 + ], + [ + -11.26889653301009, + 6.740045588043412 + ], + [ + -17.42450906516472, + 8.886103861507927 + ], + [ + -17.203202089974113, + 13.643170786196503 + ], + [ + -12.380895778721076, + 13.349974465892952 + ], + [ + -8.695178377089249, + 9.477701170522828 + ], + [ + -3.6201449645383086, + 17.867626643824725 + ], + [ + -0.415292101592283, + 18.169497411474552 + ], + [ + -3.7772455950748833, + 4.800439161419844 + ], + [ + 1.3865838260401944, + 4.3476330099451115 + ], + [ + 3.162503997323137, + 5.86739618500973 + ], + [ + 9.236150983110862, + 5.86739618500973 + ], + [ + 10.80169291871872, + 0.6349695457461695 + ], + [ + 4.221225637895673, + 1.1103292603211785 + ], + [ + 5.486227236824892, + -5.759833037916143 + ], + [ + 2.472627315401658, + -5.345194454764953 + ], + [ + -0.23770008446403423, + -0.9229611976419838 + ], + [ + 0, + 0 + ] + ] + }, + { + "type": "line", + "version": 746, + "versionNonce": 1376176797, + "index": "bAF", + "isDeleted": false, + "id": "3uIFDGHdMsxaDxsfO1G1n", + "fillStyle": "solid", + "strokeWidth": 1, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 90, + "angle": 0, + "x": 859.6646049331026, + "y": 541.7375333950519, + "strokeColor": "#000000", + "backgroundColor": "#99bcff", + "width": 42.095115772272244, + "height": 0, + "seed": 431094131, + "groupIds": [ + "4Ei2iMZcqy1Wo7Qek4Bz4", + "rG1jH_uV0NMaEdY4OgnZR" + ], + "frameId": null, + "roundness": { + "type": 2 + }, + "boundElements": [], + "updated": 1735398794507, + "link": null, + "locked": false, + "startBinding": null, + "endBinding": null, + "lastCommittedPoint": null, + "startArrowhead": null, + "endArrowhead": null, + "points": [ + [ + 0, + 0 + ], + [ + 42.095115772272244, + 0 + ] + ] + }, + { + "type": "line", + "version": 2953, + "versionNonce": 1735225085, + "index": "bAG", + "isDeleted": false, + "id": "hD545MEwmBJ3ggdiFe_qB", + "fillStyle": "solid", + "strokeWidth": 1, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 90, + "angle": 0, + "x": 864.759933962877, + "y": 526.3030044680856, + "strokeColor": "#000000", + "backgroundColor": "#99bcff", + "width": 29.31860660384862, + "height": 5.711199931375845, + "seed": 1186485011, + "groupIds": [ + "4Ei2iMZcqy1Wo7Qek4Bz4", + "rG1jH_uV0NMaEdY4OgnZR" + ], + "frameId": null, + "roundness": { + "type": 2 + }, + "boundElements": [], + "updated": 1735398794507, + "link": null, + "locked": false, + "startBinding": null, + "endBinding": null, + "lastCommittedPoint": null, + "startArrowhead": null, + "endArrowhead": null, + "points": [ + [ + 0, + 0 + ], + [ + 0.7724193963150375, + 2.2765797384357125 + ], + [ + 4.103544916365185, + 4.186609221587683 + ], + [ + 8.536129150893453, + 5.343311508306209 + ], + [ + 15.480325949120388, + 5.448716592152419 + ], + [ + 23.583965316012858, + 4.712296432964328 + ], + [ + 28.316582284417855, + 2.033216518393959 + ], + [ + 29.31860660384862, + -0.2624833392234258 + ] + ] + }, + { + "type": "ellipse", + "version": 769, + "versionNonce": 1967163229, + "index": "bAH", + "isDeleted": false, + "id": "AunWpjs9sYGxcBHoYfpCt", + "fillStyle": "solid", + "strokeWidth": 1, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 90, + "angle": 0, + "x": 872.8338498867964, + "y": 519.3921302022782, + "strokeColor": "#000000", + "backgroundColor": "transparent", + "width": 15.528434353116108, + "height": 44.82230388130942, + "seed": 1627551923, + "groupIds": [ + "4Ei2iMZcqy1Wo7Qek4Bz4", + "rG1jH_uV0NMaEdY4OgnZR" + ], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1735398794507, + "link": null, + "locked": false + }, + { + "type": "line", + "version": 3158, + "versionNonce": 500274109, + "index": "bAI", + "isDeleted": false, + "id": "Z8FSwvmyNZUG4tJ3dI3ch", + "fillStyle": "solid", + "strokeWidth": 1, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 90, + "angle": 0, + "x": 866.2758854725029, + "y": 558.0400965265267, + "strokeColor": "#000000", + "backgroundColor": "#99bcff", + "width": 29.31860660384862, + "height": 5.896061363392446, + "seed": 641133139, + "groupIds": [ + "4Ei2iMZcqy1Wo7Qek4Bz4", + "rG1jH_uV0NMaEdY4OgnZR" + ], + "frameId": null, + "roundness": { + "type": 2 + }, + "boundElements": [], + "updated": 1735398794507, + "link": null, + "locked": false, + "startBinding": null, + "endBinding": null, + "lastCommittedPoint": null, + "startArrowhead": null, + "endArrowhead": null, + "points": [ + [ + 0, + 0 + ], + [ + 4.103544916365185, + -4.322122351104391 + ], + [ + 8.536129150893453, + -5.516265043290966 + ], + [ + 15.480325949120388, + -5.625081903117008 + ], + [ + 23.583965316012858, + -4.8648251269605955 + ], + [ + 28.316582284417855, + -2.0990281379671547 + ], + [ + 29.31860660384862, + 0.2709794602754383 + ] + ] + }, + { + "id": "zPjvdE-_zlL6sfSRXsUx2", + "type": "text", + "x": 780, + "y": 600, + "width": 200, + "height": 20, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "dashed", + "roughness": 1, + "opacity": 100, + "groupIds": [ + "rG1jH_uV0NMaEdY4OgnZR" + ], + "frameId": null, + "index": "bAJ", + "roundness": null, + "seed": 188137725, + "version": 53, + "versionNonce": 1027740701, + "isDeleted": false, + "boundElements": null, + "updated": 1735398794507, + "link": null, + "locked": false, + "text": "end user (web browser)", + "fontSize": 16, + "fontFamily": 5, + "textAlign": "center", + "verticalAlign": "top", + "containerId": null, + "originalText": "end user (web browser)", + "autoResize": false, + "lineHeight": 1.25 + }, + { + "id": "eb06lrqjo-LyMd0S_Lh8q", + "type": "arrow", + "x": 708, + "y": 382, + "width": 112, + "height": 96, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "bAK", + "roundness": { + "type": 2 + }, + "seed": 273641629, + "version": 161, + "versionNonce": 374973341, + "isDeleted": false, + "boundElements": null, + "updated": 1735399161909, + "link": null, + "locked": false, + "points": [ + [ + 0, + 0 + ], + [ + 60, + 43 + ], + [ + 112, + 96 + ] + ], + "lastCommittedPoint": null, + "startBinding": { + "elementId": "JXTkVWYDd3e_t3zZDNReT", + "focus": -0.34915848527349236, + "gap": 6.5, + "fixedPoint": null + }, + "endBinding": null, + "startArrowhead": "arrow", + "endArrowhead": null, + "elbowed": false + } + ], + "appState": { + "gridSize": 20, + "gridStep": 5, + "gridModeEnabled": false, + "viewBackgroundColor": "#ffffff" + }, + "files": {} +} \ No newline at end of file diff --git a/content/knowledge_base/tips/setup_keycloak/network_overview.svg b/content/knowledge_base/tips/setup_keycloak/network_overview.svg new file mode 100644 index 00000000000..d36da02ad96 --- /dev/null +++ b/content/knowledge_base/tips/setup_keycloak/network_overview.svg @@ -0,0 +1,10 @@ + + + + + + + + velociraptor.localkeycloak.localOIDC ProviderOIDC Clientend user (web browser) \ No newline at end of file diff --git a/static/kb/data.json b/static/kb/data.json index 5944032e4e2..3999588fa15 100644 --- a/static/kb/data.json +++ b/static/kb/data.json @@ -1,4 +1,24 @@ [ + { + "title": "Set operations in VQL", + "link": "/knowledge_base/tips/set_operations", + "tags": [ + "vql" + ], + "author": "scudette", + "author_avatar": "https://avatars.githubusercontent.com/u/3856546?v=4", + "author_link": "https://github.com/scudette", + "date": "2024-12-16" + }, + { + "title": "How do I get a list of hunts across multiple organizations?", + "link": "/knowledge_base/tips/multi_org", + "tags": [], + "author": "scudette", + "author_avatar": "https://avatars.githubusercontent.com/u/3856546?v=4", + "author_link": "https://github.com/scudette", + "date": "2024-12-06" + }, { "title": "How do I use the files inside the offline collector ZIP?", "link": "/knowledge_base/tips/fuse_mount", @@ -6,8 +26,8 @@ "forensics" ], "author": "scudette", - "author_link": "https://github.com/scudette", "author_avatar": "https://avatars.githubusercontent.com/u/3856546?v=4", + "author_link": "https://github.com/scudette", "date": "2024-11-06" }, { @@ -378,5 +398,18 @@ "author_avatar": "https://avatars.githubusercontent.com/u/3856546?v=4", "author_link": "https://github.com/scudette", "date": "2022-03-21" + }, + { + "title": "How to set up OIDC authentication using Keycloak", + "link": "/knowledge_base/tips/setup_keycloak", + "tags": [ + "configuration", + "sso", + "deployment" + ], + "author": "", + "author_link": "", + "author_avatar": "", + "date": "" } ] \ No newline at end of file