Project:Infrastructure/Single Sign-on

Keycloak
Keycloak is currently used to implement single sign-on (SSO) for Gentoo developers. It is deployed on sso.gentoo.org (tyrant) and sso-fallback.gentoo.org (gadwall).

Realms
Keycloak has two realms today.

 * 1) Admin: This realm is used to administer the Keycloak deployment itself. It enforces significantly stricter credential requirements; normal users do not use this realm and have no accounts in it.
 * 2) Gentoo: This realm is slaved to ldap.gentoo.org and is otherwise read-only for most attributes.

Deployment
Keycloak is deployed using Docker containers, with Postgres as the database.

State is generally kept under /var/lib/keycloak; these host directories are mounted at various paths inside the containers so that state survives container redeployments.
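The deployment layout described above, as an added illustrative Compose file that is not Gentoo Infra's actual Puppet or container configuration: both containers keep all persistent state on bind mounts under /var/lib/keycloak, so a redeploy of either container loses nothing. The subdirectory names, the secrets file, the pinned image versions and the reverse-proxy setup are assumptions.

```yaml
# Added example (not the Gentoo Infra configuration). Everything the containers
# must remember across redeployments lives under /var/lib/keycloak on the host.
services:
  db:
    image: postgres:PINNED_VERSION          # placeholder: pin a specific release
    restart: unless-stopped
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
    env_file:
      # assumed file holding POSTGRES_PASSWORD, KC_DB_PASSWORD and the bootstrap
      # admin credentials; keep it root-owned, mode 0600, outside the image
      - /var/lib/keycloak/secrets.env
    volumes:
      # Postgres data directory on the host: the database outlives the container
      - /var/lib/keycloak/postgres:/var/lib/postgresql/data

  keycloak:
    image: quay.io/keycloak/keycloak:PINNED_VERSION   # placeholder: pin a release
    restart: unless-stopped
    command: ["start"]                      # production mode, not start-dev
    depends_on:
      - db
    environment:
      KC_DB: postgres
      KC_DB_URL: jdbc:postgresql://db:5432/keycloak
      KC_DB_USERNAME: keycloak
      # public hostname from the page; the fallback node would use sso-fallback.gentoo.org
      KC_HOSTNAME: sso.gentoo.org
      # assumption: TLS is terminated by a reverse proxy on the host that sets
      # X-Forwarded-* headers, so Keycloak only listens on plain HTTP locally
      KC_PROXY_HEADERS: xforwarded
      KC_HTTP_ENABLED: "true"
    env_file:
      - /var/lib/keycloak/secrets.env
    volumes:
      # keycloak.conf plus any themes/providers, mounted read-only from the host
      - /var/lib/keycloak/conf:/opt/keycloak/conf:ro
      # runtime data directory (e.g. realm import/export files)
      - /var/lib/keycloak/data:/opt/keycloak/data
    ports:
      - "127.0.0.1:8080:8080"               # only reachable via the local proxy
```

Because the host paths are the only durable state, backing up /var/lib/keycloak (with the database stopped or via pg_dump) is sufficient to rebuild either node from scratch.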

TODOs

 * 1) Move the secrets in the Puppet module to eyaml.
 * 2) Set up database replication.
 * 3) Mount the Keycloak config into the container.
 * 4) Check the Keycloak config into Puppet.