Project:Infrastructure/Single Sign-on

From Gentoo Wiki


Keycloak is currently used to implement Single sign-on (SSO) for Gentoo developers. It is currently deployed on tyrant and gadwall.


Keycloak has two realms today:

  1. Admin: This realm is used to administer the Keycloak deployment. It enforces significantly stricter credential requirements; normal users do not use this realm and have no accounts in it.
  2. Gentoo: This realm reads from and is otherwise read-only for most attributes.


Keycloak is deployed using Docker containers. Postgres is used as the database.

State is generally kept under /var/lib/gentoo-sso; these directories are bind-mounted into the containers at various paths so that state survives container redeployments.


Keycloak runs on two machines in an active/passive configuration; on the passive machine Keycloak is not running at all. Postgres replicates from the active node (primary) to the passive node (standby); the standby is seeded from the primary with pg_basebackup and then follows it.


The normal postgres failover documentation should be followed:

NOTE: We should dump our realm configuration regularly so that it can be re-imported if the database is lost or a change has to be rolled back.
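One way to produce the realm dumps the note asks for, as an added example that is not the Gentoo infrastructure project's own tooling: the script below obtains an admin token, pulls the realm configuration through Keycloak's admin REST API (POST .../partial-export), writes it to a timestamped file, and prunes dumps beyond a retention count. The base URL (sso.gentoo.org with the /auth prefix of the WildFly-based distribution), the realm id "gentoo", the dump directory under /var/lib/gentoo-sso, the use of the built-in admin-cli client with a password grant, and treating the page's "Admin" realm as Keycloak's built-in master realm are all assumptions, not facts from this page.

```shell
#!/bin/sh
# Added example, not the Gentoo infra project's own code.
# Dump a Keycloak realm's configuration via the admin REST API so it can be
# re-imported later, and keep only the most recent $KEEP dumps.
#
# Assumptions (not from the wiki page): KC_URL, that the "Admin" realm is
# Keycloak's built-in "master" realm, the realm id "gentoo", DUMP_DIR, and
# password authentication of the admin user via the built-in admin-cli client.
set -eu

KC_URL=${KC_URL:-https://sso.gentoo.org/auth}   # drop "/auth" on Quarkus-based Keycloak
ADMIN_REALM=${ADMIN_REALM:-master}
REALM=${REALM:-gentoo}
DUMP_DIR=${DUMP_DIR:-/var/lib/gentoo-sso/realm-dumps}
KEEP=${KEEP:-14}

# Obtain a short-lived admin access token. The password comes from the
# environment rather than this script's argument list; curl still sees it.
get_admin_token() {
    token=$(curl -fsS "$KC_URL/realms/$ADMIN_REALM/protocol/openid-connect/token" \
        -d grant_type=password -d client_id=admin-cli \
        --data-urlencode "username=${KC_ADMIN_USER}" \
        --data-urlencode "password=${KC_ADMIN_PASSWORD}" \
        | jq -r .access_token)
    if [ -z "$token" ] || [ "$token" = null ]; then
        echo "token request failed" >&2
        return 1
    fi
    printf '%s\n' "$token"
}

# Dump file name: <dir>/<realm>-<UTC timestamp>.json. The timestamp sorts
# lexically, so "oldest first" is a plain sort of the file names.
dump_path() {
    printf '%s/%s-%s.json\n' "$1" "$2" "$(date -u +%Y%m%dT%H%M%SZ)"
}

# Partial export: realm settings, clients, groups and roles. Users are not part
# of a partial export and client secrets are masked in the output, so secrets
# have to be re-entered after an import.
dump_realm() {
    token=$(get_admin_token)
    out=$(dump_path "$DUMP_DIR" "$REALM")
    umask 077   # the dump is sensitive even with secrets masked
    curl -fsS -X POST \
        "$KC_URL/admin/realms/$REALM/partial-export?exportClients=true&exportGroupsAndRoles=true" \
        -H "Authorization: Bearer $token" \
        | jq . > "$out"
    printf '%s\n' "$out"
}

# Remove the oldest *.json dumps in $1 so that at most $2 remain.
prune_old_dumps() {
    dir=$1
    keep=$2
    total=$(find "$dir" -maxdepth 1 -name '*.json' | wc -l)
    excess=$((total - keep))
    [ "$excess" -gt 0 ] || return 0
    find "$dir" -maxdepth 1 -name '*.json' | sort | head -n "$excess" |
        while IFS= read -r f; do rm -f -- "$f"; done
}

# Only act when invoked as "realm-dump.sh run" (e.g. from cron); sourcing the
# file merely defines the functions.
if [ "${1:-}" = run ]; then
    : "${KC_ADMIN_USER:?}" "${KC_ADMIN_PASSWORD:?}"
    mkdir -p "$DUMP_DIR"
    dump_realm
    prune_old_dumps "$DUMP_DIR" "$KEEP"
fi
```

The partial export is a configuration record, not a full restore point: it leaves out users and masks secrets. A complete export including users and unmasked secrets requires Keycloak's server-side export mode, which starts a Keycloak instance against the database and therefore belongs in a maintenance window on this active/passive setup.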

Service integrations

Service           Integration       Status       Notes
----------------  ----------------  -----------  -------------------------------------------------------------
Bugzilla          Gatekeeper        Not Started  Set Bugzilla's user_info_class to Env,CGI so it trusts the user the authenticating proxy passes in the environment, falling back to Bugzilla's own login
Wiki              OpenId Extension  Not Started
AWS               SAML 2.0          Not Started  Use AWS's existing identity-provider federation with SAML 2.0
Gentoo Admin      Gatekeeper        Not Started  Use htpasswd as fallback (i.e. in case sso.g.o is down)
Infrawiki         Gatekeeper        Not Started  Use htpasswd as fallback (i.e. in case sso.g.o is down)
Glsamaker (ruby)  Gatekeeper        Not Started  Set a cookie to integrate with the existing user management
Glsamaker (go)    Go OpenId Client  Not Started  i.e.
Gerrit            SAML              Not Started
Gitea             OAuth2            Not Started  -
Forums            ?                 Not Started  -


  1. Move the secrets in the puppet module to eyaml (DONE)
  2. Set up database replication (DONE)
  3. Mount the Keycloak config in the container (DONE)
  4. Check the Keycloak config into puppet (DONE)
  5. Create a Gentoo theme for Keycloak (DONE)
  6. Discuss the design of the Gentoo theme