  • Apps SSO

    Solved Support
    13
    1 Votes
    13 Posts
    212 Views
    girish

    @nebulon has fixed this now for the next release. The first login (from admin setup or via invite) of admin account and normal users now has an OIDC session automatically. This means that when you click the first OIDC app, you are logged in automatically.

  • OIDC / routing question

    Support
    10
    1 Votes
    10 Posts
    357 Views
    jadudm

    OK.

    This was very exciting.

    I read some documentation. Specifically, https://docs.opnsense.org/manual/how-tos/nat_reflection.html.

    Once I slowed down, undid all the weird thrashing I did with various DNS shortcuts for route domains internally/directly (e.g. changing my unbound config, or creating aliases for my domain), and instead read the documentation for both reflection and hairpin NAT in OpnSense, I was good to go.

    Thank you for joining me on this journey where I create noise on the forum and discover that, by reading the manual, I can solve my own problems. 🙂

  • Add OIDC support to Discourse?

    Solved Discourse
    6
    1 Votes
    6 Posts
    195 Views
    nebulon

    The package with OpenID integration for Cloudron SSO is released. However this currently only works with new app instances.

  • 0 Votes
    5 Posts
    518 Views
    girish

    @cbeams Whoops, you are right. It's indeed bookstack and not wikijs!

    Also, I think using cloudflare as a front to wikijs should work. Let us know if it doesn't.

  • 3 Votes
    3 Posts
    275 Views
    nebulon

    Agree, thanks for putting the links @fbartels. I will close that thread here in favor of the others.

  • 3 Votes
    21 Posts
    1k Views
    adison

    I didn't know Cloudron was like Active Directory, or had Active Directory built in.

  • 6 Votes
    2 Posts
    717 Views
    fbartels

    The following configuration needs to be added to the identifier registration of Kopano Konnect to enable SSO with Rocketchat:

    - id: rocketchat.9wd.eu
      name: Rocketchat
      trusted: true
      application_type: web
      redirect_uris:
        - https://rocketchat.9wd.eu/_oauth/konnect

    Remember to restart Konnect after modifying the registry. If you want to verify that the configuration was properly loaded you have to modify log_level in /app/data/konnectd.cfg to read /app/data/konnectd.cfg. With another restart Konnect will then print a message like the following at startup:

    Apr 20 20:21:30 time="2020-04-20T18:21:30Z" level=debug msg="registered client" application_type=web client_id=rocketchat.9wd.eu insecure=false origins="[https://rocketchat.9wd.eu]" redirect_uris="[https://rocketchat.9wd.eu/_oauth/konnect]" trusted=true with_client_secret=false

    In Rocket.chat the following configuration needs to be added. For this go into the admin backend, select "OAuth" and there "Add custom oauth". I am using the following settings:

    URL: https://meet.9wd.eu
    Token Path: /konnect/v1/token
    Token Sent Via: Header
    Identity Token Sent Via: Same as "Token Sent Via"
    Identity Path: /konnect/v1/userinfo
    Authorize Path: /signin/v1/identifier/_/authorize
    Scope: openid profile email
    Id: rocketchat.9wd.eu
    Secret: rocketchat
    Login Style: Default
    Button Text: Kopano Konnect (needs to be something the user can relate to)
    Button Text Color: #FFFFFF
    Button Color: #13679A
    Username field: preferred_username
    Merge users: false

    After storing these, log out of Rocket.chat and you will see a new button on your login page titled "Kopano Konnect", which will then use the new login method.

  • I am missing (real) SSO

    Discuss
    13
    2 Votes
    13 Posts
    932 Views
    jdaviescoates

    @thetomester13 said in I am missing (real) SSO:

    @jdaviescoates I took a quick look at some video tutorials, but I didn't see how Keycloak would be able to log the user into other applications without having said application specifically implementing the Keycloak integration.

    You've already looked into it more than me. I guess Indiehosters have implemented Keycloak integration into the apps they've integrated in their Liiibre service (perhaps they maintain forks or something, or have contributed upstream).