OIDC integration with Kanidm

[stratself]

Hello, I've successfully integrated my Technitium against Kanidm, with auto-mapping roles for new sign-ups. I'd like to share my configuration here.

Let's assume the setup below:

• Kanidm URL: https://idm.example.com
• Technitium URL: https://dns.testdomain.net:53443

Let's also assume I want to map a Kanidm group called technitium_admins to be Administrators inside Technitium. That group will contain my testuser account.

graph TB
    subgraph "idm.example.com (Kanidm)"
        user:test-user -->|part of| group:technitium_admins
    end
    group:technitium_admins -->|claim:roles:admin|dns["dns.testdomain.net:53443 (Technitium)"]

Loading

Kanidm

First, login to kanidm with the CLI and follow the prompts:

export KANIDM_URL=https://idm.example.com && kanidm login -D testuser

Then, create a new group called technitium_admins, and add my user to it:

kanidm group create technitium_admins
kanidm group add-members technitium_admins testuser

Next, create an OAuth2 client object called technitium with relevant Technitium URLs. We will then add the appropriate scopes (openid and profile) to this client.

# Add `technitium` object with link to Technitium homepage
kanidm system oauth2 create technitium "Technitium" https://dns.testdomain.net:53443

# Add callback path
kanidm system oauth2 add-redirect-url technitium https://dns.testdomain.net:53443/sso/callback

# Prefers short usernames (optional)
kanidm system oauth2 prefer-short-username technitium

# Allow the client application to fetch `openid` and `profile` scope,
# only for users in the `technitium_admins` group
kanidm system oauth2 update-scope-map technitium technitium_admins openid profile

Then, define roles as a custom claim for the technitium_admins group, with a value of admin.

kanidm system oauth2 update-claim-map technitium roles technitium_admins admin

This way, Technitium can receive this mapping when it fetches an ID token from Kanidm, to use with its role-mapping policy decisions.

Technitium

First, fetch the basic secret from kanidm:

kanidm system oauth2 show-basic-secret technitium

Then inside Technitium's web UI, go to Settings > Administration > Single Sign On (SSO) and enter the following details:

• Tick the "Enable Single Sign-On (SSO)" checkbox
• Authority (Issuer): https://idm.example.com/oauth2/openid/technitium
• Client ID: technitium
• Client Secret: from the step above.
• Scopes: only openid and profile is needed
• Tick the Allow New User Sign Up and Allow Sign Up Only For Mapped Users checkboxes
• Lastly, for the Group Map (Optional) table, add a Remote group of admin to correspond with a Local Group of Administrators.

Click on "Save Config", your changes should now be applied.

The login screen should now has an OpenID Connect option. Click on it and sign-in with Kanidm, and you'll be redirected back to Technitium. Under the My Profile popup, you should see your account as a "Member of" the "Administrators" group.

Extras

Add another group

If you want to define another group and mapping, create it in Kanidm, add it to the technitium OAuth client, and configure the right claim(s) for it. Also, you can employ multiple claims too, so that a Kanidm group can take up multiple roles inside Technitium.

Here is an example with a technitium_dhcp_dns group in Kanidm:

# Create dhcp admins and add testuser2 to it
kanidm group create technitium_dhcp_dns
kanidm group add-members technitium_dhcp_dns testuser2

# Allow `technitium` OAuth client to fetch correct scopes for the `technitium_dhcp_admins` group
kanidm system oauth2 update-scope-map technitium technitium_dhcp_admins openid profile

# Add custom claim `roles` with values of `dhcp` and `dns` 
kanidm system oauth2 update-claim-map technitium roles technitium_dhcp_admins dhcp dns
# This can be used for mapping against DNS/DHCP Administrators in Technitium

Behavior with clustering

OIDC enablement will be replicated across the cluster, so they will all share the same client ID and secret. To enable logging in from another cluster node, simply add its callback path as a redirect URL:

kanidm system oauth2 add-redirect-url technitium https://secondary-dns.testdomain.net:53443/sso/callback

Conclusion

If you run into any troubles, check logs of both Kanidm and Technitium. For the latter, it is recommended to still maintain an internal admin account to debug these cases.

It would be nice if the role mapping claim field can be customized. So instead of being limited to only roles and groups, it can be an arbitrary field like technitium_groups for less confusion on the IDM side.