pages/posts/how-to-authenticate-kasm-via-authentik/index.html
2024-02-22 21:21:00 +00:00

396 lines
21 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html>
<html lang="en" dir="auto">
<head><meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="robots" content="index, follow">
<title>How To Authenticate KASM via authentik | Mafyuh&#39;s Blog</title>
<meta name="keywords" content="">
<meta name="description" content="You could do this with OpenID as well but this method is using SAML. This guide assumes you already have running instances of Kasm Workspaces and authentik.
The official authentik docs dont have a Kasm Integration listed at the time. So I thought I would help out anyone who is trying to integrate these services via SAML. authentik&rsquo;s SAML docs can be found here.
Setting up Kasm In the Kasm Workspaces admin, click Access Management - Authentication - SAML and create a new configuration.">
<meta name="author" content="Mafyuh">
<link rel="canonical" href="https://mafyuh.com/posts/how-to-authenticate-kasm-via-authentik/">
<link crossorigin="anonymous" href="/assets/css/stylesheet.b609c58d5c11bb90b1a54e04005d74ad1ddf22165eb79f5533967e57df9c3b50.css" integrity="sha256-tgnFjVwRu5CxpU4EAF10rR3fIhZet59VM5Z&#43;V9&#43;cO1A=" rel="preload stylesheet" as="style">
<link rel="icon" href="https://mafyuh.com/assets/favicon/favicon.ico">
<link rel="icon" type="image/png" sizes="16x16" href="https://mafyuh.com/assets/favicon/favicon-16x16.png">
<link rel="icon" type="image/png" sizes="32x32" href="https://mafyuh.com/assets/favicon/favicon-32x32.png">
<link rel="apple-touch-icon" href="https://mafyuh.com/assets/favicon/apple-touch-icon.png">
<link rel="mask-icon" href="https://mafyuh.com/safari-pinned-tab.svg">
<meta name="theme-color" content="#2e2e33">
<meta name="msapplication-TileColor" content="#2e2e33">
<link rel="alternate" hreflang="en" href="https://mafyuh.com/posts/how-to-authenticate-kasm-via-authentik/">
<noscript>
<style>
#theme-toggle,
.top-link {
display: none;
}
</style>
<style>
@media (prefers-color-scheme: dark) {
:root {
--theme: rgb(29, 30, 32);
--entry: rgb(46, 46, 51);
--primary: rgb(218, 218, 219);
--secondary: rgb(155, 156, 157);
--tertiary: rgb(65, 66, 68);
--content: rgb(196, 196, 197);
--code-block-bg: rgb(46, 46, 51);
--code-bg: rgb(55, 56, 62);
--border: rgb(51, 51, 51);
}
.list {
background: var(--theme);
}
.list:not(.dark)::-webkit-scrollbar-track {
background: 0 0;
}
.list:not(.dark)::-webkit-scrollbar-thumb {
border-color: var(--theme);
}
}
</style>
</noscript><meta property="og:title" content="How To Authenticate KASM via authentik" />
<meta property="og:description" content="You could do this with OpenID as well but this method is using SAML. This guide assumes you already have running instances of Kasm Workspaces and authentik.
The official authentik docs dont have a Kasm Integration listed at the time. So I thought I would help out anyone who is trying to integrate these services via SAML. authentik&rsquo;s SAML docs can be found here.
Setting up Kasm In the Kasm Workspaces admin, click Access Management - Authentication - SAML and create a new configuration." />
<meta property="og:type" content="article" />
<meta property="og:url" content="https://mafyuh.com/posts/how-to-authenticate-kasm-via-authentik/" /><meta property="article:section" content="posts" />
<meta property="article:published_time" content="2023-09-30T16:20:00+00:00" />
<meta property="article:modified_time" content="2023-09-30T16:20:00+00:00" /><meta property="og:site_name" content="Mafyuh&#39;s Blog" />
<meta name="twitter:card" content="summary"/>
<meta name="twitter:title" content="How To Authenticate KASM via authentik"/>
<meta name="twitter:description" content="You could do this with OpenID as well but this method is using SAML. This guide assumes you already have running instances of Kasm Workspaces and authentik.
The official authentik docs dont have a Kasm Integration listed at the time. So I thought I would help out anyone who is trying to integrate these services via SAML. authentik&rsquo;s SAML docs can be found here.
Setting up Kasm In the Kasm Workspaces admin, click Access Management - Authentication - SAML and create a new configuration."/>
<script type="application/ld+json">
{
"@context": "https://schema.org",
"@type": "BreadcrumbList",
"itemListElement": [
{
"@type": "ListItem",
"position": 1 ,
"name": "Posts",
"item": "https://mafyuh.com/posts/"
},
{
"@type": "ListItem",
"position": 2 ,
"name": "How To Authenticate KASM via authentik",
"item": "https://mafyuh.com/posts/how-to-authenticate-kasm-via-authentik/"
}
]
}
</script>
<script type="application/ld+json">
{
"@context": "https://schema.org",
"@type": "BlogPosting",
"headline": "How To Authenticate KASM via authentik",
"name": "How To Authenticate KASM via authentik",
"description": "You could do this with OpenID as well but this method is using SAML. This guide assumes you already have running instances of Kasm Workspaces and authentik.\nThe official authentik docs dont have a Kasm Integration listed at the time. So I thought I would help out anyone who is trying to integrate these services via SAML. authentik\u0026rsquo;s SAML docs can be found here.\nSetting up Kasm In the Kasm Workspaces admin, click Access Management - Authentication - SAML and create a new configuration.",
"keywords": [
],
"articleBody": "You could do this with OpenID as well but this method is using SAML. This guide assumes you already have running instances of Kasm Workspaces and authentik.\nThe official authentik docs dont have a Kasm Integration listed at the time. So I thought I would help out anyone who is trying to integrate these services via SAML. authentiks SAML docs can be found here.\nSetting up Kasm In the Kasm Workspaces admin, click Access Management - Authentication - SAML and create a new configuration. Make sure you enable and make default after testing. You will probably find yourself switching between tabs alot, its best to start creating them both at the same time as you need links from each.\nDisplay Name: authentik Logo URL: https://auth.example.com/static/dist/assets/icons/icon.svg (or custom logo) Host Name: authentik NameID Attribute: emailAddress Entity ID: authentik Single Sign On Service/SAML 2.0 Endpoint: https://auth.example.com/application/saml/kasm/sso/binding/redirect/ X509 Certificate: Skip to authentik setup first, then come back here. In authentik admin, go to your newly created SAML provider, when you click the provider and are brought to its details, you should have the option to Download signing certificate. Download it and paste the files contents here. Setting up authentik In the authentik admin, under Applications, create a new SAML provider. Once you created a provider, create an Application and set its provider to the newly created kasm provider. For simplicity sake, the provider and application name is kasm. (kasms pictured)\nAuthorization flow: implicit ACS URL: https://kasm.example.com/api/acs/?id=e977b6cf72c7424328275db5f48fd15ab (Single Sign-On Service from kasm photo) Issuer: authentik (must be the same as Entity ID chosen in Kasm) Service Binding Provider: Post Audience: https://kasm.example.com/api/metadata/?id=e977b6cf72c7424328275db5f48fd15ab ( Entity ID URL from Kasm photo) Under Advanced, choose a signing certificate, default is authentik. Go back to Kasm x509 Certificate. Make sure you save you changes. You should now be able to test SAML at the bottom of the page, once tested, I recommend opening a incognito tab and loading your KASM website.\nYou should now be able to authenticate yourself using SAML via authentik. I recommend going back to your admin session and adding your newly created user to the admin group. Also if it should only be you accessing this via authentik, I would change the kasm Application in authentik and bind it to your user.\nThank you to u/agent-squirrel and this subreddit post on helping me with the NameID Attribute part!\n",
"wordCount" : "393",
"inLanguage": "en",
"datePublished": "2023-09-30T16:20:00Z",
"dateModified": "2023-09-30T16:20:00Z",
"author":{
"@type": "Person",
"name": "Mafyuh"
},
"mainEntityOfPage": {
"@type": "WebPage",
"@id": "https://mafyuh.com/posts/how-to-authenticate-kasm-via-authentik/"
},
"publisher": {
"@type": "Organization",
"name": "Mafyuh's Blog",
"logo": {
"@type": "ImageObject",
"url": "https://mafyuh.com/assets/favicon/favicon.ico"
}
}
}
</script>
</head>
<body class="" id="top">
<script>
if (localStorage.getItem("pref-theme") === "dark") {
document.body.classList.add('dark');
} else if (localStorage.getItem("pref-theme") === "light") {
document.body.classList.remove('dark')
} else if (window.matchMedia('(prefers-color-scheme: dark)').matches) {
document.body.classList.add('dark');
}
</script>
<header class="header">
<nav class="nav">
<div class="logo">
<a href="https://mafyuh.com/" accesskey="h" title="Mafyuh&#39;s Blog (Alt + H)">
<img src="https://mafyuh.com/assets/favicon/favicon.svg" alt="" aria-label="logo"
height="35">Mafyuh&#39;s Blog</a>
<div class="logo-switches">
<button id="theme-toggle" accesskey="t" title="(Alt + T)">
<svg id="moon" xmlns="http://www.w3.org/2000/svg" width="24" height="18" viewBox="0 0 24 24"
fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round"
stroke-linejoin="round">
<path d="M21 12.79A9 9 0 1 1 11.21 3 7 7 0 0 0 21 12.79z"></path>
</svg>
<svg id="sun" xmlns="http://www.w3.org/2000/svg" width="24" height="18" viewBox="0 0 24 24"
fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round"
stroke-linejoin="round">
<circle cx="12" cy="12" r="5"></circle>
<line x1="12" y1="1" x2="12" y2="3"></line>
<line x1="12" y1="21" x2="12" y2="23"></line>
<line x1="4.22" y1="4.22" x2="5.64" y2="5.64"></line>
<line x1="18.36" y1="18.36" x2="19.78" y2="19.78"></line>
<line x1="1" y1="12" x2="3" y2="12"></line>
<line x1="21" y1="12" x2="23" y2="12"></line>
<line x1="4.22" y1="19.78" x2="5.64" y2="18.36"></line>
<line x1="18.36" y1="5.64" x2="19.78" y2="4.22"></line>
</svg>
</button>
<ul class="lang-switch"><li>|</li>
</ul>
</div>
</div>
<ul id="menu">
<li>
<a href="https://mafyuh.com/guides/" title="Guides">
<span>Guides</span>
</a>
</li>
<li>
<a href="https://mafyuh.com/archives/" title="Archives">
<span>Archives</span>
</a>
</li>
<li>
<a href="https://mafyuh.com/search" title="Search (Alt &#43; /)" accesskey=/>
<span>Search</span>
</a>
</li>
</ul>
</nav>
</header>
<main class="main">
<article class="post-single">
<header class="post-header">
<div class="breadcrumbs"><a href="https://mafyuh.com/">Home</a>&nbsp;»&nbsp;<a href="https://mafyuh.com/posts/">Posts</a></div>
<h1 class="post-title entry-hint-parent">
How To Authenticate KASM via authentik
</h1>
<div class="post-meta"><span title='2023-09-30 16:20:00 +0000 UTC'>September 30, 2023</span>&nbsp;·&nbsp;2 min&nbsp;·&nbsp;393 words&nbsp;·&nbsp;Mafyuh
</div>
</header> <div class="toc">
<details >
<summary accesskey="c" title="(Alt + C)">
<span class="details">Table of Contents</span>
</summary>
<div class="inner"><nav id="TableOfContents">
<ul>
<li><a href="#setting-up-kasm">Setting up Kasm</a></li>
<li><a href="#setting-up-authentik">Setting up authentik</a></li>
</ul>
</nav>
</div>
</details>
</div>
<div class="post-content"><p>You could do this with OpenID as well but this method is using SAML. This guide assumes you already have running instances of Kasm Workspaces and authentik.</p>
<p>The official authentik docs dont have a Kasm Integration listed at the time. So I thought I would help out anyone who is trying to integrate these services via SAML. authentik&rsquo;s SAML docs can be found <a href="https://goauthentik.io/integrations/sources/saml/">here</a>.</p>
<h2 id="setting-up-kasm">Setting up Kasm<a hidden class="anchor" aria-hidden="true" href="#setting-up-kasm">#</a></h2>
<p>In the Kasm Workspaces admin, click Access Management - Authentication - SAML and create a new configuration. Make sure you enable and make default after testing. You will probably find yourself switching between tabs alot, its best to start creating them both at the same time as you need links from each.</p>
<p><img loading="lazy" src="/assets/img/kasm-saml.png" alt="KASM SAML Config" />
</p>
<ul>
<li>Display Name: authentik</li>
<li>Logo URL: <a href="https://auth.example.com/static/dist/assets/icons/icon.svg">https://auth.example.com/static/dist/assets/icons/icon.svg</a> (or custom logo)</li>
<li>Host Name: authentik</li>
<li>NameID Attribute: emailAddress</li>
<li>Entity ID: authentik</li>
<li>Single Sign On Service/SAML 2.0 Endpoint: <a href="https://auth.example.com/application/saml/kasm/sso/binding/redirect/">https://auth.example.com/application/saml/kasm/sso/binding/redirect/</a></li>
<li>X509 Certificate: Skip to authentik setup first, then come back here. In authentik admin, go to your newly created SAML provider, when you click the provider and are brought to its details, you should have the option to Download signing certificate. Download it and paste the files contents here.</li>
</ul>
<p><img loading="lazy" src="/assets/img/kasm-auth.png" alt="authentik Config" />
</p>
<h2 id="setting-up-authentik">Setting up authentik<a hidden class="anchor" aria-hidden="true" href="#setting-up-authentik">#</a></h2>
<p>In the authentik admin, under Applications, create a new SAML provider. Once you created a provider, create an Application and set its provider to the newly created kasm provider. For simplicity sake, the provider and application name is kasm. (kasms pictured)</p>
<p><img loading="lazy" src="/assets/img/kasm-auth2.png" alt="authentik Config" />
</p>
<ul>
<li>Authorization flow: implicit</li>
<li>ACS URL: <a href="https://kasm.example.com/api/acs/?id=e977b6cf72c7424328275db5f48fd15ab">https://kasm.example.com/api/acs/?id=e977b6cf72c7424328275db5f48fd15ab</a> (Single Sign-On Service from kasm photo)</li>
<li>Issuer: authentik (must be the same as Entity ID chosen in Kasm)</li>
<li>Service Binding Provider: Post</li>
<li>Audience: <a href="https://kasm.example.com/api/metadata/?id=e977b6cf72c7424328275db5f48fd15ab">https://kasm.example.com/api/metadata/?id=e977b6cf72c7424328275db5f48fd15ab</a> ( Entity ID URL from Kasm photo)</li>
<li>Under Advanced, choose a signing certificate, default is authentik.</li>
<li>Go back to Kasm x509 Certificate.</li>
</ul>
<p>Make sure you save you changes. You should now be able to test SAML at the bottom of the page, once tested, I recommend opening a incognito tab and loading your KASM website.</p>
<p><img loading="lazy" src="/assets/img/kasm-auth3.png" alt="authentik Config" />
</p>
<p>You should now be able to authenticate yourself using SAML via authentik. I recommend going back to your admin session and adding your newly created user to the admin group. Also if it should only be you accessing this via authentik, I would change the kasm Application in authentik and bind it to your user.</p>
<p>Thank you to u/<a href="https://www.reddit.com/user/agent-squirrel/">agent-squirrel</a> and this <a href="https://www.reddit.com/r/selfhosted/comments/vc30l7/kasm_authentik/">subreddit</a> post on helping me with the NameID Attribute part!</p>
</div>
<footer class="post-footer">
<ul class="post-tags">
</ul>
<nav class="paginav">
<a class="prev" href="https://mafyuh.com/posts/how-to-authenticate-zammad-via-saml-with-nginx-proxy-manager/">
<span class="title">« Prev</span>
<br>
<span>How to authenticate Zammad via SAML with Nginx Proxy Manager</span>
</a>
<a class="next" href="https://mafyuh.com/posts/software/">
<span class="title">Next »</span>
<br>
<span>Software</span>
</a>
</nav>
</footer>
</article>
</main>
<footer class="footer">
<span>&copy; 2024 <a href="https://mafyuh.com/">Mafyuh&#39;s Blog</a></span>
<span>
Powered by
<a href="https://gohugo.io/" rel="noopener noreferrer" target="_blank">Hugo</a> &
<a href="https://github.com/adityatelange/hugo-PaperMod/" rel="noopener" target="_blank">PaperMod</a>
</span>
</footer>
<a href="#top" aria-label="go to top" title="Go to Top (Alt + G)" class="top-link" id="top-link" accesskey="g">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 12 6" fill="currentColor">
<path d="M12 6H0l6-6z" />
</svg>
</a>
<script>
let menu = document.getElementById('menu')
if (menu) {
menu.scrollLeft = localStorage.getItem("menu-scroll-position");
menu.onscroll = function () {
localStorage.setItem("menu-scroll-position", menu.scrollLeft);
}
}
document.querySelectorAll('a[href^="#"]').forEach(anchor => {
anchor.addEventListener("click", function (e) {
e.preventDefault();
var id = this.getAttribute("href").substr(1);
if (!window.matchMedia('(prefers-reduced-motion: reduce)').matches) {
document.querySelector(`[id='${decodeURIComponent(id)}']`).scrollIntoView({
behavior: "smooth"
});
} else {
document.querySelector(`[id='${decodeURIComponent(id)}']`).scrollIntoView();
}
if (id === "top") {
history.replaceState(null, null, " ");
} else {
history.pushState(null, null, `#${id}`);
}
});
});
</script>
<script>
var mybutton = document.getElementById("top-link");
window.onscroll = function () {
if (document.body.scrollTop > 800 || document.documentElement.scrollTop > 800) {
mybutton.style.visibility = "visible";
mybutton.style.opacity = "1";
} else {
mybutton.style.visibility = "hidden";
mybutton.style.opacity = "0";
}
};
</script>
<script>
document.getElementById("theme-toggle").addEventListener("click", () => {
if (document.body.className.includes("dark")) {
document.body.classList.remove('dark');
localStorage.setItem("pref-theme", 'light');
} else {
document.body.classList.add('dark');
localStorage.setItem("pref-theme", 'dark');
}
})
</script>
<script>
document.querySelectorAll('pre > code').forEach((codeblock) => {
const container = codeblock.parentNode.parentNode;
const copybutton = document.createElement('button');
copybutton.classList.add('copy-code');
copybutton.innerHTML = 'copy';
function copyingDone() {
copybutton.innerHTML = 'copied!';
setTimeout(() => {
copybutton.innerHTML = 'copy';
}, 2000);
}
copybutton.addEventListener('click', (cb) => {
if ('clipboard' in navigator) {
navigator.clipboard.writeText(codeblock.textContent);
copyingDone();
return;
}
const range = document.createRange();
range.selectNodeContents(codeblock);
const selection = window.getSelection();
selection.removeAllRanges();
selection.addRange(range);
try {
document.execCommand('copy');
copyingDone();
} catch (e) { };
selection.removeRange(range);
});
if (container.classList.contains("highlight")) {
container.appendChild(copybutton);
} else if (container.parentNode.firstChild == container) {
} else if (codeblock.parentNode.parentNode.parentNode.parentNode.parentNode.nodeName == "TABLE") {
codeblock.parentNode.parentNode.parentNode.parentNode.parentNode.appendChild(copybutton);
} else {
codeblock.parentNode.appendChild(copybutton);
}
});
</script>
</body>
</html>