Well, good morning all. Thank you for being here. Today I am going to talk about Foreman single sign-on and how Keycloak helps us make it simpler. Just a few words about me: I work as a quality engineer for Satellite 6 at Red Hat.

This is the agenda for today. We will have a short introduction to Foreman. We will see some existing Foreman authentication capabilities. We will also look into single sign-on with Keycloak and OpenID, what it is. And finally, we will see the Foreman and Keycloak integration with a demo. And last but not least, questions and answers.

So, before moving ahead, let's have a quick survey. Foreman users in the house? Okay. Keycloak users in the house? Oh, nice, nice, nice.

Okay, so for those who are not aware of Foreman: Foreman is a complete lifecycle management tool. It gives system administrators the power to manage their systems. You can automate repetitive tasks. You can quickly deploy your applications. Foreman can provision your systems on the cloud or on-premise, or it can also provision bare metal as well. So, once the provisioning is done, you can also configure your systems using Ansible, Puppet, Chef or Salt. And moving forward, based on the system facts, you can monitor your systems as well.

So, Foreman has a plug-in architecture. Choose what you want. If you want Ansible, if you want Puppet, whatever it is, just pull it in and put it into production. And this gives you more flexibility in how you want your production environment. So, it has a huge ecosystem, starting with Ansible, Azure, Google Cloud, VMware, oVirt, and many more. You can see the whole list here. But we are not going into detail on this. What we are going to look at today is the Foreman authentication capabilities.

So, as we all know, user management is a process repeated across all projects. And that is why we also have some native implementations. First is the internal users.
As we know, it does some database queries and gets the user authentication from there. Next is LDAP authentication. This includes FreeIPA and AD, with two-factor and OTP-based authentication. And Kerberos-based single sign-on is also available with the existing Foreman.

So, just a quick look at these workflows and how they work. There is a user who goes to the browser and enters the username and password for the application. So, it has an internal database. It just looks into the internal database: if the user exists, go inside. The next thing is the FreeIPA user login. Same window. You can log in your FreeIPA user with the same user. Within FreeIPA, you can log in from the Foreman screen. Same as FreeIPA, we have the Active Directory integration as well. It just queries the database whether this user exists and this authentication, and go inside. And last but not least, if you want to have FreeIPA and AD in the same environment, then you can have FreeIPA in a trust with Active Directory, go to Foreman, and the user will get logged in.

So, but the problem is we can't bind our application to a particular identity provider. In this case, it's FreeIPA already, right? You need some application where you can do multiple things. You have some OpenID provider. You will be able to go to that OpenID provider and your user will get logged in on this. So, that's why single sign-on came into the picture. What single sign-on does is redirect all these things. That means you have your application. It will redirect you to the OpenID provider, or whatever your provider is, sorry, identity provider. And it will authenticate your applications. And the main purpose behind this: you can have multiple applications with a single login, with the same set of credentials, users and passwords. Who can do that better than Keycloak? You have one application which can do multiple things for you. So, what is Keycloak?
Keycloak is an open source project for identity and access management. It's basically a single sign-on application. It supports a number of user management use cases, starting with single sign-on. Then you have standard protocol support such as OpenID, SAML, OAuth. It also has centralized management for your admins and users. It can manage a number of realms. Also, user federation with FreeIPA and AD. That means you have a single application which can manage your users from whatever infrastructure is at the back end, that is FreeIPA, AD or any OpenID provider or SAML. Also, it has social logins such as GitHub, Facebook, Microsoft or any social login that you want to integrate with.

So, what we are going to see today is how OpenID Connect will enable authentication with your app. So, OpenID Connect is a simple standard protocol. It is based on OAuth with its specifications, and the message transfers are based on JSON. It uses simple JSON Web Tokens. It is the internet standard for single sign-on. What you need to do is just that you need to authenticate your user, right? It sends your user to the OpenID provider and gets the identity back, in the form of a token. The token is decrypted, and based on the payload, or the claims in the token, your user will get the permissions within your app.

So, let us take a look at the token that it provides. So, this is the JSON Web Token that we get from the app, and it is divided into these three parts. The first is the header, which contains your algorithm and which type of token it is. Here, RS256 is the algorithm and the type is JWT. The next part is the payload data. This is very important because it has everything, starting from your JWT token ID to the expiration, when the token was issued, whom the token is issued to, and who signed it. So, here the issuer is the ISS field, and you can see the audience, which means the client.
You will also see a number of other fields that you get from the tokens. And the last part is the signature, which will verify whether your token is right or not, and coming to the back part of the payload. So, the payload decides who you are, that means your authentication, whether you are a valid user or not for that particular application. The next is what you can do, that is your groups, roles, permissions you can say, and you do not need to register that user on your application side. In this case it is Foreman, which means based on your token values the user will automatically get created in your application.

So, we will take a look at single sign-on in Foreman, how it is implemented and how it works. So, what you need to do is just register your Foreman to the Keycloak server: just install two packages, mod_auth_openidc and keycloak-httpd-client-install. Then you need to just register with this command, keycloak-httpd-client-install, where you need to provide the Keycloak URL. Next is the user which you are going to authenticate with Keycloak. Then next is the realm which you are going to use, and that is it: your application, that means Foreman, will get registered with Keycloak. And the next thing you need to do is to add the mappers. The first mapper is a group membership mapper, which tells you that I have this user group, like DevConf attendee, and I have these permissions; that data will get transferred to your token. At last you need to do some configuration in Foreman so that Foreman can validate some things on the application side.

So, I will have a short demo here. So, what we are going to do here: we are going to just install these two packages on your Foreman server, then we need to register that Foreman server to Keycloak. And once you register this, go to your Keycloak server and you will see the client is added in your Keycloak, in your realm. Here the realm is the SSO realm. Go to your client, and you just need to add two mappers.
So that the token will return some values from your Keycloak. Here, first we are going to add the audience mapper. Audience, in the sense of the client you have registered, the Keycloak application. And the next mapper you need to add is the group membership mapper. Make sure here the token claim name should be groups and full path should be disabled.

Now go to the Foreman server and do some settings. What you need to do is add the client, the algorithm that you are using, the client and some external values. So, this is Authorize login delegation; you need to keep it as external so that it will create an external auth source in your Foreman server. Then the OIDC algorithm, where you can find this algorithm from your well-known configuration; each OpenID provider has some URL like well-known and the OpenID configuration, like this. So, you will get the value of that algorithm; here it is RS256. Then you need to find the OIDC audience; as I said, it is the client. The next is the OIDC issuer: copy the URL and add it as well. Finally, the OIDC JWKS URL. And once you are done with all these settings, just restart your services and you are done. You are going to restart basically the HTTP service, because the configuration that is created by keycloak-httpd-client-install goes to Apache.

Now go to your Foreman server and it will redirect you to Keycloak. So, just authenticate your Keycloak user and you will see that the user gets logged into your Foreman application. The values that it will get, like first name, last name or the email address, will come from the token that it received from this Keycloak application. That is how single sign-on works in the case of the Foreman and Keycloak integration.

So, what does Foreman do? So, Foreman is responsible for a number of things. It validates the token: if you are getting a particular token, whether it is valid for that application or not, whether it is expired or not, or whether it is from the client that it is expected to come from or not.
So, the next is to authorize your user based on the payload. That means you have a number of roles and permissions to give to that particular user, and based on the external user group it maps your roles and permissions in Foreman. Well, that makes it simple and more secure. As I said, your password goes to the identity provider, which means your application does not need to maintain users; you do not need to maintain the database of them, and the application does not have your password as well, so that is the plus. The token has a short expiry, making it more secure. And Keycloak has a number of use cases: you can use smart cards, you can use social logins, or you can use any OpenID provider or authentication protocol, and that makes it less work on the back end and reduces the security risk.

Well, these are the resources. You can visit Foreman, and if you have something cool to do with Foreman, let us know. We also have IRC, #theforeman or #theforeman-dev, and if you have any question just go to community.theforeman.org; we are always there. And well, that is it. Any questions?

Yeah. Okay, that was something. Okay, so the question was: in the demo I had the Hammer CLI client, so that was something different that I had already created with an experiment, and that is completely unrelated to the demo. That was totally unrelated, I mean something experimental. If you want, that means code grant and password grant flow, you can have both of them. Any more questions? Well, that is it. Thank you.
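As an added example, not code from the talk or from Foreman, here are the token checks the speaker lists (signature, pinned algorithm, issuer, audience, expiry) followed by the mapping of the groups claim to application roles. HS256 with a shared secret stands in for the RS256 tokens Keycloak issues so the code runs with the standard library only; the issuer URL, client name, group names and role mapping are constructed values.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(payload: dict, key: bytes, alg: str = "HS256") -> str:
    """Constructed test-only issuer; HS256 stands in for the RS256 tokens Keycloak issues."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def validate_id_token(token: str, key: bytes, alg: str, issuer: str, audience: str,
                      now: float = None, leeway: int = 60) -> dict:
    """Signature, algorithm, issuer, audience and expiry checks; returns the claims or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm from your own settings (oidc_algorithm); never trust the token's 'alg'.
    if header.get("alg") != alg:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()  # HS256 only here
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:  # oidc_issuer
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")  # oidc_audience; 'aud' may be a single string or a list
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    now = time.time() if now is None else now
    if claims.get("exp", 0) + leeway < now:
        raise ValueError("token expired")
    return claims

# Constructed mapping from the 'groups' claim (group membership mapper, full path disabled) to roles.
GROUP_ROLES = {"devconf-attendee": ["Viewer"], "foreman-admins": ["Manager"]}

def roles_for_groups(claims: dict) -> list:
    """Roles the user gets from the external user groups carried in the token."""
    roles = []
    for group in claims.get("groups", []):
        roles.extend(r for r in GROUP_ROLES.get(group, []) if r not in roles)
    return roles
```

With real Keycloak tokens the signature step is an RS256 check against the key fetched from the OIDC JWKS URL; everything after it is the same.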