
fix(jans-linux-setup): client kc_saml_openid is trusted #9041

Merged (1 commit), Jul 29, 2024

Conversation

devrimyatar (Contributor)

closes #8921

  • I confirm that there is no impact on the docs due to the code changes in this PR.

Signed-off-by: Mustafa Baser <mbaser@mail.com>
@devrimyatar devrimyatar added kind-bug Issue or PR is a bug in existing functionality comp-jans-linux-setup Component affected by issue or PR labels Jul 28, 2024
@devrimyatar devrimyatar requested a review from uprightech July 28, 2024 08:49

dryrunsecurity bot commented Jul 28, 2024

DryRun Security Summary

The pull request focuses on the configuration of OAuth clients, the installation and configuration of the Jans SAML component, and the handling of sensitive information, with potential security implications related to the "trusted_client" flag, Keycloak setup, and the management of client secrets, user passwords, and database credentials.


Summary:

The code changes in this Pull Request are focused on the configuration of OAuth clients and the installation/configuration of the Jans SAML (Security Assertion Markup Language) component. The key security-relevant aspects include the introduction of a "trusted_client" flag for certain clients, the installation and configuration of Keycloak as the identity provider, and the handling of sensitive information such as client secrets, user passwords, and database credentials.

From an application security perspective, the "trusted_client" flag is an important consideration, as it could grant additional privileges or permissions to certain clients. It's crucial to ensure that the criteria for determining a client as "trusted" are well-defined and that the associated privileges are appropriate and do not introduce security vulnerabilities. Additionally, the Keycloak setup, SAML configuration, and handling of sensitive information should be thoroughly reviewed to maintain the overall security posture of the application.

Files Changed:

  1. jans-linux-setup/jans_setup/templates/jans-saml/clients.json:
     • Introduces a new "trusted_client" field for each client configuration, which could have security implications if not properly managed.
     • Marks the "saml_scim_client" and "kc_scheduler_api" clients as "trusted_client": "false", and the "kc_saml_openid" client as "trusted_client": "true".
     • The criteria for determining a client as "trusted" should be reviewed to ensure appropriate privileges are granted.
  2. jans-linux-setup/jans_setup/setup_app/installers/jans_saml.py:
     • Handles the installation and configuration of the Jans SAML component, including the setup of SAML clients, the Keycloak identity provider, and the Keycloak scheduler.
     • Manages sensitive information, such as client secrets, user passwords, and database credentials, which should be properly secured.
     • Grants the "jans-api-user" various administrative roles in the Keycloak realm, which could potentially lead to privilege escalation if the user's credentials are compromised.
     • The SAML configuration, including trust relationships, encryption, and signing settings, should be reviewed for security.

Code Analysis

We ran 9 analyzers against 2 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer findings: Authn/Authz Analyzer, 1 finding

Riskiness

🟢 Risk threshold not exceeded.


@yuriyz yuriyz merged commit 6f6ca62 into main Jul 29, 2024
12 checks passed
@yuriyz yuriyz deleted the jans-linux-setup-kc-saml-client-8921 branch July 29, 2024 08:25
yuriyz pushed a commit that referenced this pull request Nov 7, 2024
Signed-off-by: Mustafa Baser <mbaser@mail.com>
Former-commit-id: 6f6ca62
Labels: comp-jans-linux-setup (Component affected by issue or PR), kind-bug (Issue or PR is a bug in existing functionality)
Development

Successfully merging this pull request may close these issues.

fix(jans-keycloak-integration): openid client kc_saml_openid is not a trusted openid client.
3 participants