Extension SSO

Title	SSO
Name	ckanext-sso
Type	Public extension
Description	OpenID Connect plugin for CKAN providing Keycloak-based Single Sign-On authentication used by the B.C. Data Catalogue.
CKAN versions	~2.7,~2.8,~2.9 Show details These CKAN Versions are exactely matched: 2.10.0 2.10.1 2.10.2 2.10.3 2.10.4 2.10.5 2.10.6 2.10.7 2.10.8 2.10.9 2.11.0 2.11.1 2.11.2 2.11.3 2.11.4 2.12.0 2.7.0 2.7.1 2.7.10 2.7.11 2.7.12 2.7.2 2.7.3 2.7.4 2.7.5 2.7.6 2.7.7 2.7.8 2.7.9 2.8.0 2.8.1 2.8.10 2.8.11 2.8.12 2.8.2 2.8.3 2.8.4 2.8.5 2.8.6 2.8.7 2.8.8 2.8.9 2.9.0 2.9.0a 2.9.1 2.9.10 2.9.11 2.9.13 2.9.2 2.9.3 2.9.4 2.9.5 2.9.6 2.9.7 2.9.8 2.9.9
Download-Url (zip)	https://github.com/bcgov/ckanext-sso.git#egg=ckanext-sso
Last commit	9 months ago (2025-06-03 17:57:22)
Url to repo	https://github.com/bcgov/ckanext-sso
Category	Authentication & Security

Description (long)	Show details ckanext-sso OpenID Connect plugin for CKAN used by the B.C. Data Catalogue. Currently only supports Keycloak. Features Keycloak-based Single Sign-On (SSO) authentication Bearer token support for CKAN REST API access Auto-creation of CKAN users for corresponding Keycloak users Original CKAN auth works alongside SSO Users are added to organizations based on Keycloak group memberships Sysadmin group assignment via Keycloak groups Requirements CKAN 2.7+ Keycloak identity provider Installation To install ckanext-sso: Activate your CKAN virtual environment. Clone the source and install it: `git clone https://github.com/bcgov/ckanext-sso.git cd ckanext-sso pip install -e .` Add `sso` to the `ckan.plugins` setting in your CKAN config file. Configure the Keycloak settings in your CKAN config. Config settings ckan.sso.authorization_endpoint = <keycloak auth endpoint> ckan.sso.realm = <keycloak realm> ckan.sso.client_id = <client id> ckan.sso.client_secret = <client secret> ckan.sso.sysadmin_group_name = <group name for sysadmins> ckan.sso.profile_group_field = <field for group membership> ckan.sso.profile_username_field = <field for username> ckan.sso.profile_email_field = <field for email> ckan.sso.profile_fullname_field = <field for display name> ckan.sso.profile_group_delim = <delimiter for groups> License AGPL-3.0
Version	0.1
Version release date	(not set)
Contact name	B.C. Government
Contakt email	(not set)
Contact Url	(not set)

Configuration hints	Requires Keycloak identity provider. Configure authorization endpoint, realm, client ID and secret.
Plugins to configure (ckan.ini)	sso
CKAN Settings (ckan.ini)	`# ckan.sso.authorization_endpoint = https://keycloak.example.com/auth # ckan.sso.realm = ckan # ckan.sso.client_id = ckan-client # ckan.sso.client_secret = your-secret # ckan.sso.sysadmin_group_name = sysadmins # ckan.sso.profile_group_field = groups # ckan.sso.profile_username_field = preferred_username # ckan.sso.profile_email_field = email # ckan.sso.profile_fullname_field = name # ckan.sso.profile_group_delim = ,`
DB migration to be executed	(not set)

ckanext-sso