Keycloak (API Connector)

Start setup in Kantega SSO Enterprise

To add a Keycloak API Connector, navigate to KSSO and click Cloud provisioning. Select Keycloak in the “API Connectors” section of the dropdown.


The Keycloak API Connector setup form should appear.

The form asks for several values (Realm, Client ID, Client secret, Username, Password and Keycloak URI scheme), which you will collect from Keycloak and note down during the steps below.

Next, go to Keycloak to collect these values.

Configure Keycloak

Configure realm in Keycloak

Log into the Keycloak console. Select the Keycloak realm you wish to connect to, or if necessary, create a new realm.

If you have multiple realms, you can select a realm using the dropdown in the upper left corner of the Keycloak console. In the image below, the realm is set to “Master”.

Navigate to the Realm settings page (found in the menu on the left-hand side). Copy the name (not the display name) of the realm and paste it into the Realm field on the KSSO Keycloak API Connector setup page.

Realm name is case sensitive!

Configure client in Keycloak

Go to Clients in the menu. In the list of clients, find the client you wish to use to fetch user data, or create a new client by clicking the Create button to the right of the search bar.

  • Enter a unique Client ID

  • Select openid-connect as the Client Protocol

  • Save the client.

In the Settings tab:

  • Set Access Type to confidential

  • Valid Redirect URIs is a mandatory field. Set it to /*

  • Save to update the client. Setting Access Type to confidential should have caused the Credentials tab to appear on the edit page.

Navigate to the Credentials tab, and ensure that Client Authenticator is set to “Client Id and Secret”. Copy the secret and paste it into the Client secret field on the KSSO Keycloak API Connector setup page.

Navigate to the Settings tab. Copy the Client ID and paste it into the Client ID field on the KSSO Keycloak API Connector setup page.

Client ID is case sensitive!

Configure user in Keycloak

Retrieving user credentials

Navigate to the Users page (found in the menu on the left-hand side). Click on a specific user ID, or click the Add user button to add a new user. When adding a user, the username must be unique. After creating the user, find it in the list of users and click on its ID to see user details.

Ensure that the user is enabled. Copy the username and paste it into the Username field on the Keycloak API Connector setup page.

Navigate to the Credentials tab and set a password. When resetting the password, ensure that Temporary is set to Off. Enter the password into the Password field on the Keycloak API Connector setup page.

Username and password are case sensitive!

Configuring user permissions

Appropriate user permissions must be configured for the user to be allowed to call the Keycloak Admin API. Open the Role Mappings tab. In the Client Roles drop-down menu, choose realm-management. Ensure that the user has the following roles listed in the Effective Roles list:

  • query-groups

  • query-users

  • view-users

All of the required roles will be effective if the view-users role is assigned, because view-users is a composite role that includes query-users and query-groups.

Configure URI Scheme in Keycloak

The URI scheme consists of the protocol and host (with or without a port), followed by the base path under which Keycloak is served. For example:

  • http://localhost:8080/auth/

  • http://keycloak.example.com/auth/

Enter the URI into the Keycloak URI scheme field on the KSSO Keycloak API Connector setup page.
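Before submitting the form, it helps to confirm that the six values collected above actually work together. The script below is an added example written for this page; it is not part of Kantega SSO or Keycloak. It assumes the connector authenticates the configured user with the OAuth2 resource owner password grant (Keycloak's "Direct Access Grants", which must be enabled on the client) and then calls the Keycloak Admin REST API, for which the user needs the realm-management view-users role. The endpoint paths (`realms/<realm>/protocol/openid-connect/token` and `admin/realms/<realm>/users`) are standard Keycloak paths; the configuration values in the `__main__` block are placeholders.

```python
"""Preflight check for the KSSO Keycloak API Connector values (added example, not KSSO code)."""
import json
import urllib.error
import urllib.parse
import urllib.request

# Realm-management roles the setup guide requires in the user's Effective Roles list.
REQUIRED_ROLES = {"query-groups", "query-users", "view-users"}


def normalize_uri_scheme(uri):
    """Validate the 'Keycloak URI scheme' (protocol, host[:port], base path) and return it with one trailing slash."""
    parts = urllib.parse.urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        raise ValueError("URI scheme must start with http:// or https://: %r" % uri)
    if not parts.netloc:
        raise ValueError("URI scheme must include a host: %r" % uri)
    if parts.query or parts.fragment:
        raise ValueError("URI scheme must not contain a query or fragment: %r" % uri)
    path = parts.path if parts.path.endswith("/") else parts.path + "/"
    return urllib.parse.urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def token_endpoint(uri, realm):
    """Token endpoint of the realm; realm names are case sensitive, so the value is inserted as typed."""
    return "%srealms/%s/protocol/openid-connect/token" % (
        normalize_uri_scheme(uri), urllib.parse.quote(realm, safe=""))


def admin_users_endpoint(uri, realm):
    """Cheapest Admin API call that requires view-users: list at most one user."""
    return "%sadmin/realms/%s/users?max=1" % (
        normalize_uri_scheme(uri), urllib.parse.quote(realm, safe=""))


def build_token_request(client_id, client_secret, username, password):
    """Form body of the password grant; every value is case sensitive, so nothing is normalised."""
    return urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    }).encode()


def missing_roles(effective_roles):
    """Compare the realm-management roles shown under Effective Roles with the required set."""
    return sorted(REQUIRED_ROLES - set(effective_roles))


def diagnose(stage, status):
    """Map an HTTP status from one of the two live calls to the setup field most likely at fault."""
    if stage == "token" and status == 404:
        return "realm not found: check the Realm field (case sensitive)"
    if stage == "token" and status in (400, 401):
        return ("token request rejected: check Client ID, Client secret, Username and Password "
                "(all case sensitive) and that Direct Access Grants is enabled on the client")
    if stage == "admin" and status == 403:
        return "token accepted but Admin API refused: assign the realm-management view-users role"
    return "unexpected HTTP %d at the %s stage" % (status, stage)


def _http(url, data=None, headers=None):
    """Return (status, parsed body) without raising on 4xx/5xx responses."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        body = err.read()
        try:
            return err.code, json.loads(body)
        except ValueError:
            return err.code, body.decode(errors="replace")


def preflight(cfg):
    """Run both live checks against a real Keycloak; cfg keys mirror the setup page fields."""
    status, body = _http(token_endpoint(cfg["uri_scheme"], cfg["realm"]),
                         data=build_token_request(cfg["client_id"], cfg["client_secret"],
                                                  cfg["username"], cfg["password"]))
    if status != 200:
        return False, diagnose("token", status)
    status, body = _http(admin_users_endpoint(cfg["uri_scheme"], cfg["realm"]),
                         headers={"Authorization": "Bearer " + body["access_token"]})
    if status != 200:
        return False, diagnose("admin", status)
    return True, "token issued and Admin API reachable with view-users"


if __name__ == "__main__":
    # Placeholder values (hypothetical); replace them with what you pasted into the setup page.
    print(preflight({
        "uri_scheme": "http://localhost:8080/auth/", "realm": "Master",
        "client_id": "ksso-connector", "client_secret": "<client secret>",
        "username": "ksso-service", "password": "<password>",
    }))
```

A 404 from the token endpoint points at the realm name, a 400 or 401 at the client or user credentials, and a 403 from the Admin API at the role mapping; each of these matches one of the case-sensitivity notes in the steps above.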

Complete the setup in Kantega SSO Enterprise

Check that everything looks correct on the KSSO Keycloak API Connector setup page and submit your setup.

Add user directory

A user directory must be created to hold users and groups from Keycloak. Verify the configuration before adding the user directory. Check “Use nested groups” if you use nested groups in Keycloak.