Keycloak | OIDC

1. Display name

Choose a name for your identity provider. This is the user-facing name, so choose a name your users will recognize. This value can be changed later.


2. Redirect Mode

Select how the user will be redirected to the identity provider. Available options are: Automatic, Instant and No redirect. You may configure more redirect modes after completing the setup.


3. Prepare IDP

Copy the Callback URL. You will need this when configuring Keycloak.


Configure Keycloak


If you are using SCIM with your provider, read the documentation for configuring it before proceeding. You may need to configure SCIM first, or at the same time as setting up OIDC.

Sign in to the Keycloak admin console.

Select the correct realm (we are using example.com) and then Create client.

In the Client ID field, give the client a unique name.

Select openid-connect as the Client Protocol.

Insert the base URL of your Atlassian application in the Root URL field (in the example below, we have a Jira instance available at jira-test.example.com).

Save the new client.

Give the client a name (in the example below we call it “My Jira”), and set the Access Type to confidential. You can also paste the callback URL from the Kantega SSO wizard into “Valid Redirect URIs”, so that Keycloak only accepts redirects to that exact address rather than anything under the Root URL.

Save changes.

Mappers (Managed Groups or Auto create groups)

If you intend to use Managed groups (manage your users' group membership in Keycloak) or Auto create groups, you also need a mapper for group claims. If not, you can skip this step.

Create a mapper with the following settings:

  • Set Name to Group 

  • Set Mapper Type to Group Membership

  • Set Token claim Name to Groups

  • Set Full group path to OFF


Go back to the Kantega SSO setup wizard, step 3 Metadata.


Copy the client ID from the Settings tab and the client secret from the Credentials tab.

Go back to the Kantega SSO setup wizard.

4. Metadata

Complete the discovery URL by inserting the host URL and realm name.

5. Scopes

These are the scopes we were able to fetch from the metadata. You can add scope values from the list, start typing to add your own, or unselect them. A minimum of one scope value is required.

6. Credentials

In this step, we will insert the client credentials from Keycloak. The client ID is found in the Settings tab, while the secret is found in the Credentials tab in Keycloak.

Paste these values into the respective fields.


7. Summary

Confirm that everything looks good and submit your setup.


Test

Test that login with Keycloak works as expected. This will help identify if there are any issues with the configuration. Follow the steps to perform the login test.
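Before running the login test, the values entered in the steps above can be sanity-checked offline. The following is an added example, not Kantega SSO or Keycloak code: it builds the realm's discovery URL, checks a discovery document for the endpoints and scopes the wizard relies on, applies a simplified model of Keycloak's "Valid Redirect URIs" matching (exact match, or prefix match for an entry ending in `*`), and flattens a group claim the way a mapper with Full group path ON would otherwise leave it. The host, realm, callback path and discovery document are constructed sample values.

```python
"""Offline sanity checks for a Keycloak OIDC client setup (added example)."""
import json
from urllib.parse import urlsplit


def discovery_url(host: str, realm: str) -> str:
    """Discovery URL for a realm, using the path layout of current Keycloak releases."""
    return f"https://{host}/realms/{realm}/.well-known/openid-configuration"


# Constructed sample of the fields the wizard reads from the discovery document.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://keycloak.example.com/realms/example.com",
    "authorization_endpoint": "https://keycloak.example.com/realms/example.com/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.example.com/realms/example.com/protocol/openid-connect/token",
    "scopes_supported": ["openid", "profile", "email", "groups"],
})

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint")


def check_metadata(raw: str, host: str, realm: str) -> list[str]:
    """Return a list of problems found in the discovery document; empty means it looks sane."""
    meta = json.loads(raw)
    problems = [f"missing {key}" for key in REQUIRED_KEYS if key not in meta]
    # The issuer must be the realm you configured, otherwise tokens will fail issuer validation.
    if meta.get("issuer") != f"https://{host}/realms/{realm}":
        problems.append("issuer does not match host/realm")
    for key in ("authorization_endpoint", "token_endpoint"):
        if key in meta and urlsplit(meta[key]).scheme != "https":
            problems.append(f"{key} is not https")
    # Step 5 needs at least one scope; "openid" is the one OIDC requires.
    if "openid" not in meta.get("scopes_supported", []):
        problems.append("openid scope not advertised")
    return problems


def redirect_uri_allowed(callback: str, valid_redirect_uris: list[str]) -> bool:
    """Simplified Keycloak rule: exact match, or prefix match when the entry ends with '*'."""
    for entry in valid_redirect_uris:
        if entry.endswith("*") and callback.startswith(entry[:-1]):
            return True
        if callback == entry:
            return True
    return False


def groups_from_claims(claims: dict, claim_name: str = "Groups") -> list[str]:
    """Reduce each group to its final path segment ("/dept/jira-admins" -> "jira-admins")."""
    return [group.strip("/").split("/")[-1] for group in claims.get(claim_name, [])]
```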