Keycloak | OIDC

1. Display name

Choose a name for your identity provider. This is the user-facing name, so choose a name your users will recognize. This value can be changed later.


2. Redirect Mode

Select how the user will be redirected to the identity provider. The available options are Automatic, Instant and No redirect. You can configure more redirect modes after completing the setup.


3. Prepare IDP

Copy the Callback URL. You will need this when configuring Keycloak.


Configure Keycloak


If you are using SCIM with your provider, read the documentation for configuring it before proceeding. You may need to set it up first, or at the same time as OIDC.

Sign in to the Keycloak admin console.

Select the correct realm (we are using master). Note that master is Keycloak's administrative realm; for production use, a dedicated realm for your application users is the usual choice.

Click the Create client button.

Select OpenID Connect as the Client Protocol.

In the Client ID field, give the client a unique ID and a name.

Click the Next button.

Turn Client authentication On. This makes the client confidential: Keycloak issues a client secret that only your Atlassian server holds, and that secret is what you enter in step 6.

Leave the default authentication flow as in the picture below.

Click the Next button.

Insert the base URL of your Atlassian application in the Root URL field (in the example below, we have a Jira instance available at jira-test.example.com). This lets you use relative paths in redirect URIs.

In the Valid redirect URIs field, enter the callback URL from the Kantega SSO wizard. Register the exact callback URL rather than a wildcard pattern: Keycloak will send the authorization code to any URI matching this field, so an over-broad entry lets an attacker receive codes meant for your site.

If you support several sites using this IdP, add one redirect URI per site here.


Save changes.

Now you must get the client credential. Open the client and select the Credentials tab at the top. Copy the client secret and use it in the Kantega SSO wizard. Treat it like a password: it is what proves to Keycloak that a token request comes from your Atlassian server.

Client scopes (“Old” Mappers) - Managed Groups or Auto create groups

If you intend to use Managed groups (manage your users' group membership in Keycloak) or Auto create groups, you also need a mapper that adds a group claim to the token. Otherwise, you can skip this step.

Select your new client and open the Client scopes tab. Then click the topmost assigned client scope, in our example jira-test-dedicated.


Choose Configure a new mapper and select Group Membership from the list of mapper types.

  • Set Name to Group

  • Set Mapper Type to Group Membership

  • Set Token Claim Name to Groups

  • Set Full group path to OFF

With Full group path off, the claim contains only the group name (for example jira-users rather than /atlassian/jira-users). Keep in mind that two groups with the same name in different parts of the group tree then become indistinguishable in the token.
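The client and mapper configured by hand above can also be expressed as a Keycloak client representation, which is what the admin REST API (POST /admin/realms/{realm}/clients) and realm imports accept. The script below is an added example and not Kantega's or Keycloak's own code: build_client and check_redirect_uri are hypothetical helper names, the JSON field names are Keycloak's ClientRepresentation and ProtocolMapperRepresentation fields, and the callback path is a constructed placeholder (use the one the Kantega SSO wizard shows you). It refuses redirect URIs that are not absolute https or that contain a wildcard, which is the check a reviewer would apply to the Valid redirect URIs field.

```python
"""Build a Keycloak ClientRepresentation for the confidential OIDC client
described above, with the Group Membership mapper attached.

Added example, not Kantega's or Keycloak's own code. build_client and
check_redirect_uri are hypothetical helper names; the JSON keys are
Keycloak's ClientRepresentation / ProtocolMapperRepresentation fields.
The callback path in the usage block is a constructed placeholder.
"""
import json
from urllib.parse import urlsplit


def check_redirect_uri(uri: str) -> None:
    """Reject redirect URIs that would widen where Keycloak may send
    authorization codes: absolute https only, no Keycloak wildcard (*),
    no fragment."""
    parts = urlsplit(uri)
    if parts.scheme != "https":
        raise ValueError(f"redirect URI must use https: {uri}")
    if not parts.netloc:
        raise ValueError(f"redirect URI must be absolute: {uri}")
    if "*" in uri:
        raise ValueError(f"wildcard redirect URI not allowed: {uri}")
    if parts.fragment:
        raise ValueError(f"redirect URI must not carry a fragment: {uri}")


def build_client(client_id: str, root_url: str, redirect_uris: list,
                 groups_claim: str = "Groups", full_path: bool = False) -> dict:
    """Return the client representation mirroring the wizard steps:
    confidential client, authorization code flow, exact redirect URIs,
    and a group claim without the full group path."""
    for uri in redirect_uris:
        check_redirect_uri(uri)
    return {
        "clientId": client_id,
        "protocol": "openid-connect",
        "enabled": True,
        "publicClient": False,                  # "Client authentication: On"
        "clientAuthenticatorType": "client-secret",
        "rootUrl": root_url,
        "redirectUris": list(redirect_uris),
        "standardFlowEnabled": True,            # authorization code flow
        "implicitFlowEnabled": False,
        # Hardening choice in this example, not something the page asks for:
        # an SSO client has no use for the password (direct access) grant.
        "directAccessGrantsEnabled": False,
        "serviceAccountsEnabled": False,
        "protocolMappers": [{
            "name": "Group",
            "protocol": "openid-connect",
            "protocolMapper": "oidc-group-membership-mapper",
            "config": {
                "claim.name": groups_claim,
                "full.path": "true" if full_path else "false",
                "id.token.claim": "true",
                "access.token.claim": "true",
                "userinfo.token.claim": "true",
            },
        }],
    }


if __name__ == "__main__":
    # Constructed example values; the real callback URL comes from the wizard.
    rep = build_client(
        "jira-test",
        "https://jira-test.example.com",
        ["https://jira-test.example.com/plugins/servlet/oidc/callback"],
    )
    print(json.dumps(rep, indent=2))
```

The generated JSON can be saved and posted with kcadm.sh or curl against the admin API, which makes the client definition reviewable and repeatable instead of living only in console screenshots.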


Go back to the Kantega SSO setup wizard, step 4, Metadata.

Have the client ID (Settings tab) and the client secret (Credentials tab) at hand.

4. Metadata

Complete the discovery URL by inserting the Keycloak host url and realm name.

For Keycloak 18.0.0 and higher the /auth path prefix is not used. Example discovery URL for 18.0.0+:

https://keycloak.example.com/realms/master/.well-known/openid-configuration

Older versions include the /auth prefix, e.g. https://keycloak.example.com/auth/realms/master/.well-known/openid-configuration. The issuer value in the fetched document should equal the discovery URL without the /.well-known/openid-configuration suffix; if it does not, the host or realm in the URL is wrong.
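As an added example (not Kantega's or Keycloak's own code), the script below builds the discovery URL for both the 18.0.0+ layout and the older /auth layout and then checks the discovery document the way a careful client should before trusting it: the issuer must match the URL it was fetched from, the endpoints must be https, and the metadata must advertise the openid scope, the authorization code flow, PKCE S256 and client-secret authentication. discovery_url and check_discovery are hypothetical helper names; SAMPLE_DOC is a constructed document shaped like what Keycloak 18+ serves, so the check runs offline.

```python
"""Build the Keycloak discovery URL and sanity-check the document it returns.

Added example, not Kantega's or Keycloak's own code. discovery_url and
check_discovery are hypothetical helper names; the document keys are the
standard OpenID Connect Discovery metadata names. SAMPLE_DOC is constructed.
"""
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(host: str, realm: str, legacy_auth_prefix: bool = False) -> str:
    """Keycloak 18+: https://host/realms/<realm>/.well-known/openid-configuration.
    Installations older than 18.0.0 served everything under /auth."""
    prefix = "/auth" if legacy_auth_prefix else ""
    return f"https://{host}{prefix}/realms/{realm}{WELL_KNOWN}"


def check_discovery(doc: dict, url: str) -> list:
    """Return a list of problems; an empty list means the document is usable.

    The issuer check matters most: OIDC Discovery requires the issuer to equal
    the discovery URL minus the well-known suffix, and the client later
    compares that value against the iss claim of every ID token it receives."""
    problems = []
    expected_issuer = url[:-len(WELL_KNOWN)] if url.endswith(WELL_KNOWN) else url
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} != {expected_issuer!r}")
    for name in REQUIRED_ENDPOINTS:
        value = doc.get(name, "")
        if urlsplit(value).scheme != "https":
            problems.append(f"{name} missing or not https: {value!r}")
    if "openid" not in doc.get("scopes_supported", []):
        problems.append("scopes_supported lacks 'openid'")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 not advertised")
    auth_methods = set(doc.get("token_endpoint_auth_methods_supported", []))
    if not auth_methods & {"client_secret_basic", "client_secret_post"}:
        problems.append("client secret authentication not advertised")
    return problems


# Constructed sample, trimmed to the fields checked above.
SAMPLE_DOC = json.loads("""{
  "issuer": "https://keycloak.example.com/realms/master",
  "authorization_endpoint": "https://keycloak.example.com/realms/master/protocol/openid-connect/auth",
  "token_endpoint": "https://keycloak.example.com/realms/master/protocol/openid-connect/token",
  "jwks_uri": "https://keycloak.example.com/realms/master/protocol/openid-connect/certs",
  "scopes_supported": ["openid", "profile", "email", "roles"],
  "response_types_supported": ["code", "id_token", "code id_token"],
  "code_challenge_methods_supported": ["plain", "S256"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "private_key_jwt"]
}""")


if __name__ == "__main__":
    url = discovery_url("keycloak.example.com", "master")
    print(url)
    print("problems:", check_discovery(SAMPLE_DOC, url) or "none")
    # The same document reached through a mistyped realm name fails the issuer check.
    print("problems:", check_discovery(SAMPLE_DOC, discovery_url("keycloak.example.com", "mater")))
```

Against a live server, replace SAMPLE_DOC with the JSON fetched from the URL the function returns; a non-empty problem list means the wizard's Metadata step will either fail or silently bind to the wrong issuer.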

5. Scopes

These are the scopes that could be fetched from the metadata. You can add scope values from the list, start typing to add your own, or unselect them. At least one scope value is required, and the openid scope must be included for an OIDC login to return an ID token.

6. Credentials

In this step, insert the client credentials from Keycloak. The client ID is found in the Settings tab and the secret in the Credentials tab in Keycloak.

Paste these values into the respective fields.

7. Summary

Confirm that everything looks good and submit your setup.


Test

Test that login with Keycloak works as expected; this will reveal any issues with the configuration. Follow the steps to perform the login test, and if you configured the group mapper, confirm that the Groups claim appears in the received token.