Using Keycloak for Multifactor Authentication for CTE GuardPoints
Integration with Keycloak requires creating an OIDC connection in CipherTrust Manager, after you create an OIDC template in Keycloak.
Prerequisites
-
Have a CipherTrust Manager set up with:
-
CipherTrust Transparent Encryption host and Keycloak server must have their time's synchronized. If they are not time-synced, then Multifactor Authentication login fails with the following error:
Failed to verify ID Token: oidc: token is expired (Token Expiry: 2022-11-08 22:42:20 -0800 PST)
On the Keycloak platform:
-
Create an admin user.
-
Login to the realm and create one or more users.
-
Set a password for the user.
-
Create an OIDC client in realm with the following settings:
-
Valid Redirect URIs: Configure in the format:
http://127.0.0.1:<CTE-OIDC-Login-Port>/auth/callback
-
Default value of CTE-OIDC-Login-Port: 5560, if CTE admin changes this port, they must provide the updated value.
-
Capability Config with Client Authentication and Authorization: On
-
Authentication Flow: Standard Flow
-
-
Note three OIDC parameters:
-
Provider URL format:
-
For non-TLS:
http://<keycloak-ip>:<keycloak-port>/realms/<realm-name>/.well-known/openid-configuration
-
For TLS:
https://<keycloak-ip>:<keycloak-port>/realms/<realm-name>/.well-known/openid-configuration
If KeyCloak is configured for TLS, the KeyCloak certificate (if self-signed), or certificate chain, including the root CA, and any intermediate CAs, must be imported into the CipherTrust Transparent Encryption client machine. Import the self-signed certificate as a root CA. CipherTrust Transparent Encryption will fail to connect to the provider if certificates are not imported. To import a certificate: see Importing Certificates Using MMC
-
-
Client-ID as configured for the OIDC client
-
Client-Secret as shown for the OIDC client
-
Create an OIDC connection on CipherTrust Manager
-
Log on to the CipherTrust Manager GUI as an administrator.
-
In the left pane, click Access Management > Connections.
-
In the Connections, click Add Connection.
-
Click OIDC and then click Next.
-
Provide a name for the connection and click Next.
-
Enter values for the configuration information.
Refer to your Multifactor Authentication provider profile for the values:
-
URL of OIDC provider:
-
For Thales Safenet Trusted Access, select Well Known Configuration URL
-
For other providers, select the URL of the OIDC provider
-
-
Client ID
-
Client Secret
-
-
Click Next and in the Add Products window, select CTE for product.
-
Click Add Connection.