Keycloak Server Configuration

As a prerequisite, you must have a Keycloak server that is up and running on your machine. There should be a trusted SSL certificate connected to the public interface on keycloak server. For more information, refer to Server Installation and Configuration Guide.

Perform the following steps to setup the keycloak server:

• Create a New Realm
• Set User Federation (Optional)
• Add Groups (Optional)
• Create openid-connect Client
• Create a Scope
• Create Mappers for the Scope
• Assign Scope to the Client

Create a New Realm

Perform the following steps:

1. Login to Keycloak admin console, click Add realm from drop-down menu in left pane.

   

2. Enter a name in the Name field, and click Create.

   

3. In the left pane, select this realm, and click Realm Settings.

   

4. Click Endpoints > OpenID Endpoint Configuration.

   

   It displays a new window with metadata related to this realm as shown below:

   

   Make sure to use a trusted SSL certificate other than localhost, as the SafeNet IDPrime Virtual Client connects only to trusted endpoints.

Set User Federation (Optional)

Perform the following steps:

For this integration, use Active Directory(AD) as the data store but you can use any other applicable data store.

Add a new a data store for this realm so that the Keycloak server knows which all users can be authenticated and where it will look for their authentication.

1. In the left pane, select this realm, and click User Federation.

   The User Federation ID is displayed in the right pane.

2. Click Add provider > LDAP.

   This displays the LDAP data store settings page.

3. Provide the following details:

   • Edit mode: Select any of the following mode:

     • Select Read_Only: If the users attributes are not required to be synced back to the LDAP store.

     • Select Writable: If the users attributes can be written back to LDAP store.

     • Select UnSynced: If the users data is only imported and not synced back to LDAP.

   • Import Users: Enabled.

   • Sync Registrations: Enabled.

   • Vendor: Whether using AD or any other LDAP store.

   • Connection Url: Provide the LDAP connection url to the data store.

   • Bind DN: Username of the service account used to sync registrations from AD Store.

   • Bind Credentials: Password of the service account used to sync registrations from AD store.

   

   

   When selecting Active Directory, in the Vendor field, some fields on the Settings page get auto-filled:

   

   For additional configuration such as TLS authentication, connection pooling, Kerberos or sync settings:

   

4. Once done, click Synchronize all users. This will add users to Keycloak Database under Users for this realm:

   1. In the left pane, under Manage section, select Users.

   2. In the right pane, click View all users to see all synced users in Keycloak database.

   

5. Sync group information from AD (optional)
   

   1. Click Mappers and then click Create. .
   2. Select the Mapper Type as group-ldap-mapper. .
   3. Enter the value for LDAP Groups DN parameter.
   4. Modify rest of the parameters as per the requirement, or keep the default setting. Click Save.

Add Groups (Optional)

If group information is being synced from AD, then below steps are not required.

Create two new groups for identifying users and administrators.

1. Select the realm > User Groups > Click New.

   

2. Enter a name in the Name field, and click Save.

   • For admin, enter IDPrimeVirtualAdmin:

     

   • For normal users, enter IDPrimeVirtualUser:

     

     Similarly, create a group for IDPrimeVirtualProvisioningAdmin and OfflineTokenEnableGroup if required.

3. Assign users to the respective groups.

   1. In the left pane, under Manage section, select Users.

   2. In the right pane, select the user.

      

   3. Assign the required group to the user.

      

Create openid-connect Client

1. In the left pane, select the realm, and select Clients.

2. In the right pane, click Create to add a new client.

   

   1. Enter the value for client ID that is used in idpv server configuration.

   2. In the Client Protocol field, select openid-connect, and click Save.

      

      This displays the client settings page:

      

   3. Enter the following details:

      • Name: Enter a name, if required.
      • Enabled: Set to ON
      • Login Theme: Select keycloak from the drop-down.
      • Access Type: Select confidential from the drop-down.
      • Standard Flow Enabled: Set to ON
      • Valid Redirect URI: Enter the valid URL.
        URL structure: https://<server-host>/*
        For example: https://www.idpvserver.com/
        Note: This URL is updated as per IDPV server host name.

      If additional configuration such as Access token lifetime, signing algorithms etc are desired, following settings can be explored:

      

Create a Scope

Create a scope to send the required claims in Access Token:

1. In the left pane, select the realm > Client Scopes.

2. In the right pane, click Create.

   

   1. Enter idpvscope in the Name field.

   2. In the Protocol field, select openid-connect, and click Save.

      

Create Mappers for the Scope

1. Select the required client scope, and click Mappers > Create.

   

2. Enter the details as shown below, and click Save.

   • For Mapper Type: User Property

     

   • For Mapper Type: Group Membership

     

   Option Full Group Path adds '\' in the resulting group claims in Access and ID token. Accordingly, update the idp-configuration.json file.

   The claim name and values depend on the IDPV server configuration. When creating the smart cards for the users, the IDPV Server verifies the claim and their values according to the idp-configuration.json provided at the time of tenant creation.

Assign Scope to the Client

Perform the following steps:

1. In the left pane, select the realm > Clients.

2. In the right pane, select the client, and select the scope created in Create a scope in the Default Client Scopes field.

3. Click Add selected.

   The selected client scopes are displayed in the Assigned Default Client Scopes field.