SafeNet Keycloak Agent

User Federation Setup

Once the realm is configured, the next step is to configure the users for the realm.

In the Keycloak realm, you can federate multiple LDAP servers. It allows mapping of LDAP user attributes to the Keycloak common user model. By default, it maps username, email, first name, and last name, but you can configure additional mappings as well.

To configure User Federation setup:

  1. Navigate to the Keycloak UI Admin Console.

  2. Click User Federation setting in the left pane.

  3. The User Federation configuration page is displayed.

  4. User Federation can be configured through LDAP User Federation or SAS User Federation. Choose either configuration.

Configure LDAP User Federation

Keycloak comes with a built-in LDAP/AD provider. The LDAP provider also supports password validation through LDAP/AD protocols.

Figure: System diagram for LDAP User Federation

To configure a federated LDAP:

  1. Navigate to the Keycloak UI Admin Console.

  2. Click User Federation setting in the left pane.

  3. The User Federation configuration page is displayed. Select ldap from the Add Provider drop-down list. The LDAP configuration page opens.

For full LDAP configuration, refer to the Keycloak Server Administrator Guide.

The example below shows sample settings for a User Federation configuration with Active Directory.

If you enable the “Import Users” option, the LDAP provider automatically synchronizes the required LDAP users. It is important to configure the Sync Settings. For more details, refer to the LDAP integration section.

Sync Settings


In Keycloak LDAP federation, the user must exist in Keycloak (through LDAP federation) as well as in SAS.

Custom LDAP Mapper

LDAP Mappers sync additional LDAP user attributes with Keycloak user attributes. Keycloak user attributes can also be used in the Authentication flow: to pass a different attribute as the User Name, or as additional return attributes or mappers for the authentication flow.

Configure SAS User Federation

Keycloak can retrieve all the user information it requires from the SafeNet Keycloak Agent, and therefore indirectly from the SAS PCE. There is no need for the customer to configure sync or federation between Keycloak and the customer's LDAP directory. The user can authenticate with their SAS userid, but also with any of the aliases configured in SAS.

Figure: System diagram for SAS User Federation

There are two ways to configure SAS User Federation:

  1. Keycloak Admin Console UI

  2. Realm JSON File (SafeNetOtpRealm.json)

Set up SAS User Federation via Keycloak Admin Console UI

Follow the steps to provide settings from Keycloak Admin Console UI:

  1. Go to the User Federation tab and select the sas-user-provider option from the drop-down list.

    If any other Federation is already configured, the drop-down appears on the right side.

  2. Provide the values for Agent BSID Key, Token Validator URL, SAS API Base URL, Org Code, and SAS API JWT Token, and save. The values for these fields are found using the steps provided under the section SAS Configuration Settings used in SafeNet Keycloak Agent.

  3. After saving, a Provider ID is generated, as shown in the screenshot below.

Set up SAS User Federation via Realm JSON file

Because the values of agent.bsidkey and sas.api.jwt.token are long and are not supported directly in Keycloak, copy each value into a file and provide the file path in the settings below.

For Windows, when copying file paths into the JSON, comply with JSON syntax by using "\\" instead of "\" in the path.

  1. Provide the values for Agent Bsid Key, Token Validator URL, SAS API Base URL, Org Code, SAS API JWT Token and OTP Auto Trigger Enabled in the realm JSON file (SafeNetOtpRealm.json). The values for these fields can be found using the steps provided under the section SAS Configuration Settings used in SafeNet Keycloak Agent.

    otp.autotrigger.enabled is an optional field. If set to true, a challenge is automatically generated for the enrolled token.

  2. Use the above realm JSON file (SafeNetOtpRealm.json) to create a new realm in Keycloak.

  3. Select the saved file SafeNetOtpRealm.json.

  4. Provide an appropriate name for the realm and click the Create button. The realm is created.

  5. To enable SAS User Federation for this realm, go to the User Federation tab and select the sas-user-provider option from the drop-down list.

  6. Save without providing any values, as the same settings have already been provided in the realm JSON file (SafeNetOtpRealm.json).

  7. There is no need to provide any configuration settings for the Authentication Flows.

    Settings provided in the Keycloak Admin UI override the settings from the realm JSON file (SafeNetOtpRealm.json).
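A pre-flight check for the realm JSON settings described above, as an added example that is not the agent's own code: it rejects the unescaped Windows backslash the note above warns about, requires file paths for the two long values, checks the SAS API Base URL against the http(s)://<SAS IP>/SAS template, and, when given the contents of the JWT file, checks that the token has not expired. The flat key layout and the key name sas.api.base.url are assumptions; the sample fragments and the token are constructed.

```python
# Pre-flight checks for the SAS User Federation settings in SafeNetOtpRealm.json.
# Added example; the flat key layout and the name sas.api.base.url are assumptions.
import base64, json, re, time

BASE_URL_RE = re.compile(r"^https?://[^/\s]+/SAS$")  # page template: http(s)://<SAS IP>/SAS

# Constructed fragments: in JSON a Windows path needs "\\"; a single "\" is rejected.
GOOD_FRAGMENT = (r'{"agent.bsidkey": "C:\\keycloak\\agent.bsidkey",'
                 r' "sas.api.jwt.token": "C:\\keycloak\\sas_api_jwt.txt",'
                 r' "sas.api.base.url": "https://sas.example.net/SAS",'
                 r' "otp.autotrigger.enabled": "true"}')
BAD_FRAGMENT = r'{"agent.bsidkey": "C:\keycloak\agent.bsidkey"}'  # lone "\" is invalid JSON
# Constructed, unsigned token whose payload is {"exp":1700000000} (2023-11-14 UTC)
SAMPLE_JWT = "eyJhbGciOiJub25lIn0.eyJleHAiOjE3MDAwMDAwMDB9."


def check_base_url(url):
    """Findings for the SAS API Base URL; an empty list means it looks right."""
    if not BASE_URL_RE.match(url):
        return ["sas.api.base.url must look like http(s)://<SAS IP>/SAS"]
    if url.startswith("http://"):
        return ["sas.api.base.url uses plain http; the SAS API JWT would travel in clear"]
    return []


def jwt_expiry(token):
    """Return the exp claim of a JWT (payload decoded, signature NOT verified), else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:
        return None
    return claims.get("exp") if isinstance(claims, dict) else None


def check_realm_json(text, jwt_text=None, now=None):
    """Parse a realm JSON fragment and return a list of problems (empty = ok)."""
    try:
        cfg = json.loads(text)  # a lone backslash in a Windows path fails right here
    except json.JSONDecodeError as e:
        return [f"invalid JSON (unescaped backslash in a Windows path?): {e.msg}"]
    problems = [f"{k} must be the path of a file holding the value"
                for k in ("agent.bsidkey", "sas.api.jwt.token") if not cfg.get(k)]
    problems += check_base_url(cfg.get("sas.api.base.url", ""))
    if cfg.get("otp.autotrigger.enabled", "false") not in ("true", "false"):
        problems.append("otp.autotrigger.enabled must be true or false")
    if jwt_text is not None:  # contents of the sas.api.jwt.token file, when available
        exp = jwt_expiry(jwt_text)
        if exp is None or exp < (time.time() if now is None else now):
            problems.append("sas.api.jwt.token file does not hold an unexpired JWT")
    return problems
```

Run check_realm_json on the fragment you intend to import, passing the contents of the JWT file as jwt_text, and fix every reported problem before creating the realm.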

SAS Configuration Settings used in SafeNet Keycloak Agent

Follow the steps below to find the values for Agent BSID Key, Token Validator URL, SAS API Base URL, Org Code, and SAS API JWT Token.

Agent BSID Key and Token Validator URL can be found by the following steps:

  1. Go to Virtual Server tab > Comms > Authentication Processing > Authentication Agent Settings.

  2. Click the Download button to download the Agent BSID Key.

  3. Copy Token Validator URL as shown below.

SAS API JWT Token can be found by the following steps:

  1. Go to System tab > Setup > Agent Communication with JWT token.

  2. Go to EnableGenerate and copy the generated JWT by clicking Apply.

Org Code is taken from the Token Validator URL, as highlighted below.

SAS API Base URL can be prepared as given below:

http(s)://<SAS IP>/SAS

<SAS IP> can also be the hostname of the SAS server.