User Federation Setup
Once the realm is configured, the next step is to configure the users for the realm.
In the Keycloak realm, you can federate multiple LDAP servers. It allows mapping of LDAP user attributes to the Keycloak common user model. By default, it maps username, email, first name, and last name, but you can configure additional mappings as well.
To configure User Federation:
- Navigate to the Keycloak UI Admin Console.
- Click the User Federation setting in the left pane.
- The User Federation configuration page is displayed.
- User Federation can be configured through LDAP User Federation or SAS User Federation. Choose either configuration.
Configure LDAP User Federation
Keycloak comes with a built-in LDAP/AD provider. The LDAP provider also supports password validation through LDAP/AD protocols.
System diagram for LDAP User Federation
To configure a federated LDAP:
- Navigate to the Keycloak UI Admin Console.
- Click the User Federation setting in the left pane.
- The User Federation configuration page is displayed. Select ldap from the Add Provider drop-down list. The LDAP configuration page opens.
For the full LDAP configuration, refer to the Keycloak Server Administrator Guide.
The example below shows sample settings for a User Federation configuration with Active Directory.
If you enable the “Import Users” option, the LDAP provider automatically synchronizes the required LDAP users. It is important to configure the Sync settings. For more details, refer to Sync of LDAP users to Keycloak.
Sync Settings
In Keycloak LDAP federation, the user must exist in Keycloak (through LDAP federation) as well as in SAS.
Custom LDAP Mapper
LDAP Mappers sync additional LDAP user attributes to Keycloak user attributes. Keycloak user attributes can also be used in the authentication flow: to pass a different attribute as the user name, or as additional return attributes or mappers for the authentication flow.
Configure SAS User Federation
Keycloak can retrieve all user information it requires from the SafeNet Keycloak Agent, and therefore indirectly from the SAS PCE. There is no need for the customer to configure sync or federation between Keycloak and the customer directory LDAP. The user can authenticate with their SAS userid but also with any of the aliases configured in SAS.
System diagram for SAS User Federation
There are two ways to configure SAS User Federation:
- Keycloak Admin Console UI
- Realm JSON File (SafeNetOtpRealm.json)
Set up SAS User Federation via Keycloak Admin Console UI
Follow these steps to provide the settings from the Keycloak Admin Console UI:
- In the left pane, select the User Federation tab and click the Add Sas-user-provider option. If any other federation is already configured, the drop-down appears on the left side.
- Enter the required values and click Save. Values for these fields are found using the steps provided under SAS Configuration Settings used in SafeNet Keycloak Agent.
Set up SAS User Federation via Realm JSON file
Because the values for agent.bsidkey and sas.api.jwt.token are long and cannot be entered directly in Keycloak, copy each value into a file and provide the file path in the settings below.
For Windows, when copying file paths into the JSON, comply with JSON syntax by using "\\" instead of "\" in the path.
- Provide the values for Agent Bsid Key, Token Validator URL, SAS API Base URL, Org Code, SAS API JWT Token and OTP Auto Trigger Enabled in the realm JSON file (SafeNetOtpRealm.json). Values for these fields can be found using the steps provided under the section SAS Configuration Settings used in SafeNet Keycloak Agent.
  otp.autotrigger.enabled is an optional field. If set to true, the challenge is automatically generated for the enrolled token.
- Use the above realm JSON file (SafeNetOtpRealm.json) to create a new realm in Keycloak.
- Select the saved file SafeNetOtpRealm.json.
- Provide an appropriate name for the realm and click the Create button to create a new realm.
- To enable SAS User Federation for this realm, select the User Federation tab in the left pane and click the sas-user-provider option.
- Click Save to save the settings already provided in the realm JSON file (SafeNetOtpRealm.json).
Settings provided in the Keycloak Admin UI override the settings from the realm JSON file (SafeNetOtpRealm.json).
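As an added example (not the agent's shipped SafeNetOtpRealm.json, nor Keycloak project code), the following Python builds a minimal realm JSON carrying the sas-user-provider component in the realm-export layout Keycloak uses for user storage providers, shows how json.dumps produces the "\\" form required for Windows paths, and checks the two secret files referenced by path. The sample file paths are constructed; the keys for Token Validator URL, SAS API Base URL and Org Code are not listed on this page, so the example leaves them to be copied from the shipped realm file.

```python
import json
import os
from pathlib import Path

# Constructed sample values: Windows paths to the files holding the long
# agent.bsidkey and sas.api.jwt.token values (not real secrets).
SAMPLE_CONFIG = {
    "agent.bsidkey": r"C:\keycloak\secrets\agent.bsidkey",
    "sas.api.jwt.token": r"C:\keycloak\secrets\sas_api_jwt.txt",
    "otp.autotrigger.enabled": "true",
    # Token Validator URL, SAS API Base URL and Org Code go in this same map
    # under the key names used by the shipped SafeNetOtpRealm.json.
}

PROVIDER_TYPE = "org.keycloak.storage.UserStorageProvider"

def render_realm_json(realm_name, config):
    """Minimal realm holding only the sas-user-provider component, in the
    realm-export layout Keycloak uses for user storage providers (assumed)."""
    component = {
        "name": "sas-user-provider",
        "providerId": "sas-user-provider",
        "providerType": PROVIDER_TYPE,
        # Keycloak stores every component config value as a one-element list.
        "config": {key: [str(value)] for key, value in config.items()},
    }
    realm = {"realm": realm_name, "enabled": True,
             "components": {PROVIDER_TYPE: [component]}}
    # json.dumps doubles every backslash, so a path typed as C:\keycloak is
    # written to the file as C:\\keycloak, the form JSON syntax requires.
    return json.dumps(realm, indent=2)

def load_provider_config(realm_text):
    """Read the provider config back from realm JSON text, unwrapping lists."""
    component = json.loads(realm_text)["components"][PROVIDER_TYPE][0]
    return {key: values[0] for key, values in component["config"].items()}

def check_secret_files(config):
    """Return problems with the two secret files: missing, or (on POSIX)
    readable by group/others. An empty list means they look fine."""
    problems = []
    for key in ("agent.bsidkey", "sas.api.jwt.token"):
        path = Path(config[key])
        if not path.is_file():
            problems.append(f"{key}: file not found: {path}")
        elif os.name == "posix" and path.stat().st_mode & 0o077:
            problems.append(f"{key}: {path} is readable by group/others")
    return problems
```

Run check_secret_files before importing the realm so that a missing or world-readable key file is caught before Keycloak starts using it.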
SAS Configuration Settings used in SafeNet Keycloak Agent
Follow the steps below to find the values for Agent BSID Key, Token Validator URL, SAS API Base URL, Org Code, and SAS API JWT Token:
Agent BSID Key and Token Validator URL can be found by the following steps. (These settings are already part of the Administrator Guide.)
- Go to Virtual Server tab > Comms > Authentication Processing > Authentication Agent Settings.
- Click the Download button to download the Agent BSID Key.
- Copy the Token Validator URL as shown below.
SAS API JWT Token can be found by the following steps. (This setting is not part of the Administrator Guide.)
- Go to System tab → Setup → Agent Communication with JWT token.
- Go to Enable → Generate, and copy the generated JWT by clicking Apply.
Org Code is taken from the Token Validator URL as highlighted below.
SAS API Base URL can be prepared as given below:
http(s)://<SAS IP>/SAS
<SAS IP> could also be the hostname of the SAS server.