Integrate SAS PCE as an Authentication Server with an OIDC Service Provider Application
Integrating SAS PCE as an authentication server with an OIDC service provider (SP) application is a three-step process: set up the identity provider (Keycloak), configure the OIDC SP application, and verify authentication.
Identity Provider (Keycloak) Setup
Perform the following steps to configure the IdP (for example, Keycloak):
- Log into Keycloak as an administrator.
- On the administrator console, select your realm (for example, SASPCE).
- In the left pane, under Configure, click Clients, and in the right pane, click Create.
- Under Add Client, perform the following steps:
  - In the Client ID field, enter a client ID. This ID is an alphanumeric string that identifies the client in OIDC requests.
  - In the Client Protocol field, select openid-connect.
  - Click Save. The client is created.
- On the Settings tab, perform the following steps:
  - In the Name field, enter a name of your choice for the client application. This is the display name of your client application.
  - In the Access Type field, select public or confidential, as your application requires.
  - In the Valid Redirect URI field, enter the redirect URL of the application. Users are redirected to this URL after successful authorization. This field accepts multiple URLs; click + to add an additional URI. An asterisk (*) is supported as a wildcard character at the end of the value to accept redirection to any URL that fits the same base pattern. For example: https://abc.com/*
- Click Save to complete the configuration. You can enter or modify the values of the rest of the fields as your service provider application requires.
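The Valid Redirect URI rule above (exact match, or prefix match when the entry ends with an asterisk) is easy to get wrong when reviewing a client's configuration. The following is an added example, not Keycloak's own code: it models that rule as the page states it and adds a small review helper that reports how broad each wildcard entry is. The function names and the registered entries are constructed for illustration.

```python
"""Model of the Valid Redirect URI rule described in the setup steps:
an entry matches a redirect URI exactly, unless the entry ends with '*',
in which case it matches any URI that begins with the text before the '*'.

Added example; not Keycloak's implementation. Names and sample entries are
assumptions made for this illustration.
"""
from urllib.parse import urlsplit


def redirect_uri_allowed(registered: list[str], candidate: str) -> bool:
    """Return True if at least one registered entry accepts `candidate`."""
    for entry in registered:
        if entry.endswith("*"):
            # Wildcard is only honoured at the end: everything before it is a prefix.
            if candidate.startswith(entry[:-1]):
                return True
        elif candidate == entry:
            return True
    return False


def wildcard_scope(entry: str) -> str:
    """Classify how much a registered entry accepts, for reviewing a client.

    'exact'       - no wildcard, a single URI
    'path-prefix' - wildcard below a specific path on one host
    'whole-host'  - wildcard directly under the host root (any path)
    'unbounded'   - no scheme/host before the wildcard, or the host name itself
                    is only a prefix, so other hosts can match as well
    """
    if not entry.endswith("*"):
        return "exact"
    base = entry[:-1]
    parts = urlsplit(base)
    if not parts.scheme or not parts.netloc or parts.path == "":
        return "unbounded"
    if parts.path == "/":
        return "whole-host"
    return "path-prefix"


def review_redirect_entries(registered: list[str]) -> dict[str, str]:
    """Map each registered entry to its scope so broad entries stand out."""
    return {entry: wildcard_scope(entry) for entry in registered}


if __name__ == "__main__":
    # Constructed sample configuration for a client.
    sample = ["https://abc.com/*", "https://sp.example.test/callback"]
    for uri in ("https://abc.com/callback", "https://abc.com/other/path",
                "https://sp.example.test/callback", "https://sp.example.test/callback2"):
        print(uri, "->", redirect_uri_allowed(sample, uri))
    print(review_redirect_entries(sample))
```

Because the prefix for `https://abc.com/*` includes the trailing slash, a URI on a different host that merely starts with `https://abc.com` is not accepted; an entry written without that slash, or with no host at all, is flagged as unbounded by the review helper.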
OIDC Service Provider Application Configuration
Perform the following steps to configure an OIDC SP application:
- Obtain the OIDC endpoint configuration from Keycloak by performing the following steps:
  - On the administrator console, under Configure, click Realm Settings.
  - In the right pane, on the General tab, in the Endpoints field, select OpenID Endpoint Configuration. You are redirected to a separate page that displays the information used to configure the OIDC application.
  - Copy the information and paste it into a text editor.
- Configure the IdP in your SP application using the information copied in the previous step.
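The information on the OpenID Endpoint Configuration page is a standard OIDC discovery document. The following is an added example, not code from the SafeNet agent or any SP product, showing how an SP consumes that document: it picks out the endpoints it needs, builds the authorization request that sends the user to SAS PCE, and checks the state value on the way back. The discovery JSON, host name, client ID and redirect URI are constructed stand-ins; only the realm name SASPCE comes from this page.

```python
"""Use the copied OpenID Endpoint Configuration to configure an SP.

Added example; not part of the SafeNet Keycloak Agent or any SP. The JSON
below is a constructed stand-in for what the Keycloak page displays, and the
host, client and redirect values are assumptions.
"""
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample of the discovery document (shape follows OIDC Discovery).
DISCOVERY_JSON = """{
  "issuer": "https://idp.example.test/realms/SASPCE",
  "authorization_endpoint": "https://idp.example.test/realms/SASPCE/protocol/openid-connect/auth",
  "token_endpoint": "https://idp.example.test/realms/SASPCE/protocol/openid-connect/token",
  "jwks_uri": "https://idp.example.test/realms/SASPCE/protocol/openid-connect/certs",
  "end_session_endpoint": "https://idp.example.test/realms/SASPCE/protocol/openid-connect/logout",
  "response_types_supported": ["code", "id_token", "code id_token"],
  "code_challenge_methods_supported": ["plain", "S256"]
}"""

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def load_idp_config(raw: str) -> dict:
    """Parse the pasted document and keep the fields the SP needs.

    A document missing any required endpoint is rejected outright rather than
    silently producing a half-configured IdP entry.
    """
    doc = json.loads(raw)
    missing = [k for k in REQUIRED if k not in doc]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    cfg = {k: doc[k] for k in REQUIRED}
    cfg["end_session_endpoint"] = doc.get("end_session_endpoint")
    cfg["pkce_s256"] = "S256" in doc.get("code_challenge_methods_supported", [])
    return cfg


def pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, S256 code_challenge) for one authorization request."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorization_request(cfg: dict, client_id: str, redirect_uri: str,
                                scope: str = "openid") -> tuple[str, dict]:
    """Build the URL that sends the user to the IdP (authorization code flow).

    Returns (url, session_state); session_state must be stored server-side
    for this browser session so the callback can be tied back to it.
    """
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    verifier, challenge = pkce_pair()
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must be one of the client's Valid Redirect URIs
        "scope": scope,
        "state": state,
        "nonce": nonce,
    }
    if cfg["pkce_s256"]:  # advertise PKCE only when the IdP supports S256
        params["code_challenge"] = challenge
        params["code_challenge_method"] = "S256"
    url = cfg["authorization_endpoint"] + "?" + urlencode(params)
    return url, {"state": state, "nonce": nonce, "code_verifier": verifier}


def parse_callback(callback_url: str, session_state: dict) -> str:
    """Validate the redirect back from the IdP and return the authorization code.

    The state must equal the one issued for this session; otherwise the
    callback does not belong to the login this SP started.
    """
    qs = parse_qs(urlsplit(callback_url).query)
    if qs.get("state", [None])[0] != session_state["state"]:
        raise ValueError("state mismatch: callback does not belong to this login")
    if "error" in qs:
        raise ValueError(f"IdP returned error {qs['error'][0]}")
    return qs["code"][0]


if __name__ == "__main__":
    cfg = load_idp_config(DISCOVERY_JSON)
    url, sess = build_authorization_request(cfg, "sp-client", "https://sp.example.test/callback")
    print("redirect user to:", url)
    # Constructed callback as the IdP would send it after successful authentication.
    code = parse_callback(f"https://sp.example.test/callback?code=abc123&state={sess['state']}", sess)
    print("authorization code:", code)
```

The code the SP receives is then exchanged at `token_endpoint` together with `code_verifier`, and the resulting ID token is verified against the keys at `jwks_uri` and the `issuer` value; those steps need a network client and are left out here.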
Verify Authentication
Service Provider Initiated Login
Navigate to the Service Provider URL. You are redirected to SAS PCE for authentication according to your selected flow.
Enter your login credentials; after successful authentication you are logged into the application.
For more information on the SafeNet authentication flows, go to SafeNet Authentication Flows provided by SafeNet Keycloak Agent.
Enabling Single Sign-On for Applications
Perform the following steps to enable Single Sign On (SSO) for your applications:
- On the Keycloak administrator console, in the left pane, under Configure, click Authentication.
- In the right pane, under Authentication, select a SafeNet flow of your choice (for example, SafeNet OTP Flow), and replicate the configuration shown in the screenshot below.
- Now try to access multiple applications in the same browser; SSO should work seamlessly.