SSO for JSM Customers using Keycloak as OAuth Provider

Follow the following steps to configure Keycloak as IdP to achieve Keycloak SSO

 Pre-requisites : Download And Installation

• First of all, Download Keycloak and install it.
• Start the keycloak server based on your keycloak version. (See table below)

 Configure Keycloak as IdP

• Navigate to the plugin configuration page, click the "Add New Provider" button (located either in the middle or top-right corner), select Keycloak as the application, and copy the callback URL from the plugin and keep it handy, as you'll need it to configure Keycloak as the OAuth provider.

• Add Realm : Now login to keycloak administration console and navigate to your desired realm. You can add new realm by selecting Add Realm option.


• Create realm: Enter Realm Name and keep the realm name handy as it will required later to configure the Realm under the plugin. Click on CREATE to add realm.


• Create OpenID client: Click on the Clients and choose create to create a new client. Enter client id and select client protocol openeid-connect and select Save.


• Change Access type: After client is created change its access type to confidential.


• Enter Valid Redirect URIs: Copy callback URL from plugin and then click on SAVE. Ex -- https:///oauth/callback


• Get Client Secret: Now we need to get client secret. So select Clients and select credentials and copy your secret from here.


• Plugin Configuration: Enter copied Client Secret under Client secret field in the OAuth Client plugin, and enter the Client Name under the Client ID field.
• Add User: We need to add users to realm who will be able to access the resources of realm. Click on the Users and choose to Add a new User.


• User Configuration: After user is created following action needs to be performed on it.
1) Setting a password for it so click on Credentials and set a new Password for the user.




NOTE : Disabling Temporary will make user password permanent.

• Map User: We need to map user to a role. Click on Role Mappings and assign the user desired role from available roles and clicking on add selected.


• Create ROLE: The Role will be used by your applications to define which users will be authorized to access the application. Click on the Roles and choose Add Role.



Step 1.1: Steps to fetch Keycloak Groups [Premium]

• Create groups: Click on the Groups and choose New to create a new group.


• Assign user to group: Select the user whom you want to add in group. Choose Groups option from tab and then select the group-name and click on join.


• Keycloak Group Mapper: Now to get group details we need to perform its client mapping with group membership else group details will not be fetched. So in Client section, select your client and then click on mapper->create.



• Now, select mapper type as Group Membership and enter the name and token claim name i.e the attribute name corresponding to which groups will be fetched. Turn Off the full group path, Add to ID token and Add to access token options, and click on Save.



Note: -- If full path is on group path will be fetched else group name will be fetched.

Step 1.2: Steps to fetch Keycloak Roles [Premium]

• Keycloak Role Mapper: Now to get role details we need to perform its client mapping with role membership else role details will not be fetched. So in Client section, select your client and then click on mapper->create.



• Now, select mapper type as user realm Role Membership and enter the name. and token claim name i.e the attribute name corresponding to which groups will be fetched. Add to ID token and Add to access token options, and click on Save.


• Navigate to the plugin configuration page, click the "Add New Provider" button (located either in the middle or top-right corner), select Keycloak as the application, and copy the callback URL from the plugin and keep it handy, as you'll need it to configure Keycloak as the OAuth provider.

• Add Realm : Now login to keycloak administration console and navigate to your desired realm. You can add new realm by selecting Create Realm option.


• Create realm: Enter Realm Name and keep the realm name handy as it will required later to configure the Realm under the OAuth Client plugin. Click on CREATE to add realm.


• Create OpenID client: Click on the Clients and choose Create Client to create a new client. Enter Client id and select client protocol openeid-connect and Click Next.



• Enable the Client Authentication and Authorization toggle.


• Scroll down to the Access settings and enter your Callback/Redirect URL which you will get from your plugin present on your Client side under the CallBack URLs text-field.


• Go to the Credentials tab, copy the Client Secret and keep it handy as we will require it later while configuring plugin.


• Plugin Configuration: Enter copied Client Secret under Client secret field in the OAuth Client plugin, and enter the Client ID under the Client ID field.
• After Plugin Configurations, go to Client Scopes to configure the Group Mapper and create a client scope.

• Enter Name:- “Group” and Save.

• After saving, click on “Mappers” and configure a new Mapper.

• Select “Group Membership”

• Enter the Name, Token claim name and disable “Full group path” and Save.

• Then go to “Clients” and select your Client ID.

• Go to Client scopes and Add client scope.

• Select the client scope and Add (default).

• Add User: We need to add users to realm who will be able to access the resources of realm. Click on the Users and Click on Create new user to Add a new User.


• User Configuration: After user is created following action needs to be performed on it.
1) Setting a password for it so click on Credentials and set a new Password for the user.




NOTE : Disabling Temporary will make user password permanent.

• Map User: We need to map user to a role. Click on Role Mappings and assign the user desired role from available roles.

x
• Create ROLE: The Role will be used by your applications to define which users will be authorized to access the application. Click on the Roles and choose Create Role.


• Navigate to the plugin configuration page, click the "Add New Provider" button (located either in the middle or top-right corner), select Keycloak as the application, and copy the callback URL from the plugin and keep it handy, as you'll need it to configure Keycloak as the OAuth provider.

• Add Realm : Now login to keycloak administration console and navigate to your desired realm. You can add new realm by selecting Create Realm option.


• Create realm: Enter Realm Name and keep the realm name handy as it will required later to configure the Realm under the OAuth Client plugin. Click on CREATE to add realm.


• Create OpenID client: Click on the Clients and choose Create Client to create a new client. Enter Client id and select client protocol openeid-connect and Click Next.



• Enable the Client Authentication and Authorization toggle.


• Scroll down to the Access settings and enter your Callback/Redirect URL which you will get from your plugin present on your Client side under the CallBack URLs text-field.


• Go to the plugin and copy the Client Secret and keep it handy as we will require it later while configuring plugin.


• Plugin Configuration: Enter copied Client Secret under Client secret field in the plugin, and enter the Client ID under the Client ID field.
• After Plugin Configurations, go to Client Scopes to configure the Group Mapper and create a client scope.

• Enter Name:- “Group” and Save.

• After saving, click on “Mappers” and configure a new Mapper.

• Select “Group Membership”

• Enter the Name, Token claim name and disable “Full group path” and Save.

• Then go to “Clients” and select your Client ID.

• Go to Client scopes and Add client scope.

• Select the client scope and Add (default).

• Add User: We need to add users to r+ealm who will be able to access the resources of realm. Click on the Users and Click on Create new user to Add a new User.


• User Configuration: After user is created following action needs to be performed on it.
1) Setting a password for it so click on Credentials and set a new Password for the user.




NOTE : Disabling Temporary will make user password permanent.

• Map User: We need to map user to a role. Click on Role Mappings and assign the user desired role from available roles.