Products Community GitHub Share Feedback

IAM / KeyCloak integration

PreviousSign-in with Algorand (SIWA)NextOpen Source | Always Free

Last updated 1 month ago

Was this helpful?

IAM / KeyCloak integration

Since the IDP Kit is compliant with the well adopted OpenID Connect standard for identity provision, it can be easily integrated, as a federated identity provider, with third party Identity and Access Management systems (IAM), such as .

In this section I will demonstrate how to configure KeyCloak to use the IDP Kit as an external identity provider and thus enable authentication via SSI with just a few configuration changes.

Client registration

For simplicity I assume that all basic configuration aspects regarding and and general have already been configured according to the requirements.

Next, we need to register the KeyCloak server with the IDP Kit as an OIDC client.

In this example I will use the command line interface to like so:

waltid-idpkit config --oidc clients register -r https://keycloak.walt-test.cloud/realms/master/broker/waltid-idpkit/endpoint

The command prints the client registration information, from which I need to copy the client_id and client_secret:

{
    [...]
    "redirect_uris":[
        "https:\/\/keycloak.walt-test.cloud\/realms\/master\/broker\/waltid-idpkit\/endpoint"
    ],
    "client_secret":"T38g9qLmw3PboO0zbesyDFNXATrC6R6u-cMQ62g-lWE",
    [...]
    "client_id":"4RxVuuOJOiunktpehKdrT28sA4vbLFQc40eY5DlC_SE"
}

Refer to the KeyCloak documentation, to find out the proper values for the redirection URIs in your setup.

KeyCloak configuration

Now we can configure KeyCloak to connect to the IDP Kit.

To do so, login to the KeyCloak administration console with your admin credentials and navigate to the realm, for which you want to apply the configuration.

External identity provider

Navigate to the Identity Providers section in the left menu bar, open the "Add provider..." drop-down menu and choose "OpenID Connect v1.0":

Fill in Alias and Display Name according to how you want the IDP Kit to be referred to in the Login UI:

Scroll down to Import External IDP Config and enter the URL of the well-known OIDC discovery document of the IDP Kit and click import. For our IDP Kit test deployment, the URL would be:

https://idp.walt-test.cloud/api/oidc/.well-known/openid-configuration

On import, the required endpoints are automatically filled in.
Next we need to provide the client authentication details.
- Scroll to the Client Authentication input field and choose Client secret sent as basic auth.

In order to get properly mapped user data from the IDP Kit, we need to define the OIDC scopes to be used for the authorization request.
- Choose: openid profile

Save the IDP configuration
Now continue with configuring your client application to connect to KeyCloak as authorization server, like usual.