search
ProductsCommunityGitHubShare Feedback

IAM / KeyCloak integration

Since the IDP Kit is compliant with the well adopted OpenID Connect standard for identity provision, it can be easily integrated, as a federated identity provider, with third party Identity and Access Management systems (IAM), such as KeyCloakarrow-up-right.

In this section I will demonstrate how to configure KeyCloak to use the IDP Kit as an external identity provider and thus enable authentication via SSI with just a few configuration changes.

hashtag
Client registration

For simplicity I assume that all basic configuration aspects regarding OIDC Manager and SIOP Manager and general IDP Kit configuration have already been configured according to the requirements.

Next, we need to register the KeyCloak server with the IDP Kit as an OIDC client.

In this example I will use the command line interface to register a new client like so:

waltid-idpkit config --oidc clients register -r https://keycloak.walt-test.cloud/realms/master/broker/waltid-idpkit/endpoint

The command prints the client registration information, from which I need to copy the client_id and client_secret:

{
    [...]
    "redirect_uris":[
        "https:\/\/keycloak.walt-test.cloud\/realms\/master\/broker\/waltid-idpkit\/endpoint"
    ],
    "client_secret":"T38g9qLmw3PboO0zbesyDFNXATrC6R6u-cMQ62g-lWE",
    [...]
    "client_id":"4RxVuuOJOiunktpehKdrT28sA4vbLFQc40eY5DlC_SE"
}

Refer to the KeyCloak documentation, to find out the proper values for the redirection URIs in your setup.

circle-info

To register the client at runtime, you can also make use of the dynamic client registration API.

hashtag
KeyCloak configuration

Now we can configure KeyCloak to connect to the IDP Kit.

To do so, login to the KeyCloak administration console with your admin credentials and navigate to the realm, for which you want to apply the configuration.

hashtag
External identity provider

  • Navigate to the Identity Providers section in the left menu bar, open the "Add provider..." drop-down menu and choose "OpenID Connect v1.0":

KeyCloak Identity Providers

  • Fill in Alias and Display Name according to how you want the IDP Kit to be referred to in the Login UI:

KeyCloak IDP Name and Alias

  • Scroll down to Import External IDP Config and enter the URL of the well-known OIDC discovery document of the IDP Kit and click import. For our IDP Kit test deployment, the URL would be:

https://idp.walt-test.cloud/api/oidc/.well-known/openid-configuration

KeyCloak IDP import

  • On import, the required endpoints are automatically filled in.

  • Next we need to provide the client authentication details.

    • Scroll to the Client Authentication input field and choose Client secret sent as basic auth.

    • Then fill in Client ID and Client Secret with the values obtained from the client registration.

KeyCloak client authentication

  • In order to get properly mapped user data from the IDP Kit, we need to define the OIDC scopes to be used for the authorization request.

    • Choose: openid profile

KeyCloak client authentication

  • Save the IDP configuration

  • Now continue with configuring your client application to connect to KeyCloak as authorization server, like usual.

PreviousSign-in with Algorand (SIWA)NextOpen Source | Always Free

Last updated

Was this helpful?