Create OIDC federation for Keycloak
- Configure federation on the Keycloak side.
- Create federation on the Servercore side.
- Add the Servercore federation ID to the Keycloak federation.
- If you enabled automatic user creation when creating the federation on the Servercore side, configure user group mapping.
1. Configure federation on the Keycloak side
1. In the Keycloak control panel, log in to the administrator account (Administration Console).
2. Go to the Clients section.
3. Click Create client.
4. At the General Settings step:
   4.1. In the Client type field, select OIDC.
   4.2. In the Client ID field, enter an identifier for the client that the application will use as the authorization server name, for example, mobile-client-v1.4.3. Click Next.
5. At the Capability Config step:
   5.1. Enable the Client Authentication toggle.
   5.2. In the Authentication flow block, select Standard flow.
   5.3. Click Next.
6. At the Login settings step:
   6.1. In the Home URL field, enter https://my.servercore.com/federated-login.
   6.2. In the Valid Redirect URIs field, enter https://api.servercore.com/v1/auth/federations/oidc/*.
   6.3. Click Save.
2. Create federation on the Servercore side
1. In the control panel top menu, click IAM.
2. Go to the Federations section.
3. Click Add federation and select OpenID Connect (OIDC).
4. In the Federation settings block:
   4.1. Enter the federation name.
   4.2. Optional: enter the federation description.
   4.3. Change the session lifetime or leave the default value (24 hours). The session lifetime defines how long a user remains authorized without having to re-authenticate. You can specify a value from 1 to 720 hours.
   The session lifetime can also be set on the Keycloak provider side in the SSO Session Max or Assertion Lifespan parameter. If the session lifetime is set both in the federation settings and in Keycloak, the smaller value applies.
5. In the IdP settings block:
   5.1. In the IdP Issuer field, enter the identity provider identifier: props.IdIssuer, where <idp_url> is your IdP URL.
   5.2. In the Client ID field, enter the identifier that you specified in the Client ID field when configuring the federation on the identity provider side at stage 1, step 4.2.
   5.3. In the Client Secret field, enter the secret; it can be viewed in the Keycloak control panel under Client → Client secret.
   5.4. In the Auth URL field, enter the link to the identity provider login page to which users will be redirected for authentication via SSO: props.AuthUrl, where <idp_url> is your IdP URL.
   5.5. In the Token URL field, enter the token endpoint: props.TokenUrl, where <idp_url> is your IdP URL.
   5.6. In the JWKS URI field, enter the endpoint that serves the signing certificates: props.JwskUri, where <idp_url> is your IdP URL.
   5.7. To create users automatically upon their first login to the control panel via SSO, select the Auto-create users checkbox.
   If the checkbox is selected, you must configure user group mapping. Users will be created with the permissions you specify during mapping configuration. If auto-creation is enabled without configuring mapping, users will be created without permissions and will not have access to the control panel.
   If you do not select the Auto-create users checkbox, you will need to add users manually.
6. Click Create Federation.
3. Add the Servercore federation ID to the Keycloak federation
1. In the Keycloak control panel, log in to the administrator account (Administration Console).
2. Go to the Clients section.
3. Open the page for the client you created when configuring federation in step 1.
4. In the Valid Redirect URIs field, enter https://api.servercore.com/v1/auth/federations/oidc/<federation_id>/callback, where <federation_id> is the federation ID on the Servercore side. It can be found in the control panel: in the top menu, click IAM → Federations → federation row → ID.
5. Click Save.
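The IdP settings entered in step 2 and the redirect URI tightened in step 3 can be checked before they are typed into the control panel. The script below is an added example, not Servercore's or Keycloak's code: it maps a Keycloak discovery document (a constructed sample with placeholder hostnames) onto the IdP settings fields, rejects endpoints that do not sit under the expected issuer over HTTPS, builds the exact callback URI for a federation ID, applies Keycloak's trailing-`*` redirect matching, and computes the effective session lifetime as the smaller of the two configured values.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of what Keycloak serves at
# <idp_url>/realms/<realm>/.well-known/openid-configuration (hostnames are placeholders).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.test/realms/demo",
    "authorization_endpoint": "https://idp.example.test/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.test/realms/demo/protocol/openid-connect/token",
    "jwks_uri": "https://idp.example.test/realms/demo/protocol/openid-connect/certs",
})

SERVERCORE_CALLBACK_PREFIX = "https://api.servercore.com/v1/auth/federations/oidc/"


def idp_settings_from_discovery(discovery_json, expected_issuer):
    """Map a discovery document onto the Servercore IdP settings fields.
    The issuer must equal the one the admin expects, and every endpoint must be
    HTTPS on the same origin as the issuer; anything else is rejected."""
    doc = json.loads(discovery_json)
    if doc["issuer"] != expected_issuer:
        raise ValueError("issuer mismatch: %r != %r" % (doc["issuer"], expected_issuer))
    origin = urlsplit(expected_issuer)[:2]  # (scheme, netloc)
    fields = {
        "IdP Issuer": doc["issuer"],
        "Auth URL": doc["authorization_endpoint"],
        "Token URL": doc["token_endpoint"],
        "JWKS URI": doc["jwks_uri"],
    }
    for name, url in fields.items():
        parts = urlsplit(url)
        if parts.scheme != "https" or parts[:2] != origin:
            raise ValueError("%s %r is not under the issuer origin over HTTPS" % (name, url))
    return fields


def callback_uri(federation_id):
    """Exact redirect URI to register in Keycloak once the federation ID is known."""
    return SERVERCORE_CALLBACK_PREFIX + federation_id + "/callback"


def matches_keycloak_redirect(uri, pattern):
    """Keycloak treats a trailing '*' in Valid Redirect URIs as a prefix wildcard;
    any other pattern must match the redirect URI exactly."""
    if pattern.endswith("*"):
        return uri.startswith(pattern[:-1])
    return uri == pattern


def effective_session_hours(federation_hours, keycloak_sso_session_max_hours):
    """The shorter configured lifetime wins; the federation value must be 1..720 h."""
    if not 1 <= federation_hours <= 720:
        raise ValueError("federation session lifetime must be between 1 and 720 hours")
    return min(federation_hours, keycloak_sso_session_max_hours)
```

Replacing the wildcard with the exact `callback_uri(...)` value, as step 3 does, means only that one URI passes `matches_keycloak_redirect`.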
4. Configure user group mapping
You must configure group mapping if you enabled automatic user creation when creating the federation on the Servercore side in step 2. Use the Configure group mapping subsection of the User group mapping documentation.