Applies to: Denodo 8.0
Last modified on: 22 Jun 2021
Tags: Administration, Keycloak, OpenID, SAML, SSO, Security, Solution Manager
In this document you will learn how to configure Keycloak, an open source identity and access management solution, as an Identity Provider (IdP) for the Denodo Solution Manager.
NOTE: This document only applies to Denodo 8.0.
The first thing to do on the Keycloak side is to create the following elements:
Log in to your Keycloak server.
You will be redirected to the home page, where the default realm “Master” is selected. Click on the arrow to the right of the default “Master” realm and click on “Add realm” to create a new one.
We will create a realm named “denodo80”.
In order to create a new Role, go to the left panel and click on “Roles”.
We will create a role named “myrole”. Note that we will need to create a role with the same name in the Denodo Solution Manager later.
To create a new user, go to the left panel again and click on “Users” and then “Add user”.
We will create a user named “denodo” as follows:
Note that, when saved, new tabs will appear to configure additional aspects of the user.
Go to the “Role Mappings” tab and assign “myrole” to the user.
Go to the “Credentials” tab and set a password for the new user.
Click on “Set Password” and your user is ready.
Log in to your Solution Manager as administrator and create a new role with the same name as the Keycloak role.
Click on “New” to create a new role.
Create the role as follows and click on “Save”.
Finally, we will need to assign existing roles to the new role.
To keep things simple, we will just assign the “global_admin” role to “myrole”.
Click on “Save” and the role is now available.
In order to register a client using OpenID go to the left panel and click on “Clients”. Then click on the “Create” button.
We will create a client called “denodo80” with “openid-connect” as “Client Protocol”. Leave the “Root URL” blank and click on “Save”.
Once the client has been created, a new form with different tabs will be displayed to complete the configuration of the client.
In the “Settings” tab enter the following information:
Click on “Save” after filling the form.
The next step to configure the client is to include new “Mappers” to define the tokens that Keycloak and the Denodo Solution Manager will handle. Click on the “Mappers” tab and press the “Add Builtin” button.
Apart from the current “Client IP Address”, “Client Host” and “Client ID” mappers, we will include:
After including the new “Mappers” the configuration should look like this:
With this, the Keycloak side is configured. We just need to get some information that will be used in the Denodo Solution Manager configuration.
In the Client details, click on the “Credentials” tab to get the Secret.
Go to “Realm Settings” on the left panel and click on “OpenID Endpoint Configuration” to open the details of the connection, where the endpoints are listed.
Save the data displayed, as we will need it to complete the Solution Manager configuration.
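As an added example (not part of the original Denodo article), the Python below checks the document behind “OpenID Endpoint Configuration” before its values are copied into the Solution Manager. The sample document is constructed for the “denodo80” realm on the localhost:7070 host used on this page, and the choice of required fields and the function name `check_discovery` are assumptions.

```python
from urllib.parse import urlsplit

BASE = "http://localhost:7070/auth/realms/denodo80"
# Constructed sample: fields a Keycloak realm publishes in its OpenID
# discovery document, already parsed from JSON (e.g. with json.load()).
SAMPLE_DISCOVERY = {
    "issuer": BASE,
    "authorization_endpoint": BASE + "/protocol/openid-connect/auth",
    "token_endpoint": BASE + "/protocol/openid-connect/token",
    "userinfo_endpoint": BASE + "/protocol/openid-connect/userinfo",
    "jwks_uri": BASE + "/protocol/openid-connect/certs",
}
# Assumption: these are the values worth checking before filling an SSO form.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def check_discovery(doc, expected_realm):
    """Return (endpoints, findings); an empty findings list means nothing to review."""
    findings = [f"missing field: {key}" for key in REQUIRED if not doc.get(key)]
    if findings:
        return {}, findings
    endpoints = {key: doc[key] for key in REQUIRED}
    issuer = endpoints["issuer"].rstrip("/")
    # The issuer must name the realm created for Denodo, not another realm.
    if not issuer.endswith("/realms/" + expected_realm):
        findings.append(f"issuer does not end in /realms/{expected_realm}")
    origin = urlsplit(issuer)
    for name, url in endpoints.items():
        parts = urlsplit(url)
        # An endpoint served from a different origin than the issuer needs review.
        if (parts.scheme, parts.netloc) != (origin.scheme, origin.netloc):
            findings.append(f"{name}: origin differs from issuer")
        # Authorization codes, tokens and the client secret travel over these
        # URLs; plain HTTP is only acceptable on a loopback test setup.
        if parts.scheme != "https" and parts.hostname not in LOOPBACK:
            findings.append(f"{name}: plain HTTP on a non-loopback host")
    return endpoints, findings


if __name__ == "__main__":
    endpoints, findings = check_discovery(SAMPLE_DISCOVERY, "denodo80")
    for name, url in endpoints.items():
        print(f"{name:<24}{url}")
    print("findings:", findings or "none")
```
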
Access your Solution Manager web administration tool as administrator and go to “Configuration” > “Authentication”.
Expand the “Single Sign On Configuration” and fill the form as follows:
Where:
In order to register a client using OpenID go to the left panel and click on “Clients”. Then click on the “Create” button.
The first step to create the client is to fill the Client ID pointing to the client application we want to connect to Keycloak, in this case the Solution Manager.
In this case, we have our Denodo Solution Manager deployed in our server using the default configuration.
Click on “Save” and a new form will be created to complete the configuration of the application.
You can configure the client as follows:
In the “Fine Grain SAML Endpoint Configuration” section:
Now, click on the “Realm Settings” section and click on “SAML 2.0 Identity Provider Metadata”.
This will open a new tab in your browser with the description of the IdP.
Save the URL as it will be used in the Solution Manager configuration.
This XML contains a description of the service and will be used by Solution Manager.
Now it is time to configure the Solution Manager.
Access your Solution Manager web administration tool as administrator and go to “Configuration” > “Authentication”.
Expand the “Single Sign On Configuration” and fill the form as follows:
http://<solution_manager_host>:<port>/saml
http://<solution_manager_host>:<port>/SSO
http://localhost:7070/auth/realms/denodo80/protocol/saml/descriptor
Where “denodo80” is the name of the realm created before. The URL can be obtained in the Realm details page.
Click on “Save” and the Solution Manager configuration is completed.
Click on “Single Sign On” and the Keycloak login page will be displayed.
Authenticating with Single Sign-On