Introduction
In this document you will learn how to configure Keycloak, an open source identity and access management solution, to use it as an Identity Provider (IdP) for the Denodo Solution Manager:
- In Keycloak we will see how to:
  - Create a Realm in Keycloak.
  - Create a Role.
  - Create a User.
  - Create client applications to authenticate using OpenID Connect and SAML.
- In Denodo we will see how to:
  - Enable single sign-on (SSO) in the Denodo Solution Manager 8.0, using your Keycloak account.
NOTE: This document only applies to Denodo 8.0.
Keycloak configuration
The first thing to do on the Keycloak side is to create the following elements:
- Realm
- Role
- User
Realm creation
Log in to your Keycloak server.
You will be redirected to the home page, where the default realm “Master” is selected. Click on the arrow next to “Master” and then on “Add realm” to create a new one.
We will create a realm named “denodo80”.
Role creation
In order to create a new Role, go to the left panel and click on “Roles”.
We will create a role named “myrole”. Note that we will need to create a role with the same name in the Denodo Solution Manager later.
User creation
To create a new user, go to the left panel again and click on “Users” and then “Add user”.
We will create a user named “denodo” as follows:
Note that, when saved, new tabs will appear to configure additional aspects of the user.
Go to the “Role Mappings” tab and assign “myrole” to the user.
Go to the “Credentials” tab, set a password for the new user and click on “Set Password”. Your user is ready. If you leave the “Temporary” switch on, the user will be asked to change this password at the first login.
Solution Manager configuration
Log in to your Solution Manager as an administrator and create a new role with the same name as the Keycloak role (“myrole”). An SSO user gets the privileges of the Solution Manager roles whose names match the roles received from Keycloak.
Click on “New” to create a new role.
Create the role as follows and click on “Save”.
Finally, we need to assign existing Solution Manager roles to the new role; these are the privileges that an SSO user holding “myrole” will have.
To keep things simple, we will just assign the “global_admin” role to “myrole”. Bear in mind that this grants full administration rights to every Keycloak user with “myrole”; in a production deployment assign only the roles those users actually need.
Click on “Save” and the role is available.
Single Sign-On with OpenID
Keycloak configuration
In order to register a client using OpenID Connect, go to the left panel and click on “Clients”. Then click on the “Create” button.
We will create a client called “denodo80” with “openid-connect” as “Client Protocol”. Leave the “Root URL” blank and click on “Save”.
Once the client has been created, a new form with different tabs will be displayed to complete the configuration of the client.
In the “Settings” tab enter the following information:
- Client ID: denodo80
- Name: denodo80
- Enabled: On
- Always Display in Console: Off
- Consent Required: On
- Display Client On Consent Screen: Off
- Login Theme: Leave blank or select “Base” or “Keycloak”.
- Client Protocol: openid-connect
- Access Type: Confidential
- Standard Flow Enabled: On
- Implicit Flow Enabled: Off
- Direct Access Grants Enabled: Off
- Service Accounts Enabled: On
- OAuth 2.0 Device Authorization Grant Enabled: Off
- Authorization Enabled: On
- Valid Redirect URIs: http://<solution_manager_host>:<port>/sso/sso-openid/openid-login/*
(You can also enter a single * in this field to accept any redirect URI, but only for testing: a wildcard lets anyone who can start a login send the authorization code to a host they control, so restrict the field to the Solution Manager URL in production.)
- Base URL: http://<solution_manager_host>:<port>/sso/sso-openid/openid-login
- Admin URL: http://<solution_manager_host>:<port>/sso/sso-openid/openid-login
- Web Origins: http://<solution_manager_host>:<port>
Click on “Save” after filling the form.
The next step is to add “Mappers” to the client. Mappers define the claims that Keycloak includes in the tokens it issues to the Denodo Solution Manager, which is how the user's roles reach it. Click on the “Mappers” tab and press the button “Add Builtin”.
Apart from the existing “Client IP Address”, “Client Host” and “Client ID” mappers, we will include:
- realm roles
- client roles
- groups
After including the new “Mappers” the configuration should look like this:
With this the Keycloak side is configured. We just need to get some information that will be used in the Denodo Solution Manager Configuration.
In the Client details, click on the “Credentials” tab to get the Secret.
Go to “Realm Settings” on the left panel and click on “OpenID Endpoint Configuration” to open the discovery document, which lists the endpoints of the realm.
Save the data displayed, as we will need it to complete the Solution Manager configuration.
Solution Manager configuration
Access your Solution Manager web administration tool as administrator and go to “Configuration” > “Authentication”.
Expand the “Single Sign On Configuration” and fill the form as follows:
Where:
- Client ID is the name of the Keycloak client.
- Client secret is the Secret available in the “Credentials” tab of the client.
- User authorization URI is the “authorization_endpoint” available in the “OpenID Endpoint Configuration”.
- Access token URI is the “token_endpoint” available in the “OpenID Endpoint Configuration”.
- Issuer is the “issuer” available in the “OpenID Endpoint Configuration”.
- JWKS URL is the “jwks_uri” available in the “OpenID Endpoint Configuration”.
- Default process URI: /sso-openid/openid-login
- Scopes: roles,profile,openid,offline_access
- Extract roles from token: Yes
- Token role field: groups
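Each of the settings above corresponds to a check the relying party performs on the ID token it receives from Keycloak: the JWKS URL supplies the signing key (selected by the token's kid header), Issuer must equal the iss claim, Client ID must appear in aud, the token must not be expired, and only after all of that do the roles get read from the claim named in “Token role field”. The following script is an added example, not code from Denodo or Keycloak, that implements those checks with the Python standard library only. The issuer URL (http://localhost:7070/auth/realms/denodo80), the client ID, the toy RSA key pair, the JWKS and the token claims are all constructed here so that it runs offline; the key generation is for the demo only.

```python
"""Added example (not Denodo/Keycloak code): the ID-token checks implied by the Solution Manager's OpenID settings."""
import base64, hashlib, json, random, time

ISSUER = "http://localhost:7070/auth/realms/denodo80"  # assumed "issuer" value for realm denodo80
CLIENT_ID, ROLE_FIELD = "denodo80", "groups"            # Client ID and "Token role field" from the form
_SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo prefix for RS256

def _is_probable_prime(n, rounds=16):  # Miller-Rabin
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x not in (1, n - 1) and all((x := pow(x, 2, n)) != n - 1 for _ in range(r - 1)):
            return False
    return True

def gen_rsa_key(bits=1024):  # toy key generation so the demo runs offline; never for real use
    def prime(b):
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

def _b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _emsa(msg, k):  # EMSA-PKCS1-v1_5 encoding of SHA-256(msg) for a k-byte modulus
    t = _SHA256_PREFIX + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def sign_rs256(claims, kid, key):  # what the IdP does when it issues the ID token
    n, _, d = key
    k = (n.bit_length() + 7) // 8
    head = _b64u(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    body = f"{head}.{_b64u(json.dumps(claims).encode())}"
    return f"{body}.{_b64u(pow(_emsa(body.encode(), k), d, n).to_bytes(k, 'big'))}"

def jwks_for(key, kid):  # the public half, in the form published at jwks_uri
    n, e, _ = key
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": _b64u(n.to_bytes((n.bit_length() + 7) // 8, "big")),
                      "e": _b64u(e.to_bytes(3, "big"))}]}

class TokenError(Exception): pass

def validate_id_token(token, jwks, issuer, client_id, role_field, now=None):
    """Signature via the JWKS (kid lookup), then iss, aud (= Client ID) and exp; roles last."""
    h, p, s = token.split(".")  # ValueError on a malformed token
    header = json.loads(_b64u_dec(h))
    if header.get("alg") != "RS256":  # pin the algorithm: never honour "none" or an HS* downgrade
        raise TokenError("unexpected alg")
    jwk = next((j for j in jwks["keys"] if j.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise TokenError("unknown kid")
    n, e = (int.from_bytes(_b64u_dec(jwk[f]), "big") for f in ("n", "e"))
    sig = int.from_bytes(_b64u_dec(s), "big")
    if sig >= n or pow(sig, e, n) != _emsa(f"{h}.{p}".encode(), (n.bit_length() + 7) // 8):
        raise TokenError("bad signature")
    claims = json.loads(_b64u_dec(p))
    if claims.get("iss") != issuer:
        raise TokenError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("audience mismatch")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise TokenError("token expired")
    return claims.get("preferred_username"), list(claims.get(role_field, []))

KEY = gen_rsa_key()
JWKS = jwks_for(KEY, "demo-key")

def demo_token(**overrides):  # constructed claims in the shape Keycloak's mappers produce
    now = int(time.time())
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "f1c2", "preferred_username": "denodo",
              "iat": now, "exp": now + 300, ROLE_FIELD: ["myrole"]}
    return sign_rs256({**claims, **overrides}, "demo-key", KEY)

def rejection_reason(token):  # None when the token is accepted
    try:
        validate_id_token(token, JWKS, ISSUER, CLIENT_ID, ROLE_FIELD)
    except TokenError as err:
        return str(err)

def demo():  # the happy path plus the forgeries and mismatches a verifier must reject
    good, elevated = demo_token(), demo_token(groups=["global_admin"])
    h, _, s = good.split(".")
    p2 = elevated.split(".")[1]
    return {"ok": validate_id_token(good, JWKS, ISSUER, CLIENT_ID, ROLE_FIELD),
            "payload_swapped": rejection_reason(f"{h}.{p2}.{s}"),
            "alg_none": rejection_reason(_b64u(b'{"alg":"none","kid":"demo-key"}') + f".{p2}."),
            "wrong_issuer": rejection_reason(demo_token(iss=ISSUER.replace("denodo80", "master"))),
            "wrong_audience": rejection_reason(demo_token(aud="other-client")),
            "expired": rejection_reason(demo_token(exp=int(time.time()) - 1))}
```

Calling demo() returns the accepted user and roles for a valid token, and the reason each bad token was rejected: a payload carrying “global_admin” swapped under a valid signature, an alg=none header, a token issued by the master realm, a token minted for another client, and an expired one. A real relying party fetches the JWKS from the jwks_uri over HTTPS (and caches it) instead of building it locally; the order of the checks is what matters, since reading roles from an unverified payload is exactly how the swapped-payload case would become an administrator.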
Single Sign-On with SAML
Keycloak configuration
In order to register a client using SAML, go to the left panel and click on “Clients”. Then click on the “Create” button.
The first step is to fill in the Client ID with the identifier of the client application we want to connect to Keycloak, in this case the Solution Manager. This value must match the SAML entity ID configured later in the Solution Manager.
In this example, the Denodo Solution Manager is deployed on our server using the default configuration.
Click on “Save” and a new form will be created to complete the configuration of the application.
You can configure the client as follows:
- Client ID: http://solution_manager_host:port/saml
- Name: as required
- Description: as required
- Enabled: On
- Always Display in Console: Off
- Consent Required: On
- Display Client On Consent Screen: Off
- Login Theme: Leave blank or select “Base” or “Keycloak”.
- Client Protocol: saml
- Include AuthnStatement: On
- Include OneTimeUse Condition: Off
- Force Artifact Binding: Off
- Sign Documents: On
- Optimize REDIRECT signing key lookup: Off
- Sign Assertions: On
- Signature Algorithm: RSA_SHA256
- SAML Signature Key Name: KEY_ID
- Canonicalization Method: EXCLUSIVE
- Encrypt Assertions: Off
- Client Signature Required: Off
- Force POST Binding: Off
- Front Channel Logout: Off
- Force Name ID Format: Off
- Name ID Format: username
- Root URL: Leave blank.
- Valid Redirect URIs: http://solution_manager_host:port/*
- Base URL: Leave blank.
- Master SAML Processing URL: Leave blank.
- IDP Initiated SSO URL Name: Leave blank.
- IDP Initiated SSO Relay State: Leave blank.
In the “Fine Grain SAML Endpoint Configuration” section:
- Assertion Consumer Service Redirect Binding URL: http://solution_manager_host:port/sso/sso-saml/SSO
Now, click on “Realm Settings” and open the “SAML 2.0 Identity Provider Metadata” link.
This will open a new tab in your browser with the XML descriptor of the IdP: its entity ID, its signing certificate and its single sign-on endpoints.
Save the URL, as it will be used in the Solution Manager configuration.
The Solution Manager reads this XML to learn how to talk to Keycloak and which certificate to use when verifying its signatures.
Solution Manager configuration
Now it is time to configure the Solution Manager.
Access your Solution Manager web administration tool as administrator and go to “Configuration” > “Authentication”.
Expand the “Single Sign On Configuration” and fill the form as follows:
- SAML entity ID: The entity ID uniquely identifies your Solution Manager installation to the IdP. Therefore it should be something like:
http://<solution_manager_host>:<port>/saml
- Base URL: the base URL of the web container. It will be used as the base URL for the Assertion Consumer Service in SAML requests to the IdP.
http://<solution_manager_host>:<port>/
- SAML signing request: If enabled, the Solution Manager signs the authentication requests (AuthnRequests) it sends to the IdP. You can set it to “Yes”.
- Identity provider metadata URL: The value is the URL that we saved previously containing the description of the service in Keycloak. And should be something like:
http://localhost:7070/auth/realms/denodo80/protocol/saml/descriptor
Where “denodo80” is the name of the realm created before. The URL can be obtained in the Realm details page.
- Extract roles from SAML assertion: True. (If true, the user's roles are taken from the attributes of the SAML assertion issued by Keycloak.)
- Assertion role field: Role (the name of the assertion attribute that carries the roles; “Role” is the attribute name Keycloak's built-in “role list” mapper uses by default).
Click on “Save” and the Solution Manager configuration is completed.
Click on “Single Sign-On” on the Solution Manager login page and the Keycloak login page will be displayed.
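The SAML entity ID, the IdP metadata URL and the “Assertion role field” above together define what the Solution Manager has to check on every assertion Keycloak posts back: the Issuer must be the IdP entity ID taken from the metadata, the Audience must be the Solution Manager's own entity ID, the Conditions window must contain the current time, and only then are the roles read from the “Role” attribute. The following script is an added example, not code from Denodo or Keycloak: it parses a descriptor constructed to mirror the shape of Keycloak's and applies those checks to a constructed assertion, using only the Python standard library. The host in the entity IDs, the placeholder certificate and the timestamps are assumptions. XML-signature verification against the metadata certificate is deliberately left out of the example; a real relying party must perform it before any of the other checks.

```python
"""Added example (not Denodo/Keycloak code): reading the IdP descriptor and checking an assertion before trusting its roles."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD, SAML = "{urn:oasis:names:tc:SAML:2.0:metadata}", "{urn:oasis:names:tc:SAML:2.0:assertion}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
IDP_ENTITY_ID = "http://localhost:7070/auth/realms/denodo80"  # realm "denodo80" on the host assumed above
SP_ENTITY_ID = "http://solution_manager_host:port/saml"       # the Solution Manager's SAML entity ID
NOW = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)          # inside the constructed validity window

# Constructed to mirror the shape of Keycloak's descriptor; the certificate is a placeholder string.
IDP_METADATA = f"""<md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="{IDP_ENTITY_ID}">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>BASE64-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="{POST}" Location="{IDP_ENTITY_ID}/protocol/saml"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="{IDP_ENTITY_ID}/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion with one <Attribute Name="Role"> per role; the parser below also accepts
# a single multi-valued attribute. Signature elements are omitted (see extract_roles).
ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_demo"
    Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Subject><saml:NameID>denodo</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role"><saml:AttributeValue>myrole</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Role"><saml:AttributeValue>offline_access</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

class SamlError(Exception): pass

def parse_idp_metadata(xml_text):
    """The fields the Solution Manager takes from the "Identity provider metadata URL"."""
    root = ET.fromstring(xml_text)  # use a hardened XML parser (e.g. defusedxml) in a real SP
    if root.tag != MD + "EntityDescriptor":
        raise SamlError("not a SAML EntityDescriptor")
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        raise SamlError("no IDPSSODescriptor: this is not an IdP descriptor")
    certs = ["".join(c.text.split()) for kd in idp.findall(MD + "KeyDescriptor")
             if kd.get("use") in (None, "signing") for c in kd.iter(DS + "X509Certificate")]
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall(MD + "SingleSignOnService")}
    return {"entity_id": root.get("entityID"), "signing_certs": certs,
            "sso_redirect": sso.get(REDIRECT), "sso_post": sso.get(POST),
            "wants_signed_requests": idp.get("WantAuthnRequestsSigned") == "true"}

def _ts(s):  # xs:dateTime in UTC; fractional seconds are dropped
    return datetime.strptime(s[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def extract_roles(assertion_xml, idp_entity_id, sp_entity_id, now, role_attr="Role"):
    """Issuer, validity-window and audience checks, then the values of role_attr (the
    "Assertion role field"). The XML signature must already have been verified with
    the metadata certificate; that step is not implemented here and must never be skipped."""
    a = ET.fromstring(assertion_xml)
    if a.tag != SAML + "Assertion":
        raise SamlError("not an Assertion")
    if a.findtext(SAML + "Issuer") != idp_entity_id:
        raise SamlError("unexpected issuer")
    cond = a.find(SAML + "Conditions")
    if cond is None:
        raise SamlError("no Conditions element")
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now < _ts(nb)) or (na and now >= _ts(na)):
        raise SamlError("assertion outside its validity window")
    if sp_entity_id not in [x.text for x in cond.iter(SAML + "Audience")]:
        raise SamlError("audience mismatch")
    roles = [v.text for attr in a.iter(SAML + "Attribute") if attr.get("Name") == role_attr
             for v in attr.findall(SAML + "AttributeValue")]
    return a.findtext(SAML + "Subject/" + SAML + "NameID"), roles

def rejection_reason(assertion_xml=ASSERTION, sp=SP_ENTITY_ID, now=NOW):  # None when accepted
    try:
        extract_roles(assertion_xml, IDP_ENTITY_ID, sp, now)
    except SamlError as err:
        return str(err)

def demo():
    meta = parse_idp_metadata(IDP_METADATA)
    user, roles = extract_roles(ASSERTION, meta["entity_id"], SP_ENTITY_ID, NOW)
    return {"idp": meta, "user": user, "roles": roles,
            "wrong_audience": rejection_reason(sp="http://other-sp/saml"),
            "expired": rejection_reason(now=NOW + timedelta(minutes=10)),
            "other_realm": rejection_reason(ASSERTION.replace("denodo80", "master"))}
```

demo() returns the entity ID, signing certificate and SSO endpoints recovered from the descriptor, the user and roles (“myrole” and “offline_access”) extracted from the valid assertion, and the rejection reason for an assertion addressed to another service provider, an expired one, and one issued by a different realm. The audience check is what stops an assertion Keycloak issued for some other client from being replayed against the Solution Manager, which is why the SAML entity ID has to be unique per installation.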