Introduction

In this document you will learn how to configure Keycloak, an open source identity and access management solution, to use it as an Identity Provider (IdP) for the Denodo Solution Manager: 

In Keycloak we will see how to:

  • Create a Realm in Keycloak.
  • Create a Role.
  • Create a User.
  • Create client applications to authenticate using OpenID and SAML.

In Denodo we will see how to:

  • Enable single sign-on (SSO) in the Denodo Solution Manager 8.0, using your Keycloak account.

NOTE: This document has been tested with Keycloak 21.0.1.

Keycloak configuration

The first thing to do on the Keycloak side is creating the following elements:

  • Realm
  • Role
  • User

Realm creation

Log in to your Keycloak server.

You will be redirected to the home page where the default realm “Master” is selected. Click on the arrow at the right side of the default “Master” realm and click on “Create Realm” to create a new one.

We will create a realm named “denodo80”.

Role creation

In order to create a new Role, go to the left panel and click on “Realm roles”.

We will create a role named “myrole”. Note that we will need to create a role with the same name in the Denodo Solution Manager later.

User creation

To create a new user, go to the left panel again and click on “Users” and then “Create new user”.

We will create a user named “denodo” as follows:

Note that, when saved, new tabs will appear to configure additional aspects of the user.

Go to the “Role Mappings” tab and assign “myrole” to the user.

Go to the “Credentials” tab and set a password for the new user.

Click on “Save” and your user is ready.

Solution Manager configuration

Log in to your Solution Manager as administrator and create a new role with the same name as the Keycloak role.

Click on “New” to create a new role.

Create the role as follows and click on “Save”.

Finally, we will need to assign existing roles to the new role.

To keep things simple, we will just assign the “global_admin” role to “myrole”.

Click on “Save” and the role is already available.

Single Sign-On with OpenID

Keycloak configuration

In order to register a client using OpenID go to the left panel and click on “Clients”. Then click on the “Create client” button.

We will create a client called “denodo80” with “OpenID Connect” as “Client type”. Click on “Next” and “Save”.

Once the client has been created, a new form with different tabs will be displayed to complete the configuration of the client.

In the “Settings” tab enter the following information:

  • Enabled: On
  • Client ID: denodo80
  • Root URL: http://<solution_manager_host>:<port>/sso/sso-openid/openid-login
  • Valid Redirect URIs: http://<solution_manager_host>:<port>/sso/sso-openid/openid-login/*

(You can also enter a * in this field if you would like to allow any redirect URI as a valid one for testing purposes)

  • Web Origins: http://<solution_manager_host>:<port>/*
  • Admin URL: http://<solution_manager_host>:<port>/sso/sso-openid/openid-login
  • Client authentication: On
  • Authorization: On
  • Authorization Standard flow: On
  • Direct access grants: On
  • Login Theme: Leave blank or select “Base” or “Keycloak”.
  • Front channel logout: On
  • Backchannel logout session required: On

Click on “Save” after filling the form.

The next step to configure the client is to include new “Mappers” to define the tokens that Keycloak and the Denodo Solution Manager will handle. Click on the “Client scopes” tab and then click on the assigned client scope “denodo80-dedicated”. It will display a dialog with the “Mappers”.

Apart from the current “Client IP Address”, “Client Host” and “Client ID” mappers, we will include:

  • realm roles
  • client roles
  • groups

So, click on “Add mapper”, then on “From predefined mappers”, and search for those mappers. After doing that the configuration should look like this:

With this the Keycloak side is configured. We just need to get some information that will be used in the Denodo Solution Manager Configuration.

In the Client details, click on the “Credentials” tab to get the Secret.

Go to “Realm Settings” on the left panel and click on “OpenID Endpoint Configuration” to open the details of the connection where the endpoints are available.


Save the data displayed, as we will need it to complete the Solution Manager configuration.

Solution Manager configuration

Access your Solution Manager web administration tool as administrator and go to “Configuration” > “Authentication”.

Expand the “Single Sign On Configuration” and fill the form as follows:

Where:

  • Client ID is the name of the Keycloak client.
  • Client secret is the Secret available in the “Credentials” tab of the client.
  • User authorization URI is the “authorization_endpoint” available in the “OpenID Endpoint Configuration”.
  • Access token URI is the “token_endpoint” available in the “OpenID Endpoint Configuration”.
  • Issuer is the “issuer” available in the “OpenID Endpoint Configuration”.
  • JWKS URL is the “jwks_uri” in the “OpenID Endpoint Configuration”.
  • Default process URI: /sso-openid/openid-login
  • Scopes: roles,profile,openid,offline_access
  • Extract roles from token: Yes
  • Token role field: groups
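As an added example (not part of the Denodo article or of Keycloak), the following Python script maps a constructed copy of the realm's “OpenID Endpoint Configuration” document onto the Solution Manager fields listed above, rejects any endpoint that does not sit under the issuer URL, and reads roles from the “groups” claim the way the “Token role field” setting does. The Keycloak host and port and the decoded token claims are constructed sample values.

```python
import json
from urllib.parse import urlparse

# Constructed sample of the "OpenID Endpoint Configuration" document that Keycloak
# serves for the realm "denodo80", trimmed to the keys the Solution Manager form needs.
DISCOVERY_JSON = json.dumps({
    "issuer": "http://localhost:8080/realms/denodo80",
    "authorization_endpoint": "http://localhost:8080/realms/denodo80/protocol/openid-connect/auth",
    "token_endpoint": "http://localhost:8080/realms/denodo80/protocol/openid-connect/token",
    "jwks_uri": "http://localhost:8080/realms/denodo80/protocol/openid-connect/certs",
})

# Solution Manager form field -> discovery document key, as listed in the article.
FIELD_MAP = {
    "User authorization URI": "authorization_endpoint",
    "Access token URI": "token_endpoint",
    "Issuer": "issuer",
    "JWKS URL": "jwks_uri",
}


def solution_manager_fields(discovery_json: str) -> dict:
    """Derive the form values from the discovery document, rejecting any endpoint
    that does not live under the issuer URL (a sign of tampered or mixed-up metadata)."""
    doc = json.loads(discovery_json)
    issuer = urlparse(doc["issuer"])
    fields = {}
    for field, key in FIELD_MAP.items():
        url = urlparse(doc[key])
        if (url.scheme, url.netloc) != (issuer.scheme, issuer.netloc) \
                or not url.path.startswith(issuer.path):
            raise ValueError(f"{key} {doc[key]!r} is not under issuer {doc['issuer']!r}")
        fields[field] = doc[key]
    return fields


def roles_from_token(claims: dict, role_field: str = "groups") -> list:
    """Read roles the way 'Token role field: groups' instructs: from the claim that the
    predefined 'groups' mapper populates. Accepts a single string or a list of strings."""
    raw = claims.get(role_field, [])
    if isinstance(raw, str):
        raw = [raw]
    return sorted(r for r in raw if isinstance(r, str))


# Constructed decoded access-token claims for the user "denodo" created earlier.
SAMPLE_CLAIMS = {"preferred_username": "denodo", "groups": ["myrole", "offline_access"]}
```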

Single Sign-On with SAML

Keycloak configuration

In order to register a client using SAML go to the left panel and click on “Clients”. Then click on the “Create Client” button.

The first step to create the client is to select the Client type as “SAML” and fill in the Client ID pointing to the client application we want to connect to Keycloak, in this case the Solution Manager.

Click on “Save” and a new form will be created to complete the configuration of the application.

You can configure the client as follows:

  • Client ID: http://solution_manager_host:port/saml
  • Enabled: On
  • Valid redirect URIs: http://solution_manager_host:port/*
  • Name ID format: username
  • Include AuthnStatement: On
  • Sign documents: On
  • Sign assertions: On
  • Signature Algorithm: RSA_SHA256
  • SAML signature key name: KEY_ID
  • Canonicalization method: EXCLUSIVE
  • Login theme: keycloak
  • Consent required: On
  • Front channel logout: On

Then, go to the “Advanced” tab and in the “Fine Grain SAML Endpoint Configuration” introduce:

  • Assertion Consumer Service Redirect Binding URL: http://solution_manager_host:port/sso/sso-saml/SSO

Now, click on the “Realm Settings” section and go to the “SAML 2.0 Identity Provider Metadata”.

This will open a new tab in your browser with the description of the IdP.

Save the URL as it will be used in the Solution Manager configuration.

This XML contains a description of the service and will be used by Solution Manager.

Solution Manager configuration

Now it is time to configure the Solution Manager.

Access your Solution Manager web administration tool as administrator and go to “Configuration” > “Authentication”.

Expand the “Single Sign On Configuration” and fill the form as follows:

  • SAML entity ID: The entity ID uniquely identifies your Solution Manager installation to the IdP. Therefore it should be something like:

http://<solution_manager_host>:<port>/saml

  • Base URL: the base URL of the web container. It will be used as the base URL for the Assertion Consumer Service in SAML requests to the IdP.

http://<solution_manager_host>:<port>/

  • SAML signing request: If enabled, the Solution Manager will sign authorization requests to the IdP. You can set it to “Yes”.
  • Identity provider metadata URL: The value is the URL that we saved previously containing the description of the service in Keycloak. It should be something like:

http://localhost:8080/realms/denodo80/protocol/saml/descriptor

Where “denodo80” is the name of the realm created before. The URL can be obtained in the Realm details page.

  • Extract roles from SAML assertion: True. (If true, the roles will be retrieved from Keycloak).
  • Assertion role field: Role (the name of the SAML assertion used to extract roles).

Click on “Save” and the Solution Manager configuration is completed.
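As an added example (not from the Denodo article or from Keycloak), this Python script parses a constructed, trimmed copy of the realm's “SAML 2.0 Identity Provider Metadata” to pull out the values the Solution Manager relies on, and extracts roles from a constructed assertion the way “Assertion role field: Role” does, after checking that the assertion is addressed to the SAML entity ID configured above. The Solution Manager host and port and the signing certificate are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed, trimmed stand-in for the descriptor served at
# http://localhost:8080/realms/denodo80/protocol/saml/descriptor (certificate replaced by a placeholder).
IDP_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="http://localhost:8080/realms/denodo80"><md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CERT_PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="http://localhost:8080/realms/denodo80/protocol/saml"/>
  </md:IDPSSODescriptor></md:EntityDescriptor></md:EntitiesDescriptor>"""

def parse_idp_metadata(xml_text: str) -> dict:
    """Return the IdP entityID, its HTTP-Redirect SSO URL and whether it publishes a signing key."""
    entity = ET.fromstring(xml_text).find("md:EntityDescriptor", NS)
    sso = [s.get("Location")
           for s in entity.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)
           if s.get("Binding") == REDIRECT_BINDING]
    signing = entity.find("md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']", NS)
    return {"entity_id": entity.get("entityID"),
            "sso_redirect_url": sso[0] if sso else None,
            "has_signing_key": signing is not None}

# Constructed assertion fragment for user "denodo": the roles arrive as values of the attribute
# named in "Assertion role field" ("Role"); the audience is the SP entity ID configured above.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>http://sm.example:19090/saml</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="Role">
    <saml:AttributeValue>myrole</saml:AttributeValue>
    <saml:AttributeValue>offline_access</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement></saml:Assertion>"""

def roles_from_assertion(xml_text: str, sp_entity_id: str, role_field: str = "Role") -> list:
    """Extract roles from the named attribute, but only from an assertion addressed to our entity ID."""
    assertion = ET.fromstring(xml_text)
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError(f"assertion audience {audiences} does not include {sp_entity_id!r}")
    path = f".//saml:Attribute[@Name='{role_field}']/saml:AttributeValue"
    return [v.text for v in assertion.findall(path, NS)]
```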


Click on “Single Sign On” and the Keycloak login page will be displayed.
