Introduction
In this document you will learn how to configure Keycloak, an open source identity and access management solution, to use it as an Identity Provider (IdP) for the Denodo Solution Manager:
- In Keycloak we will see how to:
- Create a Realm in Keycloak.
- Create a Role.
- Create a User.
- Create client applications to authenticate using OpenIdD and SAML.
- In Denodo we will see how to:
- Enable single sign-on (SSO) in the Denodo Solution Manager 9.0, using your Keycloak account.
NOTE: This document has been tested with Keycloak 24.0.1.
Keycloak configuration
The first thing to do on the Keycloak side is creating the following elements:
- Realm
- Role
- User
Realm creation
Log in to your Keycloak server.
You will be redirected to the home page where the default realm “Master” is selected under the “Keycloak” dropdown. Click on the arrow at the right side of the “Keycloak” text and click on “Create Realm” to create a new one.
We will create a realm named “denodo90”.
Role creation
In order to create a new Role, go to the left panel and click on “Realm roles”.
We will create a role named “myrole”. Note that we will need to create a role with the same name in the Denodo Solution Manager later.
User creation
To create a new user, go to the left panel again and click on “Users” and then “Create new user”.
We will create a user named “denodo” as follows:
Note that, when saved, new tabs will appear to configure additional aspects of the user.
Go to the “Role Mappings” tab and assign “myrole” to the user.
Go to the “Credentials” tab and set a password for the new user.
Click on “Save” and your user is ready.
Solution Manager configuration
Log in to your Solution Manager as administrator and create a new role with the same name as the Keycloak role.
Click on “New” to create a new role.
Create the role with the same name as the Keycloak role as follows and click on “Save”.
Finally, we will need to assign existing roles to the role.
To keep thing simple, we will just assign the “global_admin” role to “myrole”.
Click on “Save” and the role is already available.
Single Sign-On with OpenID
Keycloak configuration
In order to register a client using OpenID go to the left panel and click on “Clients”. Then click on the “Create client” button.
We will create a client called “denodo90” with “OpenID Connect” as “Client type”.
Click on “Next”.
Turn “Client authentication” and “Authorization” to “On”.
Then, click “Next” again and “Save” to complete the client configuration..
Once the client has been created, a new form with different tabs will be displayed to complete the configuration of the client.
In the “Settings” tab enter the following information:
- Enabled: On
- Client ID: denodo90
- Root URL: http://<solution_manager_host>:<port>/sso/sso-openid/openid-login
- Valid Redirect URIs: http://<solution_manager_host>:<port>/sso/sso-openid/openid-login/*
(You can also enter a * in this field if you would like to allow any redirect URI as a valid one for testing purposes)
- Web Origins: http://<solution_manager_host>:<port>/*
- Admin URL: http://<solution_manager_host>:<port>/sso/sso-openid/openid-login
- Client authentication: On
- Authorization: On
- Authorization Standard flow: On
- Direct access grants: On
- Login Theme: Leave blank or select “Base” or “Keycloak”.
- Front channel logout: On
- Backchannel logout session required: On
Click on “Save” after filling the form.
The next step to configure the client is to include new “Mappers” to define the tokens that Keycloak and the Denodo Solution manager will handle. Click on the “Client scopes” tab (under the current client, not the “Client scopes” text on the left side) and click in the assigned client scope section “denodo90-dedicated”. It will display a dialog with the “Mappers”.
Apart from the current “Client IP Address”, “Client Host” and “Client ID” mappers, we will include:
- realm roles
- client roles
- groups
So, click on ”Add mapper” , then on “From predefined mappers” and search those mappers. After doing so the configuration should look like this:
With this, the Keycloak side is configured. We just need to get some information that will be used in the Denodo Solution Manager Configuration.
In the Client details, click on the “Credentials” tab to get the Secret.
Go to “Realm Settings” on the left panel and click on “OpendID Endpoint Configuration” to open the details of the connection where the endpoints are available.
Save the data displayed as we will need them to complete the Solution Manager configuration.
Solution Manager configuration
Access your Solution Manager web administration tool as administrator and go to “Configuration” > “Authentication”.
Expand the “Single Sign On Configuration” and fill the form as follows:
Where:
- Client ID is the name of the Keycloak client.
- Client secret is the Secret available in the “Credentials” tab of the client.
- User authorization URI is the “authorization_endpoint” available in the “OpendID Endpoint Configuration”.
- Access token URI is the “token_endpoint” available in the “OpendID Endpoint Configuration”.
- Issuer is the “issuer“ available in the “OpendID Endpoint Configuration”.
- JWKS URL is the “jwks_uri” in the “OpendID Endpoint Configuration”.
- Default process URI: /sso-openid/openid-login
- Scopes: roles,profile,openid,offline_access
- Extract roles from token: Yes
- Token role field: groups
Click the save button. It will take a moment for the authentication settings to reset and take effect. You should now be able to log out and log back in with Single Sign On using the user created above.
Single Sign-On with SAML
The simplest method for setting up the SAML configuration is to download the XML Metadata File from Solution Manager and then upload it to create the client in the Keycloak Denodo realm. As of version 24.0.1, Keycloak does not allow loading the XML file to an existing client, so to add the configuration to an existing Keycloak client, the settings must be configured manually and the certs must be exchanged using the keytool. For more information, see the user manual Enable SSL/TLS in the Denodo Platform.
To set up the SAML configuration by uploading the XML Metadata File, ensure the Denodo realm and appropriate users and role mappings are created in Keycloak as explained above. In “Realm settings” for the denodo90 realm, find the URL for “SAML 2.0 Identity Provider Metadata”
Solution Manager Configuration
Access your Solution Manager web administration tool as administrator and go to “Configuration” > “Authentication”.
Expand the “Single Sign On Configuration” and fill the form as follows:
- SAML entity ID: The entity ID uniquely identifies your Solution Manager installation to the IdP. Therefore it should be something like:
http://<solution_manager_host>:<port>/saml
- Base URL: the base URL of the web container. It will be used as the base URL for the Assertion Consumer Service in SAML requests to the IdP.
http://<solution_manager_host>:<port>/
- SAML signing request: If enabled, the Solution Manager will sign authorization requests to the IdP. You can set it to “Yes”.
- Identity provider metadata URL: The value is the URL that we saved previously containing the description of the service in Keycloak. It is available in “Realm settings” at the “SAML 2.0 Identity Provider Metadata” link and will have a format similar to:
http://localhost:8080/realms/denodo90/protocol/saml/descriptor
Where “denodo90” is the name of the realm created before.
- Extract roles from SAML assertion: True. (If true, the roles will be retrieved from Keycloak).
- Assertion role field: Role (the name of the SAML assertion used to extract roles).
Click on “Save” and wait for the Solution Manager authentication server to reset.
Click the “Download XML Metadata File” and save the file so that it can be uploaded to Keycloak.
Keycloak configuration
In order to register a client using SAML go to the left panel and click on “Clients”. Then, click on the “Import Client” button to use the previously downloaded XML file to create the client.
In the Import client screen, upload the XML file to the “Resource file” section.
This will import the certificate as well as all the settings necessary to register the Solution Manager as a client in Keycloak.
Click Save to create the client.
The client will have the name “http://127.0.0.1:19090/saml” as configured in the Solution Manager “SAML entity ID” textbox and should be configured properly and ready for Single Sign On.
For reference, here are the settings:
- Client ID: http://solution_manager_host:port/saml
- Enabled: On
- Valid redirect URIs: http://solution_manager_host:port/sso/sso-saml/SSO (for testing, this can be changed to http://solution_manager_host:port/* or *)
- Name ID format: username
- Force POST binding: On
- Include AuthnStatement: On
- Sign documents: On
- Sign assertions: On
- Signature Algorithm: RSA-SHA156
- SAML signature key name: KEY_ID
- Canonicalization method: EXCLUSIVE
- Login theme: keycloak
- Consent required: On
- Front channel logout: On
On the “Advanced” tab under “Fine Grain SAML Endpoint Configuration”:
- Assertion Consumer Service Redirect Binding URL: http://solution_manager_host:port/sso/sso-saml/SSO
Logout of Solution Manager and use the link http://solution_manager_host:port/solution-manager-web-tool/Login to test the SSO log in.
Click on Single Sign On and the Keycloak login page will be displayed.
Log in with the Keycloak user and you will be redirected to the Solution Manager web tool.
References
Authenticating with Single Sign-On
The information provided in the Denodo Knowledge Base is intended to assist our users in advanced uses of Denodo. Please note that the results from the application of processes and configurations detailed in these documents may vary depending on your specific environment. Use them at your own discretion.
For an official guide of supported features, please refer to the User Manuals. For questions on critical systems or complex environments we recommend you to contact your Denodo Customer Success Manager.
Recommended resources Recommendations generated by AI
Questions
