Keycloak configuration

Prerequisites

This procedure assumes an existing Keycloak deployment to which you have administrative access. Specifically, you must have permission to create and configure Realms, Clients, Client Scopes, Realm Roles, Users, and Groups on the Keycloak deployment.

Step-by-step procedure

1. Create a new realm

   

2. Set a Display name for the realm and optionally configure the SMTP server (in Email tab) and enable the brute force detection (in Security defenses tab)

   

3. Configure an Authentication policy to match your company policy

4. Create a ‘metavault’ client and specify

   1. Client ID → metavault

   2. Name → metavault

      

   3. Disable Direct access grants

      

   4. Root URL → the base URL for the metavault component (example : http://beVault.example.local)

   5. Valid redirect URLs → /*

   6. Web origins → +

      

5. Create a ‘states’ client and specify

   1. Client ID → states

   2. Name → States

      

   3. Disable Direct access grants

      

   4. Root URL → the base URL for the metavault component (example : http://orchestrator.example.local)

   5. Valid redirect URLs → /*

   6. Web origins → +

      

6. Adapt metavault component configuration, see Metavault Configuration | Authentication

   1. Authority → <keycloak_base_url>/realms/<realm_name> (example: https://keycloak.dfakto.com/realms/bevault)

   2. ClientId → metavault

   3. Audience → account

7. Adapt states component configuration keys, see States Configuration | Authentication

   1. Authority → <keycloak_base_url>/realms/<realm_name> (example: https://keycloak.dfakto.com/realms/bevault)

   2. ClientId → states

   3. Audience → account

Go further

• If you want to integrate an external Identity provider to your Keycloak configuration → https://www.keycloak.org/docs/latest/server_admin/#_identity_broker

• Useful links regarding Keycloak

  • https://www.keycloak.org/guides

  • https://www.keycloak.org/docs/latest/server_admin/