How to configure Keycloak as an identity provider and identity broker?

Keycloak can act as an identity provider as well as an identity broker. In this article, we will see how to configure Keycloak in both roles. As an identity provider, when an application needs to authenticate a user, the user is asked to authenticate over the Keycloak GUI or CLI, and if the authentication succeeds, the user is able to access the application.

Even when Keycloak is the Identity and Access Management (IAM) solution, there are cases where an external IAM solution has to be used. To keep things simple, the other IAM solution can be integrated through Keycloak, so that Keycloak acts as an identity broker. The advantage of this approach is that ideally no changes are required on the application side to use the external IAM solution (there are some special cases); all the changes are configured at the Keycloak level.

System Requirements

Existing behavior

When an application tries to authenticate, it is redirected to the default Keycloak login page shown below, and authentication happens against the users configured in this Keycloak realm. The screenshot below shows the default login page.


Setup Details

For the scope of this article,

  • I have two Keycloak instances running on different ports, 8085 and 9090.
  • The Keycloak endpoints are identity_provider and identity_broker.

Configuring Identity broker and Identity provider

In many articles available online, the configuration of the identity broker and the identity provider is explained separately. But in a real scenario both have to go hand in hand.

Step 1 : Change the default theme (Optional)

  • I will be changing the default Keycloak theme from keycloak.v2 to keycloak, as it is more user-friendly (at least for me).
  • This can be done on both the identity provider and the identity broker Keycloak.

Login (admin credentials) → Realm Settings → Themes → Select keycloak from the drop-down


Step 2 : Create client in the Identity provider

  • Log in to the identity provider Keycloak GUI and navigate to Clients.
  • Create a new client with client ID "Identitiy_providers_client" and client protocol "openid-connect".
  • The screenshot below shows the same.


Step 3: Configure Identity provider details in identity broker server [Part1]

  • This is a two-part process.
  • The identity provider needs the identity broker's endpoint (its redirect URL).
  • In the first part we obtain, from the identity broker, the redirect URL that the identity provider needs.
  • Log in to the identity broker server, navigate to Identity providers in the realm and select Keycloak OpenID Connect (or OpenID Connect).


  • Once the Keycloak OpenID Connect provider is selected, we see the screen below, where we need to copy the Redirect URI.


Step 4: Configure Client in Identity provider

  • We need to configure the client created in Step 2.
  • Update the field Valid redirect URIs with the URL copied from the identity broker [refer to Step 3].
  • Select Access Type as confidential from the drop-down.


  • After updating the URL, it is important to click Save.
  • After saving the initial configuration, a new tab called Credentials appears, where we can see the credentials for the client.
  • This client secret is required by the identity broker.


Step 5: Create Identity provider details in identity broker server [Part 2]

Get OpenID Endpoint Configuration from Identity Provider

  • Log in to the Keycloak identity provider and, from the realm where the client was created, get the endpoint configuration.
  • Login → Select Realm (in my case master) → Realm Settings → Copy the link for OpenID Endpoint Configuration


Provide Open ID Endpoint details in Identity Broker

  • Since we already have the identity broker's identity provider tab open [from Step 3], we can continue to configure the other parameters.
  • In the Import External IDP Config section, import the configuration using the URL copied in the step above.


  • Once we click Import, we can see that the other details, such as the Authorization URL and Token URL, are filled in.


Provide Client Id and Client secret

  • Provide the client ID and client secret obtained in Step 4.
  • In the field Client Authentication, select Client secret sent as post from the drop-down.
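The following is an added example, not code from the article or from Keycloak: it derives the values the GUI steps above produce (the broker's redirect URI from Step 3, the confidential client from Step 4, and the identity provider entry that Import External IDP Config fills in Step 5) and cross-checks them before they are saved. The hostnames, the secret and the discovery document are constructed; the Keycloak representation field names and the /realms URL layout without an /auth prefix are assumptions based on the Keycloak Admin REST API as I know it.

```python
from urllib.parse import urlparse

# Constructed to match the article: provider on 8085, broker on 9090, realm master.
IDP_BASE = "https://idp.example.test:8085"
BROKER_BASE = "https://broker.example.test:9090"
REALM, ALIAS, CLIENT_ID = "master", "keycloak-oidc", "Identitiy_providers_client"

# Constructed copy of the provider's OpenID endpoint configuration (Step 5).
_P = f"{IDP_BASE}/realms/{REALM}"
DISCOVERY = {"issuer": _P,
             "authorization_endpoint": f"{_P}/protocol/openid-connect/auth",
             "token_endpoint": f"{_P}/protocol/openid-connect/token",
             "userinfo_endpoint": f"{_P}/protocol/openid-connect/userinfo",
             "jwks_uri": f"{_P}/protocol/openid-connect/certs"}


def broker_redirect_uri(broker_base, realm, alias):
    """Step 3: the Redirect URI the broker shows (Quarkus layout, no /auth; assumed)."""
    return f"{broker_base}/realms/{realm}/broker/{alias}/endpoint"


def client_representation(client_id, redirect_uri):
    """Step 4: confidential openid-connect client that allows only the broker's exact URI."""
    return {"clientId": client_id, "protocol": "openid-connect",
            "publicClient": False,           # Access Type: confidential
            "redirectUris": [redirect_uri]}  # exact match, no wildcard


def idp_representation(discovery, alias, client_id, client_secret):
    """Step 5: what 'Import External IDP Config' fills in, plus the client credentials (assumed field names)."""
    return {"alias": alias, "providerId": "keycloak-oidc", "enabled": True,
            "config": {"issuer": discovery["issuer"],
                       "authorizationUrl": discovery["authorization_endpoint"],
                       "tokenUrl": discovery["token_endpoint"],
                       "userInfoUrl": discovery.get("userinfo_endpoint", ""),
                       "jwksUrl": discovery["jwks_uri"], "useJwksUrl": "true",
                       "validateSignature": "true",     # verify the provider's token signatures
                       "clientId": client_id, "clientSecret": client_secret,
                       "clientAuthMethod": "client_secret_post"}}  # Client secret sent as post


def consistency_problems(client, idp, discovery, idp_base):
    """Cross-checks to run before saving both sides; returns a list of findings."""
    origin = urlparse(idp_base)[:2]                       # (scheme, host:port) of the provider
    problems = [f"{k} does not point at the identity provider"
                for k in ("authorization_endpoint", "token_endpoint", "jwks_uri")
                if urlparse(discovery[k])[:2] != origin]  # imported endpoints must be the provider's
    if idp["config"]["clientId"] != client["clientId"]:
        problems.append("broker clientId differs from the provider's client")
    bad = [u for u in client["redirectUris"] if u.endswith("*") or urlparse(u).scheme != "https"]
    problems += [f"unsafe redirect URI on the provider client: {u}" for u in bad]
    return problems
```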


Verify Identity provider and Identity broker

  • We try to log in to the identity broker Keycloak, which is the interface the application uses for authentication.
  • An extra login option appears on the login screen, which differs from the existing login screen.


  • Once we select the keycloak-oidc login (identity provider), we are redirected to the identity provider's login page, where we can log in with a user configured in the identity provider; in my case, I had already created a user identity_providers_user.


  • Once login is successful, we are asked to enter the other required details of the user (this is customizable).


  • After the details are entered, we are taken to the application automatically; in my case I was redirected to the Keycloak GUI itself, but with a forbidden error.
  • The forbidden error is because the user from the identity provider did not have access to view my master realm; with the required permissions and roles this error can be avoided. But that is a topic for another article and out of the scope of this one.


Possible Error screen

  • In some cases, rather than redirecting to the required URL, we may see the error screen below with the message "Unexpected error when authenticating with identity provider".
  • The error can be solved by adding the CA certificate of the identity provider to the truststore of the identity broker.
  • The procedure for adding the CA certificate to the truststore of the identity broker is available here, or refer to the server installation guide available here.


Verifying Identity provider user in Identity broker

  • After a successful login with the user from the identity provider, the same user is saved in the identity broker (this is configurable).
  • Log in to the realm → Users
  • The user we used to authenticate (from the identity provider) is now available in the identity broker.


  • In the user details, we can see a tab called Identity Provider Links, where our identity provider alias can be seen.
