
RedactManager Documentation

Identity Provider: Keycloak

Keycloak is an open-source solution for sophisticated identity and access management.

It offers four user-management options:

  1. Integrated user management (internal)

  2. OIDC (OpenID Connect)

  3. SAMLv2 (Security Assertion Markup Language 2.0)

  4. LDAP (Lightweight Directory Access Protocol)

Keycloak has its own user directory, but it can also be integrated with external sources such as SAMLv2 providers and LDAP/LDAPS directories.

Please find below the configuration instructions for OIDC, SAMLv2, and LDAP.

To configure OIDC as the user-management provider, please follow the steps below:

  1. Open Keycloak.

  2. Go to Identity Providers.

  3. Click Add Provider.

  4. Select OpenID Connect v1.0.

  5. Enter the following configuration parameters:

    1. Note down the Redirect URI.

    2. Set Alias to oidc.

    3. Set Store Tokens to ON.

    4. Set Trust Email to ON.

    5. Set Account Linking Only to OFF.

    6. Set Hide on Login Page to OFF.

    7. Set Sync Mode to force.

  6. In the Import External IDP Config section at the bottom of the page:

    1. Import the provider's .well-known/openid-configuration endpoint via Import from URL.

    2. Change the Client Authentication.

  7. Insert the following parameters from your provider into the OpenID Connect Config section:

    1. Client Authentication: choose Client secret sent as post if you are unsure.

    2. Client ID

    3. Client Secret

  8. Click Save.

    The OpenID setup is now complete.
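The following Python script is an added example for the OIDC steps above; it is not RedactManager's or Keycloak's own code. It runs the checks worth doing on a discovery document before using Import from URL (TLS on every endpoint, all endpoints on the issuer's host, required fields present) and turns the console settings listed above into the JSON body that Keycloak's Admin REST API accepts for an identity provider. The field names follow IdentityProviderRepresentation as the author knows it and are an assumption to confirm against your Keycloak version; the discovery document and the host idp.example.test are constructed.

```python
"""Prepare a Keycloak OIDC identity provider from a discovery document (added example)."""
import json
from urllib.parse import urlparse

# Constructed .well-known/openid-configuration; idp.example.test is not a real provider.
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/oauth2/authorize",
    "token_endpoint": "https://idp.example.test/oauth2/token",
    "userinfo_endpoint": "https://idp.example.test/oauth2/userinfo",
    "end_session_endpoint": "https://idp.example.test/oauth2/logout",
    "jwks_uri": "https://idp.example.test/oauth2/keys",
    "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
})

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def load_discovery(text: str) -> dict:
    """Parse the discovery document (what Import from URL fetches)."""
    return json.loads(text)


def check_discovery(doc: dict) -> list:
    """Return the problems found; an empty list means the document is safe to import."""
    problems = [f"missing {key}" for key in REQUIRED_KEYS if key not in doc]
    issuer = urlparse(doc.get("issuer", ""))
    if issuer.scheme != "https":
        problems.append("issuer is not https")
    # Every endpoint must use TLS and live on the issuer's host: the token endpoint
    # receives the client secret, so a foreign host here would leak it.
    for key, value in doc.items():
        if key.endswith(("_endpoint", "_uri")) and isinstance(value, str):
            url = urlparse(value)
            if url.scheme != "https":
                problems.append(f"{key} is not https")
            if url.netloc != issuer.netloc:
                problems.append(f"{key} host differs from issuer host")
    return problems


def build_oidc_idp(doc: dict, client_id: str, client_secret: str, alias: str = "oidc") -> dict:
    """Map the console settings from the steps above onto a REST representation (assumed field names)."""
    problems = check_discovery(doc)
    if problems:
        raise ValueError("; ".join(problems))
    methods = doc.get("token_endpoint_auth_methods_supported", [])
    # Step 7.1: "Client secret sent as post" unless the provider only offers basic auth.
    if methods and "client_secret_post" not in methods:
        auth_method = "client_secret_basic"
    else:
        auth_method = "client_secret_post"
    return {
        "alias": alias,
        "providerId": "oidc",
        "enabled": True,
        "storeToken": True,      # Store Tokens: ON
        "trustEmail": True,      # Trust Email: ON
        "linkOnly": False,       # Account Linking Only: OFF
        "config": {
            "issuer": doc["issuer"],
            "authorizationUrl": doc["authorization_endpoint"],
            "tokenUrl": doc["token_endpoint"],
            "userInfoUrl": doc.get("userinfo_endpoint", ""),
            "logoutUrl": doc.get("end_session_endpoint", ""),
            "jwksUrl": doc["jwks_uri"],
            "useJwksUrl": "true",
            "validateSignature": "true",   # verify ID tokens against the provider's JWKS
            "clientId": client_id,
            "clientSecret": client_secret,
            "clientAuthMethod": auth_method,
            "syncMode": "FORCE",           # Sync Mode: force
            "hideOnLoginPage": "false",    # Hide on Login Page: OFF
        },
    }


if __name__ == "__main__":
    doc = load_discovery(SAMPLE_DISCOVERY_JSON)
    body = build_oidc_idp(doc, "CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER")
    print(json.dumps(body, indent=2))
```

The resulting JSON can be posted to the realm's identity-provider endpoint of the Admin REST API instead of clicking through the console; keep the client secret out of version control and pass it in at deployment time.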

To configure SAMLv2 as the user-management provider, please follow the steps below:

  1. Open Keycloak.

  2. Go to Identity Providers.

  3. Click Add Provider.

  4. Select SAML v2.0.

  5. Enter the following configuration parameters:

    1. Note down the Redirect URI.

    2. Set Alias to azuread.

    3. Set Display Name to Azure AD.

    4. Set Store Tokens to ON.

    5. Set Stored Tokens Readable to ON.

    6. Set Trust Email to ON.

    7. Set Account Linking Only to OFF.

    8. Set Hide on Login Page to OFF.

    9. Set Sync Mode to force.

  6. Create a SAML connector on the provider side using the Redirect URI noted in the previous step.

  7. Insert the following parameters from your provider:

    1. Service Provider Entity ID

    2. Single Sign-On Service URL

    3. Single Logout Service URL; then set how the user principal is identified (the values below are an example from Azure AD):

    4. Set NameID Policy Format to Persistent.

    5. Set Principal Attribute to ON (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name).

    6. Set Allow create to ON.

    7. Set HTTP-POST Binding Response to ON.

    8. Leave the remaining options OFF.

  8. To validate the signature on the provider's assertions:

    1. Set Validate Signature to ON.

    2. Paste the provider's signing certificate, in PEM format, into Validating X509 Certificates.

  9. Click Save.

  10. Additional mappers are needed to map user attributes: click the Mappers tab.

  11. To create the email mapper, click Create and set the following attributes exactly as listed:

    1. Set Name to email.

    2. Set Sync Mode Override to inherit.

    3. Set Mapper Type to Attribute Importer.

    4. Set Attribute Name to http://schemas.xmlsoap.org/ws

    5. Set User Attribute Name to email.

    6. Click Save.

  12. To create the firstName mapper, click Create and set the following attributes exactly as listed:

    1. Set Name to firstName.

    2. Set Sync Mode Override to inherit.

    3. Set Mapper Type to Attribute Importer.

    4. Set Attribute Name to http://schemas.xmlsoap.org/ws

    5. Set User Attribute Name to firstName.

    6. Click Save.

  13. To create the lastName mapper, click Create and set the following attributes exactly as listed:

    1. Set Name to lastName.

    2. Set Sync Mode Override to inherit.

    3. Set Mapper Type to Attribute Importer.

    4. Set Attribute Name to http://schemas.xmlsoap.org/ws

    5. Set User Attribute Name to lastName.

    6. Click Save.

      The SAMLv2 setup is now complete.
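The following Python script is an added example for the SAMLv2 steps above; it is not RedactManager's, Keycloak's or Azure AD's code. It parses a SAML 2.0 response and reports where it would not fit the broker settings configured above: a NameID format other than persistent, a missing principal attribute (the claims/name URI from step 7.5), a missing attribute for any of the three Attribute Importer mappers, and a response without a Signature element while Validate Signature is ON. The response XML is constructed, and the email/firstName/lastName attribute URIs are placeholders because the page shows them truncated; substitute the exact claim URIs your provider emits.

```python
"""Check a SAML 2.0 response against the broker settings above (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Principal Attribute from step 7.5 above (this URI is on the page).
PRINCIPAL_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
# User Attribute Name -> Attribute Name for the three Attribute Importer mappers.
# Placeholder URIs (assumption): replace with the claim URIs your provider emits.
MAPPERS = {
    "email": "urn:placeholder:claims:emailaddress",
    "firstName": "urn:placeholder:claims:givenname",
    "lastName": "urn:placeholder:claims:surname",
}

# Constructed sample response; the Signature element is a stub, not a real signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-4711</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>jdoe@example.test</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:placeholder:claims:emailaddress">
        <saml:AttributeValue>jdoe@example.test</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:placeholder:claims:givenname">
        <saml:AttributeValue>Jane</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:placeholder:claims:surname">
        <saml:AttributeValue>Doe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def parse_response(xml_text: str) -> dict:
    """Extract the NameID, the attribute statement and whether a Signature element exists."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:NameID", NS)
    attributes = {}
    for attr in root.findall(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attributes,
        # Presence only: the cryptographic check is what Validate Signature ON does
        # inside Keycloak, using the PEM certificate pasted in step 8.2.
        "signed": root.find(".//ds:Signature", NS) is not None,
    }


def check_broker_compat(parsed: dict, mappers: dict, validate_signature: bool = True) -> list:
    """List mismatches between the response and the broker configuration above."""
    problems = []
    if parsed["name_id_format"] != PERSISTENT:
        problems.append(f"NameID format is {parsed['name_id_format']!r}, expected persistent")
    if not parsed["attributes"].get(PRINCIPAL_ATTR):
        problems.append("principal attribute missing; Keycloak cannot identify the user")
    for user_attr, name in mappers.items():
        if not parsed["attributes"].get(name):
            problems.append(f"mapper {user_attr}: attribute {name} not in assertion")
    if validate_signature and not parsed["signed"]:
        problems.append("no Signature element; Validate Signature ON will reject this response")
    return problems


if __name__ == "__main__":
    parsed = parse_response(SAMPLE_RESPONSE)
    print(parsed["name_id"], check_broker_compat(parsed, MAPPERS) or "OK")
```

Because Trust Email is ON, a response whose email attribute is absent or mismapped leaves the imported user without a verified address, so the mapper check for email is the one to watch most closely when the provider changes its claim set.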

To configure LDAP as the user-management provider, please follow the steps below:

  1. Open Keycloak.

  2. Go to User Federation.

  3. Click Add Provider.

  4. Enter the following configuration parameters:

    1. Set Console Display Name to the name you would like to use.

    2. Set Import Users to ON.

    3. Set Edit Mode to UNSYNCED.

    4. Set Sync Registrations to OFF.

    5. Set Vendor to your LDAP vendor (or Other for OpenLDAP).

    6. Set Username LDAP attribute to email.

    7. Make any further changes needed to match your LDAP configuration, then click Save and Synchronize all users.

  5. Create two LDAP groups, one for users and one for admins:

    1. Add the RED_MANAGER value as an additional LDAP attribute to the user group.

    2. Add the RED_ADMIN value as an additional LDAP attribute to the user group.

    3. We suggest that you also fill in the description field.

  6. Additionally, a role-ldap-mapper is needed:

    1. Click the Mappers tab.

    2. Click Create.

    3. Set the following attributes exactly as described below:

      1. Set Mapper Type to role-ldap-mapper.

      2. Set Role Name LDAP Attribute to description.

      3. Set Mode to READ_ONLY.

      4. Set User Roles Retrieve Strategy to LOAD_ROLES_BY_MEMBER_ATTRIBUTE.

      5. Set Use Realm Roles Mapping to ON.

    4. Make any further changes needed to match your LDAP configuration.

    5. Click Save, then Sync LDAP Roles To Keycloak.

      The LDAP setup is now complete.
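The following Python script is an added example for the LDAP steps above; it is not Keycloak's code. It reads a group subtree in LDIF form and computes which realm roles the role-ldap-mapper configured above would assign to each user: the role name comes from the group's description attribute (Role Name LDAP Attribute) and a user receives the roles of every group whose member attribute lists the user's DN (LOAD_ROLES_BY_MEMBER_ATTRIBUTE). The LDIF, the group and user DNs and the dc=example,dc=test suffix are constructed for an OpenLDAP-style directory using groupOfNames, which is an assumption; adjust the member attribute name if your vendor uses a different one.

```python
"""Simulate the role-ldap-mapper's role loading for a user (added example)."""

# Constructed sample directory fragment; not a real LDAP tree.
SAMPLE_LDIF = """\
# groups that the role-ldap-mapper will read; description holds the role name
dn: cn=redactmanager-users,ou=groups,dc=example,dc=test
objectClass: groupOfNames
cn: redactmanager-users
description: RED_MANAGER
member: uid=alice,ou=people,dc=example,dc=test
member: uid=bob,ou=people,dc=example,dc=test

dn: cn=redactmanager-admins,ou=groups,dc=example,dc=test
objectClass: groupOfNames
cn: redactmanager-admins
description: RED_ADMIN
member: uid=alice,ou=people,dc=example,dc=test

dn: cn=finance,ou=groups,dc=example,dc=test
objectClass: groupOfNames
cn: finance
member: uid=carol,ou=people,dc=example,dc=test
"""


def normalize_dn(dn: str) -> str:
    """DNs compare case-insensitively; drop whitespace around RDN separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: entries separated by blank lines, folded lines rejoined.

    Base64 values ("attr:: ...") and change records are not handled; the point is
    the membership logic, not full LDIF support.
    """
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:      # folded continuation line
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    return entries


def roles_for_user(entries: list, user_dn: str,
                   role_attr: str = "description", member_attr: str = "member") -> set:
    """Realm roles the mapper would assign: one per group that lists the user as a member."""
    wanted = normalize_dn(user_dn)
    roles = set()
    for entry in entries:
        members = {normalize_dn(m) for m in entry.get(member_attr, [])}
        if wanted not in members:
            continue
        # A group without the role attribute contributes no role. With Mode READ_ONLY
        # the mapper never writes role changes back into LDAP, so the directory stays
        # the single source of truth for who is RED_MANAGER or RED_ADMIN.
        roles.update(v for v in entry.get(role_attr, []) if v)
    return roles


def realm_roles(entries: list, role_attr: str = "description") -> set:
    """Every role name that Sync LDAP Roles To Keycloak would create in the realm."""
    return {v for e in entries for v in e.get(role_attr, []) if v}


if __name__ == "__main__":
    groups = parse_ldif(SAMPLE_LDIF)
    print("realm roles:", sorted(realm_roles(groups)))
    for uid in ("alice", "bob", "carol"):
        dn = f"uid={uid},ou=people,dc=example,dc=test"
        print(uid, sorted(roles_for_user(groups, dn)))
```

Running this against an export of your real group subtree before the first sync shows exactly which accounts will land in RED_ADMIN, which is the review you want to do once rather than discover after users have logged in.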