Keycloak¶

Open Source Identity and Access Management

Homepage: https://keycloak.org

Version: 18.0.0

Installation¶

Docker¶

docker-compose, example¶

to be run behind https-enabled reverse proxy (Traefik)

auth:
  image: quay.io/keycloak/keycloak:18.0.0
  command: start --auto-build
  environment:
    KC_DB: mssql
    KC_DB_URL_HOST: db
    KC_DB_URL_DATABASE: keycloak
    KC_DB_USERNAME: ${MSSQL_DB_USER}
    KC_DB_PASSWORD: ${MSSQL_DB_PASS}
    KC_TRANSACTION_XA_ENABLED: false
    KC_PROXY: passthrough
    KC_HTTP_ENABLED: "true"
    KC_HOSTNAME_STRICT: "false"
    KEYCLOAK_ADMIN: admin
    KEYCLOAK_ADMIN_PASSWORD: secret

Windows¶

Download Keycloak Server (Distribution powered by Quarkus) and unzip
configure database in conf/keycloak.conf
run bin/kc.bat start --auto-build
if run is successful then install as a service:

X:\GiS\Insight\Keycloak\bin\keycloak-service.bat install
Configure the newly created "Keycloak" service from manual to automatic
Start the service

Configuration / Realm¶

additional documentation https://www.keycloak.org/docs/latest/server_admin/

open Keycloak Admin Console
- http://localhost:8080
create admin-user
add new realm
import insight-realm.json while creating a new realm
regenerate secret for insight-api client
- Copy secret-value and set oidc.techuser.client_secret in insight.properties
fix URLs for clients: insight-app & insight-cockpit
- replace external.hostname.tld with the external hostname of your Insight server
create a new (technical/system) user to be configured in the middleware
- Switch "Temporary" to "off" otherwise passwort is only valid till next login and user is forced to change password
- set values into oidc.techuser.username and oidc.techuser.password in insight.properties
ensure Add to userinfo is set to ON at ClientScopes/roles/Mappers/realm roles

Continue with OIDC-Integration