Keycloak¶

Open Source Identity and Access Management

Homepage: https://keycloak.org

Version: 18.0.0

Installation¶

Docker¶

docker-compose, example¶

to be run behind https-enabled reverse proxy (Traefik)

auth:
  image: quay.io/keycloak/keycloak:18.0.0
  command: start --auto-build
  environment:
    KC_DB: mssql
    KC_DB_URL_HOST: db
    KC_DB_URL_DATABASE: keycloak
    KC_DB_USERNAME: ${MSSQL_DB_USER}
    KC_DB_PASSWORD: ${MSSQL_DB_PASS}
    KC_TRANSACTION_XA_ENABLED: false
    KC_PROXY: passthrough
    KC_HTTP_ENABLED: "true"
    KC_HOSTNAME_STRICT: "false"
    KEYCLOAK_ADMIN: admin
    KEYCLOAK_ADMIN_PASSWORD: secret

Windows¶

Download Keycloak Server (Distribution powered by Quarkus) and unzip
configure database in conf/keycloak.conf
run bin/kc.bat start --auto-build
if run is successful then install as a service:

X:\GiS\Insight\Keycloak\bin\keycloak-service.bat install

Configure the newly created "Keycloak" service from manual to automatic
Start the service

Configuration / Realm¶

additional documentation https://www.keycloak.org/docs/latest/server_admin/

open Keycloak Admin Console
http://localhost:8080
create admin-user
add new realm
import insight-realm.json while creating a new realm
regenerate secret for insight-api client
Copy secret-value and set oidc.techuser.client_secret in insight.properties
fix URLs for clients: insight-app & insight-cockpit
replace external.hostname.tld with the external hostname of your Insight server
create a new (technical/system) user to be configured in the middleware
Switch "Temporary" to "off" otherwise passwort is only valid till next login and user is forced to change password
set values into oidc.techuser.username and oidc.techuser.password in insight.properties
ensure Add to userinfo is set to ON at ClientScopes/roles/Mappers/realm roles

Continue with OIDC-Integration