Connecting to an OpenID Connect provider
You can connect Keycloak to an OpenID Connect (OIDC) provider. For more information, see OpenID Connect v1.0 identity providers in the Red Hat documentation.
Adding users
Connect to an OIDC identity provider by adding an identity provider to the Keycloak realm.
Log in to the Platform UI as a user with realm management permissions. For more information, see Cloud Pak roles and permissions.
Click the Navigation Menu icon next to IBM Cloud Pak for Integration in the banner, then click Administration > Access control. The Keycloak access control console opens.
In the navigation pane, click Identity providers.
Select OIDC, or if you have already created a provider, select the provider you want to edit.
Configure your Identity Provider by entering the Redirect URI that is provided by Keycloak.
Enter your OIDC settings. You can use a discovery endpoint, or turn off the Use discovery endpoint setting to configure the OIDC provider manually.
Important: If you are using API Connect cluster instances and are upgrading to Cloud Pak for Integration 16.1.1, the usernames from the identity provider that was used with the previous identity and access system must be entered correctly when configuring Keycloak. Ensure that the preferred_username claim from your identity provider matches the usernames that are stored in the IBM API Connect access management system.
Enter the Client ID and Client Secret from your identity provider.
Click Save.
Users are added to the Keycloak database when they first log in to Cloud Pak for Integration.
Mapping to groups and roles
You can add identity provider users to Keycloak groups based on attributes provided by the identity provider. For information about Keycloak groups, see Managing users in Keycloak.
Log in to the Platform UI as a user with realm management permissions. For more information, see Cloud Pak roles and permissions.
Click the Navigation Menu icon next to IBM Cloud Pak for Integration in the banner, then click Administration > Access control. The Keycloak access control console opens.
In the navigation pane, click Identity providers.
Select the provider that you want to edit.
Click the Mappers tab.
Click Add Mapper.
Enter a name (for example, groups).
Select the Advanced Claim to Group type.
Enter the claim used to identify that the user should be a member of the group.
Select the group to which the user should be added.
Click Save.
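The following Python is an added illustration, not code from the IBM documentation or from Keycloak itself: it simulates how an Advanced Claim to Group mapper decides whether a user is placed in a group from the claims in the provider's token, and checks the preferred_username claim against a constructed list of API Connect usernames so a case or spelling mismatch is caught before the cutover. The sample claims, the mapper definitions, the dotted-path lookup for nested claims and the regex option are assumptions made for this example.

```python
import re

# Constructed sample: decoded ID-token claims as a provider might issue them
# (not a real token; values are made up for this example).
SAMPLE_CLAIMS = {
    "sub": "8f2c1d",
    "preferred_username": "jsmith",
    "groups": ["integration-admins", "developers"],
    "realm_access": {"roles": ["viewer"]},
}
# Usernames as stored in the API Connect access management system (constructed).
APIC_USERNAMES = {"jsmith", "akhan"}

def get_claim(claims, path):
    """Look up a claim; a dotted path walks nested objects (assumed convention)."""
    value = claims
    for part in path.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value

def claim_matches(claims, name, expected, regex=False):
    """Claim equals (or, with regex=True, fully matches) expected; any element of a list counts."""
    value = get_claim(claims, name)
    if value is None:
        return False
    candidates = value if isinstance(value, list) else [value]
    if regex:
        return any(re.fullmatch(expected, str(c)) for c in candidates)
    return any(str(c) == expected for c in candidates)

def groups_for(claims, mappers):
    """Groups the mappers would add the user to: every claim condition of a mapper must hold."""
    return [m["group"] for m in mappers
            if all(claim_matches(claims, n, v, m.get("regex", False)) for n, v in m["claims"])]

def username_matches(claims, known_usernames):
    """Check the preferred_username claim against the API Connect username store (exact match)."""
    return get_claim(claims, "preferred_username") in known_usernames

# Mapper definitions in the shape of the Advanced Claim to Group mapper's inputs (constructed).
MAPPERS = [
    {"claims": [("groups", "integration-admins")], "group": "/cp4i-admins"},
    {"claims": [("realm_access.roles", "view.*")], "regex": True, "group": "/cp4i-viewers"},
    {"claims": [("groups", "auditors")], "group": "/cp4i-auditors"},
]

if __name__ == "__main__":
    print(groups_for(SAMPLE_CLAIMS, MAPPERS), username_matches(SAMPLE_CLAIMS, APIC_USERNAMES))
```

Run it against the decoded claims of a token from your own provider to see which groups a given user would be granted and whether the username check passes before users first log in.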