OpenID Connect (OIDC) integration with Keycloak (EKS and OCP without CPFS)
Connect your OpenID Connect (OIDC)-enabled Keycloak server to your Concert instance to enable secure user authentication and simplify user and access management.
Keycloak is an open-source identity and access management solution that provides various protocols for authentication and authorization, including OIDC. OIDC is a simple identity layer built on top of the OAuth 2.0 protocol, which allows clients to verify the identity of users based on the authentication performed by the Keycloak server. You can enable OIDC on your Keycloak server and configure your Concert instance to use OIDC as the authentication method to establish secure and seamless user authentication and management. Once implemented, you can manage Concert users and user groups in the Keycloak Management Console or using the Keycloak API.
Before you begin
- You must install Keycloak on your server. Refer to the Keycloak documentation for instructions.
- You must have a valid SSL certificate. During implementation, you will add the file to the relevant directory on your cluster to establish a secure connection between your Concert instance and the Keycloak server.
Step 1: Enable OIDC on Keycloak
Refer to the following steps to enable OIDC on your Keycloak server.
- Log in to the Keycloak admin console.
- Create a realm:
- Click Create realm to create a new realm.
- Enter a name for your realm.
- Click Create.
- Select the new realm from the list.
- Create a client:
- Click Clients.
- Click Create client.
- In the General settings tab, enter the Client ID.
- Click Next.
- In the Capability config tab, select the check boxes next to the Standard flow, Direct access grants, Implicit flow, and Service accounts roles options.
- Click Next.
- Next to Root URL, enter the unique URL for your Concert instance.
- Assign roles:
- Click Service accounts roles.
- Assign the realm-management realm-admin and realm-management manage-users roles from the list.
- Click Assign.
Step 2: Integrate OIDC with Concert
- To ensure SSL access for the Keycloak server, update the app-cfg-internal-tls secret. Refer to Managing custom trusted certificates.
- Run the configure-keycloak script:
./configure-keycloak --namespace=<concert namespace> --oidc_host=<OIDC host> \
  --oidc_realm_name=<OIDC realm name> \
  --oidc_client_id=<OIDC client ID> \
  --oidc_client_secret=<OIDC client secret> \
  --iam_openid_endpoint=<IAM OpenID endpoint> \
  --oidc_users_endpoint=<OIDC users endpoint> \
  --oidc_groups_endpoint=<OIDC groups endpoint> \
  --oidc_client_id_url=<OIDC client ID URL>
Example:
./configure-keycloak --namespace=<concert-ns> --oidc_host=https://mykeycloak.mydomain.com \
  --oidc_realm_name=myrealm \
  --oidc_client_id=myclient \
  --oidc_client_secret=CtpZCvVssQB7if \
  --iam_openid_endpoint=https://mykeycloak.mydomain.com/realms/myrealm/.well-known/openid-configuration \
  --oidc_users_endpoint=https://mykeycloak.mydomain.com/admin/realms/myrealm/users \
  --oidc_groups_endpoint=https://mykeycloak.mydomain.com/admin/realms/myrealm/groups \
  --oidc_client_id_url=https://mykeycloak.mydomain.com/admin/realms/myrealm/clients?clientId=myclient
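As an added pre-flight check (example code, not part of the Concert documentation or of the configure-keycloak script), the following Python derives the endpoint arguments from --oidc_host, --oidc_realm_name and --oidc_client_id so that they agree with each other, and validates a discovery document fetched from the IAM OpenID endpoint against the realm name and the four flows enabled in Step 1. The discovery document below is a constructed sample, and the function names are assumptions of this example.

```python
import json
from urllib.parse import urlencode, urlparse

# Grant types a realm must advertise for the four options enabled in Step 1.
REQUIRED_GRANT_TYPES = {
    "authorization_code",  # Standard flow
    "implicit",            # Implicit flow
    "password",            # Direct access grants
    "client_credentials",  # Service accounts roles
}


def derive_endpoints(oidc_host, realm, client_id):
    """Build the endpoint arguments from host, realm and client ID so they cannot drift apart."""
    host = oidc_host.rstrip("/")
    return {
        "iam_openid_endpoint": f"{host}/realms/{realm}/.well-known/openid-configuration",
        "oidc_users_endpoint": f"{host}/admin/realms/{realm}/users",
        "oidc_groups_endpoint": f"{host}/admin/realms/{realm}/groups",
        "oidc_client_id_url": f"{host}/admin/realms/{realm}/clients?" + urlencode({"clientId": client_id}),
    }


def check_discovery(doc, oidc_host, realm):
    """Return the problems found in a discovery document fetched from the IAM OpenID endpoint."""
    problems = []
    if urlparse(oidc_host).scheme != "https":
        problems.append("oidc_host must use https so the trusted certificate in app-cfg-internal-tls is used")
    expected_issuer = f"{oidc_host.rstrip('/')}/realms/{realm}"
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} does not match {expected_issuer!r}")
    missing = REQUIRED_GRANT_TYPES - set(doc.get("grant_types_supported", []))
    if missing:
        problems.append("realm does not advertise grant types: " + ", ".join(sorted(missing)))
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not doc.get(key, "").startswith(expected_issuer + "/"):
            problems.append(f"{key} {doc.get(key)!r} is not under the realm issuer")
    return problems


# Constructed sample discovery document for realm "myrealm" (not captured from a real server).
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://mykeycloak.mydomain.com/realms/myrealm",
  "authorization_endpoint": "https://mykeycloak.mydomain.com/realms/myrealm/protocol/openid-connect/auth",
  "token_endpoint": "https://mykeycloak.mydomain.com/realms/myrealm/protocol/openid-connect/token",
  "jwks_uri": "https://mykeycloak.mydomain.com/realms/myrealm/protocol/openid-connect/certs",
  "grant_types_supported": ["authorization_code", "implicit", "refresh_token", "password", "client_credentials"]
}""")

if __name__ == "__main__":
    print(json.dumps(derive_endpoints("https://mykeycloak.mydomain.com", "myrealm", "myclient"), indent=2))
    print(check_discovery(SAMPLE_DISCOVERY, "https://mykeycloak.mydomain.com", "myrealm") or "discovery document OK")
```

Against a live server, fetch the document from the --iam_openid_endpoint URL with the same trusted CA you placed in app-cfg-internal-tls and pass the parsed JSON to check_discovery; an empty list means the host, realm and enabled flows match what Step 1 configured.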
Next steps
Once the OIDC integration with Concert is set up, log in to the Concert console and verify that the expected roles and permissions exist.
To grant other Concert users access to view or manage an environment or application, see Granting access to applications and environments for instructions.
Appendix: Disabling OIDC with Keycloak
- Remove OIDC authentication from the config map:
kubectl patch configmap app-cfg-cm -n <concert-ns> --type='merge' -p '{"data": {"ROJA_AUTH": "native"}}'
- Restart the ibm-rojacore and ibm-roja-ui services using the following commands:
kubectl -n ${namespace} rollout restart deployment roja-ui rojacore
kubectl -n ${namespace} rollout status deployment roja-ui rojacore --timeout=10m