Skip to main content

AE initiated SSO with Keycloak using OpenID Connect

Keycloak Identity Provider supports OpenID Connect protocols.

In the topic, you will learn about the required parameters and some key configurations to set up AutomationEdge SSO with Keycloak.

Following are the required parameters for Keycloak IDP SSO configuration in AutomationEdge:

  • Identity Provider Issuer
  • Identity Provider Endpoints (Authorization, Token & End Session Endpoints)
  • Login redirect URIs
  • Client ID

To setup Keycloak IDP SSO configuration in AutomationEdge:

  1. Access the Keycloak portal. The Login page appears.

    Keycloak login

    Keycloak login page

  2. Enter the login credentials and click Log In. The landing page appears.

    Keycloak landing page

    Keycloak landing page

  3. In the left navigation pane, click Realm Settings -> Add realm. Enter the details and add a realm, if not added.

  4. In the left navigation pane:

    1. Click Clients -> Clients page -> click Create. The Add Client page appears.

      Keycloak Add Client page

      Keycloak Add Client page

    2. Enter the following field details:

      Field nameDescription
      Client ID*Enter a unique client ID. For example, Library.
      Client ProtocolSelect appropriate protocol and access type as public.
      Root URLSpecify a valid redirect URL. For example, https://Automationedge:{Port}/aeui.

      * indicates mandatory field.

    3. Click Save. The details are saved.

      In the Settings tab, you may keep the default values or change, as required.

    4. Click the Mappers tab. The details page appears.

      Keycloak Client Library

      Keycloak Client Mappers tab

    5. Click Create. The Create Protocol Mapper page appears.

    6. Enter the following details to create claims:

      Field nameDescription
      ProtocolDisplays the protocol you are using. For example, openid-connect.
      NameEnter a name of the claim. For example, uniqueId.
      Mapper TypeSelect the type of mapper from the list. For example, User Attribute.
      User AttributeEnter a name for the user attribute. For example, uniqueId.
      Token Claim NameEnter a token claim name. For example, uniqueId.

    7. Click Save. The mapper details are saved.

    8. Complete creating the following Mappers (Claims) for JWT (Access) token; to be used by Service Provider (in this case AutomationEdge).

      NameUser AttributeToken Claim Name
      uniqueIduniqueIduniqueId
      firstNamefirstNamefirstName
      lastNamelastNamelastName
      emailAddressemailAddressemailAddress
      UsernameUsernameUsername
      orgCodeorgCodeorgCode
    Note

    Create four mappers in the Client.

    Library page

  5. In the left navigation pane:

    1. Click Users -> Users page -> Lookup tab. The details page appears.

    2. Click Add user and enter the following details:

      • First Name
      • Last Name
      • Email
      Note

      To set user credentials, go to the Credentials tab and choose a password; we have used password for the rest of the article. Turn off the Temporary flag unless you want the user to change the password on the first login.

    3. Click Save. The user is created successfully.

      Users

      Keycloak Users list

    4. Click the Attributes tab. The details page appears.

      Attributes

      User Attributes tab

    5. Enter the following details:

      KeyValue
      uniqueId{username}
      firstName{first-name}
      lastName{last name}
      emailAddress{email}
      username{username}
      orgCode{AE tenant org code}
      Note

      It is mandatory to specify actual values for the first three attributes: uniqueId, firstName, and lastName.

  6. In the left navigation pane:

    i. Click Clients, and then click on the Library link. The Clients page appears.

    Client view

    Client view page

    ii. Fetch the Client ID and Valid Redirect URI and then go back to the Realm Settings menu.

    Keycloak General tab

    Keycloak General tab with Realm Settings

    iii. Fetch the Client ID and Valid Redirect URI and then go back to the Realm Settings menu. In the Endpoints field, click OpenID Connect Endpoint Configuration. You can fetch the authorization_endpoint key value and other Endpoints from the Endpoints JSON.

    JSON

    OpenID Connect Endpoints JSON

Note

On AutomationEdge UI, you can now complete configurations under Settings → Single Sign-On; by entering the values or importing the endpoints authorization file.

Create an SSO user in AutomationEdge UI. The username should be the same as the uniqueId of an IDP user.

Logon to AE through the SSO link and you’ll be redirected to sign in through the Keycloak login page.

The user logged in is the same as the uniqueId of the IDP (Keycloak) user.

Last updated on