Keycloak can be used to broker authentication requests from client applications like VMware Telco Cloud Service Assurance to an Identity Provider like VMware Identity Manager. Using VMware Identity Manager as the common identity provider enables Single Sign-On for client applications like vRealize Operations Manager and VMware Telco Cloud Service Assurance.
Steps:
Step 1: Configure Keycloak as Identity Broker
- Login using keycloak admin credentials to the keycloak UI at https://<ingress-service:port>/auth/.
- Click on "Identity Providers" link under the NGINX realm.
- Select "SAML V2" under the "Add Provider" selection box.
- Input the following fields
- Alias - A unique string
- Display Name - This string is displayed as a button on the login screen. Use a user-friendly name, for example "Sign-in with SSO".
- Under "Import External IDP config" text area
- Import a downloaded file from vIDM here.
- Steps to download Identity Provider file
- Login to VMware Identity Manager as Admin user.
- Navigate to administrator console
- Navigate to Settings sub-menu under Catalog tab.
- Select SAML Metadata.
- Copy the contents behind the "Identity Provider (IdP) metadata" link into a local file, for example "ldp.xml".
- Select the ldp.xml file and import it.
- Verify that the IdP metadata loaded successfully; a success message is displayed.
- Save the configuration.
Step 2: Configure VMware Identity Manager as Identity Provider
- Login to VMware Identity Manager as admin user.
- Navigate to administrator console.
- Select Catalog tab
- Under the Catalog tab, create a new Web application.
- Provide the following fields to the New SaaS application wizard
- Name : A Unique Name
- Configuration:
- Auth Type : SAML 2.0
- Configuration: URL/XML
- Copy and paste the SP metadata from keycloak into the URL/XML text area.
- Steps to get the SP metadata
- Login using keycloak admin credentials to the keycloak UI at https://<ingress-service:port>/auth/
- Under "Identity Providers" select the previously configured Identity Provider (configured in Step 1 above)
- In the "Endpoints" field, right-click the "SAML 2.0 Service Provider Metadata" link and copy its contents to the clipboard or a file.
- Under Application Parameters click on Advanced and add Custom Attribute mapping.
- Name = groupName
- Value = ${groupNames}
- Complete the remaining wizard steps with defaults and click "save and assign"
- Here, select the vIDM users who need access to VMware Telco Cloud Service Assurance.
- Add the required users and click save.
Step 3: Configure First Login Flow
- Login using keycloak admin credentials to the keycloak UI at https://<ingress-service:port>/auth/
- Click the Authentication link under the NGINX realm and select the Flows tab.
- Under "flow" tab select "First Broker Login".
- Set "Review Profile" option to disabled.
Step 4: Creating Identity Provider Mapper in Keycloak
- Login using keycloak admin credentials to the keycloak UI at https://<ingress-service:port>/auth/
- Navigate to the provisioned Identity Provider instance (eg:"Sign-in with SSO") under the Identity providers link in NGINX realm.
- Click Edit option and select the Mappers tab.
- Click Create to provision a new mapper.
- Enter the following details:
- Name: a unique name for the mapper
- Sync Mode Override: force
- Mapper Type: Attribute Importer
- Attribute Name: groupName
- User Attribute Name: vIDMgroups
- Click save.
Step 5: Creating Protocol Mappers in Keycloak Clients
The following steps need to be done for all clients in keycloak such as operation-ui, nginx, grafana and kibana.
- Login using keycloak admin credentials to the keycloak UI at https://<ingress-service:port>/auth/
- Click the Clients link on the navigation panel under the NGINX realm.
- Edit the required client (eg: operation-ui)
- Click on the Mappers tab.
- Click Create button to add a new protocol mapper.
- Enter the following details
- Name : A unique name
- Mapper Type: User Attribute.
- User Attribute : vIDMgroups
- Token Claim Name : ldapgroups
- Claim type: String
- Add To ID token: ON
- Add to access token : ON
- Add to userInfo: ON
- Multivalued: ON
- Click save.
- Repeat these steps for the additional clients, eg. operation-ui, nginx, grafana and kibana.
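Steps 4 and 5 are pure configuration, and Step 5 has to be repeated for every client, so it is easy to end up with one client whose mapper is missing "Multivalued" or "Add to access token" and a group check that silently fails for that application. The script below is an added example, not code from the VMware documentation: it builds the same two mappers as Keycloak Admin REST representations, audits an existing client mapper against the Step 5 settings, and can push the client mapper to all four clients in one pass. The mapper type identifiers (saml-user-attribute-idp-mapper, oidc-usermodel-attribute-mapper), config keys and REST paths are Keycloak's own; the base URL is the page's placeholder, the realm NGINX and client names are from the page, and the admin bearer token is assumed to have been obtained separately (for example from the master realm with admin-cli).

```python
"""Build, audit and apply the Step 4 / Step 5 Keycloak mappers via the Admin REST API.

Added example; not part of the VMware documentation. Network calls need a real
Keycloak and an admin token; the build/audit functions run offline.
"""
import json
import urllib.request

KEYCLOAK_BASE = "https://<ingress-service:port>/auth"   # placeholder from the page
REALM = "NGINX"                                          # realm named on the page
CLIENTS = ["operation-ui", "nginx", "grafana", "kibana"]  # clients listed in Step 5


def idp_attribute_importer(idp_alias, name="vidm-group-importer"):
    """Step 4: SAML Attribute Importer on the vIDM identity provider."""
    return {
        "name": name,
        "identityProviderAlias": idp_alias,
        "identityProviderMapper": "saml-user-attribute-idp-mapper",
        "config": {
            "syncMode": "FORCE",            # Sync Mode Override: force
            "attribute.name": "groupName",  # SAML attribute sent by vIDM
            "user.attribute": "vIDMgroups", # Keycloak user attribute it lands in
        },
    }


def client_group_claim_mapper(name="vidm-groups-to-ldapgroups"):
    """Step 5: User Attribute protocol mapper; Keycloak stores booleans as strings."""
    return {
        "name": name,
        "protocol": "openid-connect",
        "protocolMapper": "oidc-usermodel-attribute-mapper",
        "consentRequired": False,
        "config": {
            "user.attribute": "vIDMgroups",
            "claim.name": "ldapgroups",
            "jsonType.label": "String",
            "id.token.claim": "true",
            "access.token.claim": "true",
            "userinfo.token.claim": "true",
            "multivalued": "true",
        },
    }


def audit_client_mapper(mapper):
    """Return the settings that deviate from Step 5; an empty list means compliant."""
    problems = []
    if mapper.get("protocolMapper") != "oidc-usermodel-attribute-mapper":
        problems.append("protocolMapper")
    cfg = mapper.get("config", {})
    for key, expected in client_group_claim_mapper()["config"].items():
        if cfg.get(key) != expected:
            problems.append(key)
    return problems


def admin_request(token, method, path, body=None):
    """Call the Admin REST API under the NGINX realm; returns (status, body_bytes)."""
    data = None if body is None else json.dumps(body).encode("utf-8")
    req = urllib.request.Request(
        KEYCLOAK_BASE + "/admin/realms/" + REALM + path,
        data=data, method=method,
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.getcode(), resp.read()


def apply_idp_mapper(token, idp_alias):
    """Step 4 over REST: create the attribute importer on the given IdP alias."""
    return admin_request(token, "POST",
                         "/identity-provider/instances/%s/mappers" % idp_alias,
                         idp_attribute_importer(idp_alias))


def apply_client_mapper_to_all(token):
    """Step 5 over REST for every client; clients not found are reported, not skipped silently."""
    _, body = admin_request(token, "GET", "/clients")
    internal_id = {c["clientId"]: c["id"] for c in json.loads(body)}
    results = {}
    for client_id in CLIENTS:
        if client_id not in internal_id:
            results[client_id] = "missing"
            continue
        status, _ = admin_request(token, "POST",
                                  "/clients/%s/protocol-mappers/models" % internal_id[client_id],
                                  client_group_claim_mapper())
        results[client_id] = status
    return results


if __name__ == "__main__":
    # Offline check of the representations that would be sent.
    print(json.dumps(idp_attribute_importer("vidm"), indent=2))
    print(audit_client_mapper(client_group_claim_mapper()))
```

To audit an existing deployment rather than create mappers, fetch each client's mappers with a GET on the same /protocol-mappers/models path and pass each one through audit_client_mapper; a non-empty result for a client names exactly which Step 5 switch was left off.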