Users can integrate VMware Telco Cloud Service Assurance Keycloak with an external Identity Provider (IDP) for customer identification (customerId) using the OpenID Connect protocol (OAuth2). Follow the procedure detailed on this KB article to integrate Keycloak with an external Identity Provider using the OpenID Connect protocol.

VMware Telco Cloud Service Assurance 2.3.1

Prerequisites:

•    Access to the Identity Provider: Obtain necessary access credentials and configuration details for the external Identity Provider.
•    Administrative Access: You need administrative access to both the VMware Telco Cloud Service Assurance Keycloak and the external Identity Provider.

Provisioning Authorization Permission to external IdP users in VMware Telco Cloud Service Assurance

Steps for establishing SSL between an external IdP and VMware Telco Cloud Service Assurance Keycloak detailed as follows:
Prerequisite:
•    For SSL work, external IDP must be reachable by using FQDN.
•    Ensure that you have Truststore JKS file.
•    Generate the Truststore cert file through the IdP certificate:
keytool -import -keystore (path to truststore certificate)/truststore.jks -file (path to credentials)/IdP_<IP>.crt -storepass <TRUSTSTORE_PASSWORD> -storetype JKS

Example:
keytool -import -keystore /home/tco/truststore.jks -file /home/tco/idp- 10.198.94.233.crt -storepass password -storetype JKS
(Trust this certificate? [no]: yes Certificate was added to keystore)

•  If the certificates are in pem format, convert into pkcs12 cert format:

Example:
openssl pkcs12 -export -in server.crt.pem -inkey server.key.pem -out server.p12 -name certificate

•    Convert pkcs12 to jks format: 

Example:
keytool -importkeystore -destkeystore truststore.jks -srckeystore server.p12 -srcstoretype PKCS12 -alias certificate

To import the certificate
1.    You need to create the secret from the truststore certificate file.
>  kubectl create secret generic keycloak-ssl-secret --from-file=truststore.jks
2.    Restart the keycloak
> kubectl get pods | awk '/keycloak/{print $1}' | xargs  kubectl delete pod

To update the certificate
1.    Use new truststore file. It replaces the existing truststore certificate file.
> kubectl create secret generic keycloak-ssl-secret --from-file=truststore.jks -- dry-run=client -o yaml | kubectl apply -f -
2.    Restart the Keycloak
> kubectl get pods | awk '/keycloak/{print $1}' | xargs  kubectl delete pod

To delete the certificate
1.    Delete the secret keycloak-ssl-secret
>    kubectl delete secret keycloak-ssl-secret
2.    Restart the keycloak
> kubectl get pods | awk '/keycloak/{print $1}' | xargs  kubectl delete pod

Steps for Integration:

Keep the following details provided by the external IdP for the integration:

•    Client ID
•    Client Secret
•    Authorization Endpoint URL
•    Token Endpoint URL
•    User Info Endpoint URL
•    Logout Endpoint URL
•    Issuer

Add and configure Identity Provider in Keycloak

•    Log in to the VMware Telco Cloud Service Assurance's Keycloak Console https://<tcsa host:port>/auth.
•    Navigate to the NGINX realm in which you want to configure the external IdP.
•    Go to the "Identity Providers" section and click on "Add provider."
•    Select "OpenID Connect" from the list of providers.
•    Provide the following details:
           o    Alias: A unique identifier for the Identity Provider.
           o    Display name: This string will be displayed as a button on the login Screen. Use a friendly name such “Sign-in with IdP”.
           o    Authorization URL: The authorization endpoint URL provided by the IdP.
           o    Token URL: The token endpoint URL provided by the IdP.
           o    User Info URL: The user info endpoint URL provided by the IdP.
           o    Client Authentication: The client authentication method by the IdP.
           o    Client ID: The client ID provided by the IdP.
           o    Client Secret: The client secret provided by the IdP.
           o    Logout URL: The logout endpoint URL provided by the IdP (optional).
           o    Validate Signature: Specify whether to validate the signature of the IdP's responses. 


           o    Save the configuration.
        
Once the configuration is saved, proceed to create an IdP mapper. This mapper is required for mapping the IdP customerId/group information into the user attribute.

•    Synchronization mode: "Force"
•    Mapper type: "Attribute importer"
•    Claim: < the claim which comes in the token > eg: "customerId" (This claim contain the group/customerId information from the IdP)
•    User attribute name: "memberOf" (the memberOf attribute populates with the user and group information)



Provisioning permissions through VMware Telco Cloud Service Assurance Roles

•    Login to VMware Telco Cloud Service Assurance UI as admin user at https://<tcsa host:port>.
•    Click on Administration tab.
•    Click Roles.
•    For the required group or customer in external IdP create an appropriate Role.
•    In the Create Role provide the Role details and Policy assignments as required.
•    For the Group Name option provide the exact group or customer name as in IdP.
•    Click Save.



Login to VMware Telco Cloud Service Assurance UI using the SIGN-IN WITH IDP

You may be redirected to the external Identity Provider's login page for authentication. Login with IdP user. After successful authentication, It would be redirected back to our VMware Telco Cloud Service Assurance application logged in through Keycloak.

Note: Any local user with the same name will get overwritten hence use a different username.



Logged in with user1:



Example IDP data (Ref.) 

Note: Not a part of VMware Telco Cloud Service Assurance

Reference external IdP have user1 exists which belongs to customer1 group which can be identified via user attribute customerId.