Deploying Keycloak IdP and FusionAuth (OIDC)

IdP and SP Management

This guide will show how to configure Keycloak as an Identity Provider (IdP) with FusionAuth.

Ensure you have administrative access to both your Keycloak and Okta environments. The following high-level milestones will be reached through the course of our deployment.

  1. Configure the FusionAuth client (service provider) within Keycloak.

  2. Configure Keycloak as an Identity Provider within FusionAuth.

Create an OIDC Client in the Keycloak Console

  1. Access the administrative console for your Keycloak environment. It is important to note that within your Keycloak deployment there are Realms. Each Realm will have a unique Federation / OIDC configuration.

  2. Select the Realm of your choice for this integration.

  3. Make a note of the Realm Name setting; in the example it is kevtur. This is a case-sensitive value.

  4. click Clients on the left navigation bar.

1184 1183
  1. Type the name you want for the Client ID, making sure the openid-connect option is selected. Click Save.
  1. Set the Access Type to Confidential.

  2. Scroll down a little and insert the value of the Valid Redirect URI’s to *.

  1. Scroll down a little further and click Save.

  2. Once saved, scroll back to the top of the page and select the Installation tab.

  1. Choose the Format Option of Keycloak OIDC JSON.
  1. The following displays. Save the contents in a text file; the values for auth-server-url, resource, and secret will be used with the FusionAuth configuration.
  1. Under Authentication Flow Overrides select HYPR for both the Browser Flow and Direct Grant Flow options:

Login to the FusionAuth Server to Create the Keycloak IDP Data

  1. Open the FusionAuth Management Console.
  2. Select Settings -> Identity Providers.
  1. In the upper right, click the + sign.
  1. From the popup window select the OpenID Connect option.
  1. Fill in the values from step 10, above, for the Name (resource), Client ID (resource), Client Secret (secret), and the Issuer (auth-connect-url) and change the Button Text to something that you would like to see on the login screen when accessing FusionAuth.
  1. Scroll to the bottom of the form and complete the following:
  • Set the Scope to email openid profile as three words separated by spaces
  • Toggle the “FusionAuth” app to on
  • Click Save in the upper right
  1. Now when you try to login to the FusionAuth Administration Console, you will see the following login screen:
  1. Select OpenID Connect (With HYPR) and you will be sent to the following login page. Type your email address or userID and select Continue.