Deploying Keycloak IdP and FusionAuth (OIDC)
Introduction
This guide shows how to configure Keycloak as an Identity Provider (IdP) with FusionAuth.
To begin, please ensure you have administrative access to both your Keycloak and FusionAuth environments. The following high-level milestones will be reached through the course of our deployment.
Overall Objectives:
- Configure the FusionAuth Client (SP) within Keycloak
- Configure Keycloak as an Identity Provider (IdP) within FusionAuth
Create an OIDC Client in the Keycloak Console:
Start by accessing the administrative console for your Keycloak environment. It is important to note that a Keycloak deployment is divided into "realms". Each realm has its own Federation / OIDC configuration. Select the realm of your choice for this integration.
- Once you have accessed the Keycloak realm of your choice, you will need to do two things. First, take note of the realm name as listed in the Name setting; in the example it is kevtur. This is a case-sensitive value. Second, click on the Clients section of the navigation bar.
It is critical to keep in mind that the realm name is case-sensitive and must be taken from the Name setting as shown in the screenshot above. This value will be used in multiple URLs and is case-sensitive in those URLs too.
- Type in the Client ID that you want, make sure the openid-connect option is selected, and then click Save.
- Set the "Access Type" to "Confidential".
- Scroll down a bit and set the "Valid Redirect URIs" value to "*".
- Scroll down a bit further and click "Save".
- Once saved, scroll back to the top of the page and select "Installation".
- Then choose the "Keycloak OIDC JSON" option.
- The following will be displayed; it is used later in the FusionAuth configuration.
- Finally, before you leave the client definition page, make sure you enable the "HYPR" authentication options:
Now log into your FusionAuth server to create the Keycloak IdP data:
- From the FusionAuth Management Console, select "Settings" then "Identity Providers".
- From the top right, click the "+" sign.
- From the popup window, select the "OpenID Connect" option.
- Fill in the values for the "Name", "Client ID", "Client Secret" (from the Keycloak OIDC JSON in step 8) and the "Issuer". Change the "Button Text" to something you would like to see on the login screen when accessing FusionAuth:
- Then scroll down to the bottom of the form and 1) add "email openid profile" as three words separated by spaces, 2) toggle the "FusionAuth" app to on and 3) click "Save".
- Now when you try to log into, say, your FusionAuth Administration Console, you will see the following login screen:
- Select "OpenID Connect (With HYPR)" and you will be sent on to the following login page. Type in your email address or user ID and select "Continue".
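To make the mapping between the "Keycloak OIDC JSON" export and the FusionAuth form explicit, here is an added Python example; it is not part of this guide or of either product's code. It assumes the export uses the standard Keycloak adapter keys (realm, auth-server-url, resource, credentials.secret), that the FusionAuth "Issuer" is the realm URL, and that an export pointing at a non-HTTPS server or a non-confidential client should be refused rather than federated.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of the "Keycloak OIDC JSON" installation export. Host and
# secret are placeholders; the realm name matches the guide's example (kevtur).
KEYCLOAK_OIDC_JSON = """{
  "realm": "kevtur",
  "auth-server-url": "https://keycloak.example.com/auth/",
  "ssl-required": "external",
  "resource": "fusionauth",
  "credentials": { "secret": "REPLACE-WITH-CLIENT-SECRET" },
  "confidential-port": 0
}"""

SCOPE = "email openid profile"  # the three scopes the FusionAuth form asks for


def derive_fusionauth_idp(installation_json, button_text="OpenID Connect (With HYPR)"):
    """Map a Keycloak OIDC JSON export onto the fields of the FusionAuth
    OpenID Connect identity-provider form. Raises ValueError when the export
    describes a client that should not be federated as-is."""
    cfg = json.loads(installation_json)
    base = cfg["auth-server-url"].rstrip("/")
    # The realm is copied verbatim: it is case-sensitive in every URL built from it.
    realm = cfg["realm"]
    if urlsplit(base).scheme != "https":
        raise ValueError("auth-server-url must be https: the client secret and tokens travel over it")
    if cfg.get("ssl-required") == "none":
        raise ValueError("ssl-required is 'none': the realm would accept plain-HTTP logins")
    secret = cfg.get("credentials", {}).get("secret")
    if not secret:
        raise ValueError("no client secret in export: set the client's Access Type to Confidential")
    issuer = f"{base}/realms/{realm}"  # works with and without the legacy /auth prefix
    return {
        "Name": f"Keycloak ({realm})",
        "Client ID": cfg["resource"],
        "Client Secret": secret,
        "Issuer": issuer,
        "Discovery URL": f"{issuer}/.well-known/openid-configuration",
        "Scope": SCOPE,
        "Button Text": button_text,
    }


if __name__ == "__main__":
    for field, value in derive_fusionauth_idp(KEYCLOAK_OIDC_JSON).items():
        shown = "<redacted>" if field == "Client Secret" else value
        print(f"{field:14}: {shown}")
```

The export does not carry the client's redirect URIs, so the wildcard "*" entered in Keycloak is not checked here; narrow it to FusionAuth's actual callback URL before the integration goes into production.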
Updated 5 months ago