Setting Up the HYPR Keycloak Authenticator

Enabling the HYPR Authenticator

Start by accessing the administrative console of your Keycloak deployment. The HYPR Authenticator for Keycloak will need to be enabled in every Keycloak Realm it is intended to be used with. In this document we will use the Example Realm in the screenshot examples.

From the administration console, select Authentication from the navigation tree.


From the Authentication settings, select the New option on the right.


This will initiate the process of creating a new authentication flow within Keycloak.

Add an Alias for this authentication flow. This is a value used to identify the new configuration and will be displayed as the option for the HYPR Authenticator in Keycloak Clients. In the example HYPRAuthenticator is used.

In the Top Level Flow Type leave it set as generic.



Make sure that the "Alias" field is set to "HYPR" (all upper case HYPR).

Select Save to continue.


Now that this authentication flow has been created select Add execution on the right.


From the Provider drop-down selection, choose HYPR Authenticator.

Select Save to continue.


Now that the HYPR Authenticator execution has been added, select the radio button for REQUIRED.

From the Actions drop down on the right select Config to continue.


This will provide you the configuration settings to point the HYPR Authenticator to your deployment of HYPR. Fill in these fields as described in the following table. When you are finished select Save to complete the configuration of the HYPR Authenticator.

AliasName of the Configuration.This value is an alias for reference within Keycloak. This can be set to any string value.
Cookie UsernameMax age in seconds of the username.3000
HYPR Relying Party App IDThe application ID of the application created within your HYPR Control Center.webApp
HYPR RP App Auth TokenThe access token from your HYPR Control Center for the Relying Party App above.this is a secret value
HYPR Relying Party URLThe base URL of your HYPR Server deployment.
HYPR License URLThis is the URL of the HYPR licensing service. If you are using the HYPR Application on the Application Store it must be set to:
HYPR License EnabledIf you are using the HYPR Application on the Application Store this must be marked ON.

This can be marked OFF if there was a custom SDK deployment.
Authenticator Logo URLThis is a URL to a PNG of your company's logo. This will further brand the experience for end users when performing authentication.


Important note!

Make sure that the "Alias" field is set to "HYPR" (all upper case HYPR).


Applying the HYPR Authenticator Flow to a Client

With the HYPR Authenticator configured, we are ready to apply this to our federated clients within Keycloak.

Start by selecting Clients in the left navigation tree.


This will display each client configured for this Keycloak realm. Select the client which needs to use HYPR for authentication.


Scroll to the bottom of the Client settings, and open the drop-down for Authentication Flow Overrides.

From the Browser Flow drop-down setting, select the alias for the HYPR Authenticator Flow previously created.

Select Save to apply these settings. This client will now use the HYPR Authenticator for authentication.