Setting Up the HYPR Keycloak Authenticator

Enabling the HYPR Authenticator

Start by accessing the administrative console of your Keycloak deployment. The HYPR Authenticator for Keycloak will need to be enabled in every Keycloak Realm it is intended to be used with. In this document we will use the Example Realm in the screenshot examples.

From the administration console, select Authentication from the navigation tree.

From the Authentication settings, select the New option on the right.

This will initiate the process of creating a new authentication flow within Keycloak.

Add an Alias for this authentication flow. This value identifies the new configuration and is displayed as the option for the HYPR Authenticator in Keycloak Clients. In the example, HYPRAuthenticator is used.

Leave Top Level Flow Type set to generic.

Important: Make sure that the "Alias" field is set to "HYPR" (all upper case HYPR).

Select Save to continue.

Now that this authentication flow has been created, select Add execution on the right.

From the Provider drop-down selection, choose HYPR Authenticator.

Select Save to continue.

Now that the HYPR Authenticator execution has been added, select the radio button for REQUIRED.

From the Actions drop-down on the right, select Config to continue.

This opens the configuration settings that point the HYPR Authenticator to your deployment of HYPR. Fill in these fields as described in the following table. When you are finished, select Save to complete the configuration of the HYPR Authenticator.

| Setting | Description | Example |
| --- | --- | --- |
| Alias | Name of the Configuration. | This value is an alias for reference within Keycloak. This can be set to any string value. |
| Cookie Username | Max age in seconds of the username. | 3000 |
| HYPR Relying Party App ID | The application ID of the application created within your HYPR Control Center. | webApp |
| HYPR RP App Auth Token | The access token from your HYPR Control Center for the Relying Party App above. | this is a secret value |
| HYPR Relying Party URL | The base URL of your HYPR Server deployment. | https://example.gethypr.com |
| HYPR License URL | This is the URL of the HYPR licensing service. If you are using the HYPR Application on the Application Store it must be set to: https://licensing.hypr.com | https://licensing.hypr.com |
| HYPR License Enabled | If you are using the HYPR Application on the Application Store this must be marked ON. | This can be marked OFF if there was a custom SDK deployment. |
| Authenticator Logo URL | This is a URL to a PNG of your company's logo. This will further brand the experience for end users when performing authentication. | |

Important: Make sure that the "Alias" field is set to "HYPR" (all upper case HYPR).

Applying the HYPR Authenticator Flow to a Client

With the HYPR Authenticator configured, we are ready to apply this to our federated clients within Keycloak.

Start by selecting Clients in the left navigation tree.

This will display each client configured for this Keycloak realm. Select the client which needs to use HYPR for authentication.

Scroll to the bottom of the Client settings, and open the drop-down for Authentication Flow Overrides.

From the Browser Flow drop-down setting, select the alias for the HYPR Authenticator Flow previously created.

Select Save to apply these settings. This client will now use the HYPR Authenticator for authentication.
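To confirm the steps above took effect, the following added example (not part of the HYPR or Keycloak documentation) audits a realm export for the flow alias, the REQUIRED execution, and the client's Browser Flow override. It assumes the standard realm export JSON layout; the provider id `hypr-authenticator`, the config key `rpUrl`, and the client names are placeholders constructed for the sample.

```python
import json

# Constructed sample shaped like a Keycloak realm export (not from a real deployment).
# "hypr-authenticator" and "rpUrl" are placeholders; read the real names from your export.
SAMPLE_REALM = json.loads("""{
  "authenticationFlows": [{"id": "f-1", "alias": "HYPR", "topLevel": true,
    "authenticationExecutions": [{"authenticator": "hypr-authenticator",
      "authenticatorConfig": "hypr-config", "requirement": "REQUIRED"}]}],
  "authenticatorConfig": [{"alias": "hypr-config",
    "config": {"rpUrl": "https://example.gethypr.com"}}],
  "clients": [
    {"clientId": "portal", "authenticationFlowBindingOverrides": {"browser": "f-1"}},
    {"clientId": "legacy", "authenticationFlowBindingOverrides": {}}]
}""")


def audit_flow(realm, flow_alias, provider_id, client_ids):
    """Return a list of findings; an empty list means every check passed."""
    flow = next((f for f in realm.get("authenticationFlows", [])
                 if f.get("alias") == flow_alias), None)  # exact, case-sensitive comparison
    if flow is None:
        return [f"flow '{flow_alias}' not found"]
    findings = []
    execs = [e for e in flow.get("authenticationExecutions", [])
             if e.get("authenticator") == provider_id]
    if not execs:
        findings.append(f"flow '{flow_alias}' has no '{provider_id}' execution")
    configs = {c.get("alias"): c.get("config", {})
               for c in realm.get("authenticatorConfig", [])}
    for e in execs:
        if e.get("requirement") != "REQUIRED":  # ALTERNATIVE or DISABLED can be skipped
            findings.append(f"execution is {e.get('requirement')}, not REQUIRED")
        for key, value in configs.get(e.get("authenticatorConfig"), {}).items():
            if str(value).lower().startswith("http://"):
                findings.append(f"config '{key}' uses plain HTTP")
    clients = {c.get("clientId"): c for c in realm.get("clients", [])}
    for cid in client_ids:
        if cid not in clients:
            findings.append(f"client '{cid}' not found")
            continue
        bound = clients[cid].get("authenticationFlowBindingOverrides", {}).get("browser")
        if bound != flow.get("id"):  # overrides reference the flow by id, not alias
            findings.append(f"client '{cid}' browser flow is not bound to '{flow_alias}'")
    return findings


if __name__ == "__main__":
    for finding in audit_flow(SAMPLE_REALM, "HYPR", "hypr-authenticator", ["portal", "legacy"]):
        print(finding)
```

Run it against your own export by loading the file with `json.load` and passing the client IDs that are expected to use HYPR.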