Keycloak Authentication

01 Dec 2023 - sj, tags: archiving, insights, news, product

Keycloak is an open source Identity and Access Management (IAM) solution supports single sign-on (SSO) and much more. In this article we’ll setup piler to authenticate against Keycloak using SSO.

Prerequisites

You have a working Keycloak deployment, and piler enterprise is also installed. in this example we’ll use https://keycloak.example.com and https://archive.example.com for Keycloak and piler URLs respectively.

Create a new realm

The realm name may be “piler” or similar

Create a new client for piler

Client type: OpenID Connect

Client ID: piler

Fill the Name and Description fields according to your needs

Then select the “Client authentication”

Make sure that at the Authentication flow “Standard flow” and “Direct access” are set

Fill the URI fields:

  • redirect URIs: https://archive.example.com/callback-keycloak
  • logout redirect URIs: https://archive.example.com/logout
  • Web origins: https://archive.example.com

Get the client secret

Click on the credentials tab, and copy the client secret value

Create realm roles

Piler is able to recognize the roles you may attach to the Keycloak users or groups.

Create the following roles for piler:

  • piler-admin
  • piler-auditor
  • piler-dataofficer
  • piler-user

By default all Keycloak users are regular users in piler. In the below example we create a Keycloak group, and assign the piler-admin realm role.

Create a new group, called piler-admin

Select the piler-admin role that you created before

Verify that the role has been assigned to group

Enable Keycloak SSO in piler config

The final step is enabling Keycloak SSO. Edit /etc/piler/config-site/php, and set the following:

$config['ENABLE_KEYCLOAK'] = 1;
$config['KEYCLOAK_SERVER'] = 'https://keycloak.example.com';
$config['KEYCLOAK_REALM'] = 'piler';
$config['KEYCLOAK_CLIENT_ID'] = 'piler';
$config['KEYCLOAK_CLIENT_SECRET'] = 'xxxxxxxxxxxxxxxxxxxxxxxx';

Login to the archive

Navigate to the archive, https://archive.example.com, click on the keycloak link under the login form.

You are redirected to the keycloak server, type your credentials.

When successful, you are redirected back to the archive.

Contact

Contact Us