Configuring KeyCloak as Identity Provider for UIM, UTIA, and Message Bus (2024)

This chapter describes how to configure KeyCloak as an Identity Provider for UIM, UTIA, and Message Bus.

For more information on UTIA and Message Bus, see Unified Inventory and Topology Deployment Guide.

Prerequisites for Configuring KeyCloak

The following prerequisites are required for configuring KeyCloak:

  • Install KeyCloak.
  • Download all artifacts required to deploy UIM, UTIA, and Message Bus.

Creating a New Realm

To create a new realm:

  1. Provide a name for the realm. For example, IdentityGuard.
  2. Turn on Enabled.
  3. Click Create.

    A new realm is created.

Downloading the Identity Provider Metadata File

To download the Identity Provider metadata file:

  1. Switch to the realm you created.
  2. Go to Realm Settings.
  3. Click SAML 2.0 Identity Provider Metadata.
  4. Save the file at a desired location.

Creating a UIM Cloud Native Instance

Follow the instructions mentioned in the “Configuring SSO using SAML 2.0 for UIM CN” section from UIM Cloud Native Deployment Guide.

Create a UIM cloud native instance as follows:

  1. Build the UIM CN images using the IdP metadata file downloaded above.
  2. Create the UIM CN instance. You can provide a SAML entityId of your choice; the same value is used by the KeyCloak SAML client. For example: samlUIM.
  3. Publish the UIM CN metadata file, because KeyCloak supports creating a SAML client from a Service Provider (SP) metadata file.

For more information on creating a UIM cloud native instance, see UIM Cloud Native Deployment Guide.

Creating a SAML Client for UIM

To create a SAML client for UIM:

  1. Log in to KeyCloak and switch to your realm.
  2. Click on the Clients tab.
  3. Choose the import client option and add UIMCNMetadata.xml (the SP metadata file) as the resource file.
  4. The Client ID is populated automatically from the SP metadata file. It is the same value as provided in the project.yaml of the UIM CNTK.
  5. Turn off the Client signature required flag.
  6. Click Save and verify the client configuration.
  7. If SSL is enabled, add the UIM certificates to the JAVA_HOME of KeyCloak.

Creating a SAML Client Role

To create a SAML client role:

  1. Log in to KeyCloak and switch to your realm.
  2. Click on the Clients tab.
  3. Click on the client you have created above.
  4. Click Roles.
  5. Create a role with the name uim-users.

Adding Role Mapper in SAML Client Scope

To add role mapper in SAML client scope:

  1. Log in to KeyCloak and switch to your realm.
  2. Click on the Clients tab.
  3. Click on the client you have created above.
  4. Click Client Scopes.
  5. Under the Mappers tab of the <clientId>-dedicated scope, click Add Mapper and add the Role list mapper.
  6. Provide Groups as the Role attribute name.
  7. Enable Single Role Attribute.
  8. Under the Scope tab, enable Full scope allowed.
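As an added example (not from this guide and not Oracle's or KeyCloak's code), the following Python reads the Groups attribute that the role list mapper configured above places in the SAML assertion and checks whether the uim-users role is present. The assertion XML is constructed and the KeyCloak hostname is assumed; the realm name IdentityGuard, the attribute name Groups and the role uim-users come from this page. It handles both shapes the mapper can produce: one Attribute with several AttributeValues (Single Role Attribute enabled) and one Attribute per role (Single Role Attribute disabled). The check belongs after the SP has verified the response signature; it does not verify signatures itself.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def _assertion(statement: str) -> str:
    # Wrap a constructed AttributeStatement in a minimal assertion envelope.
    # Issuer hostname is an assumption; the realm name comes from this page.
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        "<saml:Issuer>https://keycloak.example.test/realms/IdentityGuard</saml:Issuer>"
        "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>"
        + statement +
        "</saml:Assertion>"
    )


# Single Role Attribute enabled: all roles in one Attribute named Groups.
SINGLE_ATTRIBUTE_ASSERTION = _assertion(
    '<saml:AttributeStatement><saml:Attribute Name="Groups">'
    "<saml:AttributeValue>uim-users</saml:AttributeValue>"
    "<saml:AttributeValue>uim-readonly</saml:AttributeValue>"  # constructed second role
    "</saml:Attribute></saml:AttributeStatement>"
)

# Single Role Attribute disabled: one Attribute named Groups per role.
PER_ROLE_ATTRIBUTE_ASSERTION = _assertion(
    "<saml:AttributeStatement>"
    '<saml:Attribute Name="Groups"><saml:AttributeValue>uim-users</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="Groups"><saml:AttributeValue>uim-readonly</saml:AttributeValue></saml:Attribute>'
    "</saml:AttributeStatement>"
)

# No role mapper configured: no AttributeStatement at all.
NO_ROLES_ASSERTION = _assertion("")


def extract_roles(assertion_xml: str, attribute_name: str = "Groups") -> list:
    """Return every role value carried by Attribute elements named attribute_name,
    in document order, whether they sit in one Attribute or in several."""
    root = ET.fromstring(assertion_xml)
    roles = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            text = (value.text or "").strip()
            if text:
                roles.append(text)
    return roles


def has_required_role(assertion_xml: str, required_role: str = "uim-users",
                      attribute_name: str = "Groups") -> bool:
    """True only if the assertion explicitly grants required_role; a missing
    AttributeStatement or a differently named attribute yields False."""
    return required_role in extract_roles(assertion_xml, attribute_name)


if __name__ == "__main__":
    print(extract_roles(SINGLE_ATTRIBUTE_ASSERTION))      # ['uim-users', 'uim-readonly']
    print(has_required_role(NO_ROLES_ASSERTION))          # False
```

If the service provider expects the role in a differently named attribute, the attribute_name argument must match the Role attribute name you typed in step 6, or no role is found and access is correctly refused.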

Adding Users and Mapping the Users to the SAML Client Role

To add users and map them to the SAML client role:

  1. Log in to KeyCloak and switch to your realm.
  2. Click on the Users tab.
  3. Click Add User to create users in KeyCloak.
  4. Add UIM Embedded LDAP and External LDAP users.
  5. Map the users to the SAML client role as follows:
    1. Click on the user you created, under the Users tab.
    2. Click Role Mapping and then Assign Role.
    3. Switch to filter by clients and search for the uim-users role.
    4. Select the uim-users role and click Assign.

Creating OAUTH Client for UTIA and Message Bus

To create OAUTH client for UTIA and Message Bus:

  1. Log in to KeyCloak and switch to your realm.
  2. Click on the Clients tab.
  3. Click Create Client.
  4. Choose client type as OpenID Connect.
  5. Provide client id of your choice. For example: topologyOauthClient.
  6. Click Next.
  7. Enable Client authentication and select Standard flow, Direct access grants, and Service accounts roles.
  8. Click Next.
  9. Add the following Valid redirect URIs:
    • https://<unified-topology-hostname>:<loadbalancer-port>/topology
    • https://<unified-topology-hostname>:<loadbalancer-port>/redirect/unified-topology-ui
  10. Add https://<topology-hostname>:<loadbalancer-port>/apps/unified-topology-ui as Valid post logout redirect URIs.
  11. Click Save and verify the client configuration.

Configuring the Client Scope and Audience

To configure the client scope and audience:

  1. Log in to KeyCloak and switch to your realm.
  2. Click Client Scopes.
  3. Click Create Client Scope.
  4. Provide the name as utiaScope.
  5. Enter the protocol as OpenID Connect.
  6. Enable Include in token scope.
  7. Click Save.
  8. Go to Mappers and then configure a New Mapper.
  9. Choose the Mapper type as Audience.
  10. Provide a Name and Included Custom Audience as utiaAudience.
  11. Enable Add to access token.
  12. Click Save.

Adding Scope to the Client

To add scope to the client:

  1. Log in to KeyCloak and switch to your realm.
  2. Click on the Clients tab.
  3. Click on your OIDC client. For example: topologyOauthClient.
  4. Click on the Client Scope tab.
  5. Choose the scope created above (utiaScope) by clicking Add Client Scope.
  6. Click Save.

Getting OpenID Endpoint Configurations

To get OpenID endpoint configurations:

  1. Log in to KeyCloak and switch to your realm.
  2. Click on the realm settings.
  3. Click OpenID Endpoint Configuration.

    The OpenID endpoint configurations appear.
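The OpenID Endpoint Configuration link returns a JSON discovery document whose values are copied into the UTIA and Message Bus configuration later in this chapter. The following Python, added here as an example and not part of this guide, Oracle's code, or KeyCloak, loads a constructed copy of such a document for the IdentityGuard realm (the hostname keycloak.example.test is assumed) and sanity-checks it before the values are reused: the expected keys are present, every endpoint uses https, and every endpoint lives under the realm issuer.

```python
import json
from urllib.parse import urlparse

# Constructed sample of a realm discovery document in the shape KeyCloak serves.
# The hostname is an assumption; the realm name IdentityGuard comes from this page.
# Only a subset of the keys of a real document is shown.
_REALM = "https://keycloak.example.test/realms/IdentityGuard"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": _REALM,
    "authorization_endpoint": _REALM + "/protocol/openid-connect/auth",
    "token_endpoint": _REALM + "/protocol/openid-connect/token",
    "userinfo_endpoint": _REALM + "/protocol/openid-connect/userinfo",
    "end_session_endpoint": _REALM + "/protocol/openid-connect/logout",
    "jwks_uri": _REALM + "/protocol/openid-connect/certs",
})

# Keys the UTIA / Message Bus configuration needs to copy.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint",
                 "end_session_endpoint", "jwks_uri")


def load_discovery(raw: str) -> dict:
    """Parse the discovery document text into a dict."""
    return json.loads(raw)


def check_discovery(doc: dict) -> list:
    """Return a list of problems; an empty list means the document is usable."""
    problems = [f"missing {key}" for key in REQUIRED_KEYS if key not in doc]
    issuer = urlparse(doc.get("issuer", ""))
    if issuer.scheme != "https":
        problems.append("issuer is not https")
    for key, url in doc.items():
        if not (key.endswith("_endpoint") or key == "jwks_uri"):
            continue
        u = urlparse(url)
        if u.scheme != "https":
            problems.append(f"{key} is not https")
        # Every endpoint must share the issuer's scheme and host and sit below its path.
        same_origin = (u.scheme, u.netloc) == (issuer.scheme, issuer.netloc)
        if not same_origin or not u.path.startswith(issuer.path.rstrip("/") + "/"):
            problems.append(f"{key} is outside the realm issuer")
    return problems


def realm_endpoints(doc: dict) -> dict:
    """The subset of the document that gets copied into the UTIA configuration."""
    return {key: doc[key] for key in REQUIRED_KEYS if key in doc}


if __name__ == "__main__":
    doc = load_discovery(SAMPLE_DISCOVERY)
    print(check_discovery(doc))   # []
    print(realm_endpoints(doc)["token_endpoint"])
```

The issuer value is the one a token consumer later compares against the iss claim of access tokens from this realm, so keeping it verbatim (scheme, host, port and path) matters.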

Configuring Message Bus and UTIA with OAUTH Client

To configure Message Bus and UTIA with OAUTH client:

  1. Create the oauthConfig secret.

    Note:

    See the Enabling Authentication for UTIA and Message Bus section from Unified Inventory and Topology Deployment Guide for more information.

  2. Create aapUIUser secret and aapUser Secret for topology UI and API.

    Note:

    See the Creating Secrets for Authentication on Unified Topology UI and Creating Secrets for Authentication on Unified Topology API sections in Unified Inventory and Topology Deployment Guide for more information.

  3. Add openid as an additional base scope in the topology-ui-user-credentials.yaml and topology-user-credentials.yaml files. For example, the base scope must be as follows:
    base-scope: "utiaScope openid"
  4. Use the client ID and client secret of topologyOauthClient for the above steps and for all endpoint URLs.

    Note:

    See Getting OpenID Endpoint Configurations for more information.
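Once UTIA and Message Bus request tokens with the base scope "utiaScope openid" from topologyOauthClient, the access tokens should carry the audience added by the Audience mapper (utiaAudience) and the requested scopes. The following Python is an added example, not part of this guide, Oracle's code, or KeyCloak: it decodes the claims of an access token and checks issuer, audience, scope, expiry and the authorized party against the values configured in this chapter. The issuer hostname is assumed; the realm, client ID, scope and audience names are the ones used on this page. The sample token is constructed with a placeholder signature because the check is meant to run after signature verification against the realm's jwks_uri, not instead of it.

```python
import base64
import json
import time


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS. Only trust the result once the
    signature has been verified with the keys from the realm's jwks_uri."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def check_utia_claims(claims: dict, expected_issuer: str,
                      expected_audience: str = "utiaAudience",
                      required_scopes=("utiaScope", "openid"),
                      client_id: str = "topologyOauthClient",
                      now: float = None) -> list:
    """Return the names of the claims that fail; an empty list means accept."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append("iss")
    aud = claims.get("aud", [])            # KeyCloak emits a string or a list here
    if isinstance(aud, str):
        aud = [aud]
    if expected_audience not in aud:
        problems.append("aud")
    granted = set(claims.get("scope", "").split())   # space-separated scope string
    if not set(required_scopes) <= granted:
        problems.append("scope")
    if claims.get("exp", 0) <= now:
        problems.append("exp")
    if "azp" in claims and claims["azp"] != client_id:
        problems.append("azp")
    return problems


def make_sample_token(claims: dict) -> str:
    # Constructed test token: header and payload are real base64url JSON; the
    # signature segment is a placeholder because signing is outside this check.
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "constructed"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url_encode(b'placeholder-signature')}"


# Assumed hostname; the realm name IdentityGuard comes from this page.
ISSUER = "https://keycloak.example.test/realms/IdentityGuard"

# Constructed claims in the shape of a KeyCloak access token for topologyOauthClient.
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "aud": ["utiaAudience"],
    "azp": "topologyOauthClient",
    "scope": "utiaScope openid profile",
    "exp": 1_900_000_000,
    "typ": "Bearer",
}


if __name__ == "__main__":
    token = make_sample_token(SAMPLE_CLAIMS)
    print(check_utia_claims(decode_claims(token), ISSUER, now=1_700_000_000))  # []
```

An empty list confirms that the Audience mapper (utiaAudience), the client scope (utiaScope) and the base scope ("utiaScope openid") are all reaching the token; "aud" in the result usually means the scope was not added to the client in Adding Scope to the Client, and "scope" means the base-scope line in the credentials files is incomplete.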

Integrating UIM with UTIA and Message bus

To integrate UIM with UTIA and Message bus:

  1. See the Integrating UIM with UTIA and Message Bus section from Unified Inventory and Topology Deployment Guide and use the appropriate values configured through KeyCloak IDP.

    The sample properties for the KeyCloak IdentityGuard realm are as follows:

    Client Id: topologyOauthClient
    Client Secret: xxxxxxxxxxxxxxx
    Client scope: utiaScope
    Client Audience: utiaAudience

    Note:

    These are OpenID Connect values.

  2. Use the endpoint URLs mentioned in your realm. See "Getting OpenID Endpoint Configurations" for more information.