Configure an External IAM with Keycloak* Solution (Optional)#

Intel recommends to follow the official Keycloak guide to Configuring Identity Providers for your specific identity provider. Below you will find a step by step example and summary for Azure in particular. Keycloak Microsoft Guide .

Note

This setup is optional and not required for use with Keycloak solution.

Keycloak solution supports using login identities from an external IAM. The examples used in this section reference Azure* AD, but other IAM providers, such as AWS, are supported. Refer to the IAM documentation for details on configuration steps.

Once you have completed these steps, see Configure External IAM Security Groups (Optional) to manage group memberships.

Prerequisites#

  • Basic administrative knowledge of the IAM and your credentials.

  • Tenant endpoint information for the IAM, and any redirect URLs.

Connect an External IAM to Edge Orchestrator#

Complete these three steps to use an external IAM.

  1. Connect the external IAM to Keycloak solution.

  2. Connect Edge Orchestrator Keycloak to the external IAM.

  3. Configure the security groups in the external IAM.

    • Make any necessary changes to the application manifest.

  4. Configure security groups for Edge Orchestrator.

Connect Azure AD to Keycloak Solution#

  1. Log in to the Azure AD portal.

  2. In the search bar, type “App registration” or select the App registrations icon from the home page.

At this point you can select an existing App registration (recommended) to be used or create a new one:

  1. Select New registration.

  2. Enter a name for the application. For example, Edge Orchestrator.

  3. Select the appropriate radio button to connect the IAM. For example, to allow only accounts from this directory, choose Accounts in this organizational directory only.

  4. Click Register to complete the registration.

Connect Keycloak IdP to Azure AD#

  1. Navigate to the Keycloak solution login page. For example, https://keycloak.CLUSTER_FQDN.

  2. Select Administration Console.

  3. Choose Identity Providers in the bottom left.

  4. Ignore any already existing Identity Providers if Disabled.

  5. Select Add Provider and choose OpenID Connect v1.0.

  6. Enter an internal alias for the connection.

  7. Enter a display name for the connection. This is the name users will see when they log in.

  8. Toggle Use discovery endpoint on.

  9. Enter the Azure AD discovery endpoint for the tenant. Keycloak solution queries the endpoint to make the OIDC connection and populates the URLs.

Configure Azure AD Registration#

When the IAM and Keycloak solution are connected, verify that your application manifest is correct for your settings.

Configure the Settings in the Application Manifest#

Note

We recommend having both the IAM and Keycloak pages open to copy values between them. The instructions below reference switching between the pages.

  1. Navigate to the Azure AD home page and select App registrations.

  2. Open the app registration created previously.

  3. In another browser tab or window, navigate to the Keycloak page.

  4. Select Identity providers from the left navigation bar and open the identity connection created previously.

You can now copy and paste between the Azure AD and Keycloak solution for the next steps.

  1. In Azure AD, copy the Application (client) ID value and paste into the Client ID entry in Keycloak solution.

  2. Switch to Azure AD and select Certificates & secrets from the left navigation bar.

  3. In the Client secrets tab, click New client secret. Add a secret description and change the expiration if needed.

  4. Click Add.

  5. Copy the secret value from Azure AD and paste it into the Client Secret entry in Keycloak solution.

  6. In Keycloak solution, copy the Redirect URI value, and paste it into the Redirect URI entry in Azure AD.

  7. In Azure AD, click Configure.

  8. Switch to Keycloak solution and click Add to complete the registration.

Verify the app registration manifest#

When the app registration is complete, verify the manifest has the correct values.

  1. Navigate to the Azure AD portal.

  2. Under App Registrations select the application you used to connect to the Edge Orchestrator’s Keycloak solution.

  3. Select Manifest from the left navigation bar to view the application manifest.

  4. Change the lines in the manifest, if necessary, to match the following:

    • "groupMembershipClaims": ApplicationGroup,

    • “optionalClaims”: groups

    • "replyUrlsWithType": [Keycloak Redirect URI]

    The ApplicationGroup value indicates that the token provided by Azure AD to Keycloak* solution only contains the security groups associated with the enterprise application.

    The optionalClaims value adds a group claim to provide membership data from Azure AD to Keycloak solution, and shares user group information.

    The replyUrlsWithType value must include the Keycloak Redirect URI for any Keycloak IdP that connects to this registered application. Azure AD generates this URL when the Keycloak IdP connection is complete.

Verify the SSO Configuration#

To verify a successful SSO configuration do the following: #. Logout from Keycloak. #. Close and re-open your browser app or use an incognito window re-open. #. Navigate again to the Edge Orchestrator’s login page. #. Verify SSO login option is enabled. #. Login with your SSO account.

If the steps are correct, you can now sign in using Azure based SSO or a local account.