IAM / KeyCloak integration

Since the IDP Kit is compliant with the well adopted OpenID Connect standard for identity provision, it can be easily integrated, as a federated identity provider, with third party Identity and Access Management systems (IAM), such as KeyCloak.

In this section I will demonstrate how to configure KeyCloak to use the IDP Kit as an external identity provider and thus enable authentication via SSI with just a few configuration changes.

Client registration

For simplicity I assume that the OIDC Manager, the SIOP Manager and the general IDP Kit configuration have already been set up according to your requirements.

Next, we need to register the KeyCloak server with the IDP Kit as an OIDC client.

In this example I will use the command line interface to register a new client like so:

waltid-idpkit config --oidc clients register -r https://keycloak.walt-test.cloud/realms/master/broker/waltid-idpkit/endpoint

The command prints the client registration information, from which I need to copy the client_id and client_secret:

{
    [...]
    "redirect_uris":[
        "https:\/\/keycloak.walt-test.cloud\/realms\/master\/broker\/waltid-idpkit\/endpoint"
    ],
    "client_secret":"T38g9qLmw3PboO0zbesyDFNXATrC6R6u-cMQ62g-lWE",
    [...]
    "client_id":"4RxVuuOJOiunktpehKdrT28sA4vbLFQc40eY5DlC_SE"
}

Refer to the KeyCloak documentation to find out the proper values for the redirection URIs in your setup.

To register the client at runtime, you can also make use of the dynamic client registration API.

KeyCloak configuration

Now we can configure KeyCloak to connect to the IDP Kit.

To do so, log in to the KeyCloak administration console with your admin credentials and navigate to the realm for which you want to apply the configuration.

External identity provider

  • Navigate to the Identity Providers section in the left menu bar, open the "Add provider..." drop-down menu and choose "OpenID Connect v1.0".

  • Fill in Alias and Display Name according to how you want the IDP Kit to be referred to in the Login UI.

  • Scroll down to Import External IDP Config, enter the URL of the well-known OIDC discovery document of the IDP Kit and click Import. For our IDP Kit test deployment, the URL would be:

https://idp.walt-test.cloud/api/oidc/.well-known/openid-configuration

  • On import, the required endpoints are automatically filled in.

  • Next we need to provide the client authentication details.

    • Scroll to the Client Authentication input field and choose Client secret sent as basic auth.

    • Then fill in Client ID and Client Secret with the values obtained from the client registration.

  • In order to get properly mapped user data from the IDP Kit, we need to define the OIDC scopes to be used for the authorization request.

    • Choose: openid profile

  • Save the IDP configuration.

  • Now continue with configuring your client application to connect to KeyCloak as authorization server, as usual.
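Before importing an external IDP configuration, it is worth checking what KeyCloak will actually consume: the discovery document must carry the endpoints KeyCloak imports, its issuer must match the URL it was fetched from (OIDC Discovery, section 4.3, which is what stops a redirected or mis-typed URL from silently wiring in a different issuer), it must advertise the openid and profile scopes chosen above, and it must accept the client secret via HTTP Basic auth. The script below is an added example and is not part of the IDP Kit or KeyCloak. The discovery document it checks is constructed inline from the test deployment URL on this page; its endpoint paths (/authorize, /token, /userinfo, /jwks) are placeholders, not the IDP Kit's real routes. The second function builds the Authorization header that the "Client secret sent as basic auth" option produces, applying the form-url-encoding that RFC 6749 section 2.3.1 requires before Base64 (a secret containing characters such as "+" or "/" would otherwise be mangled).

```python
import base64
import json
from urllib.parse import quote, urlparse

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"

# Discovery URL of the IDP Kit test deployment, as given in the docs.
DISCOVERY_URL = "https://idp.walt-test.cloud/api/oidc" + WELL_KNOWN_SUFFIX

# Constructed sample document. Only the base URL is from the docs; the
# endpoint paths are illustrative placeholders, not the IDP Kit's real routes.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.walt-test.cloud/api/oidc",
    "authorization_endpoint": "https://idp.walt-test.cloud/api/oidc/authorize",
    "token_endpoint": "https://idp.walt-test.cloud/api/oidc/token",
    "userinfo_endpoint": "https://idp.walt-test.cloud/api/oidc/userinfo",
    "jwks_uri": "https://idp.walt-test.cloud/api/oidc/jwks",
    "scopes_supported": ["openid", "profile"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
})

# Endpoints KeyCloak fills in on import; all must be present and use https.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")


def check_discovery(document_json, discovery_url, required_scopes=("openid", "profile")):
    """Return a list of problems found in a discovery document.

    An empty list means the document is consistent with the KeyCloak
    settings described on this page and is safe to import.
    """
    doc = json.loads(document_json)
    problems = []

    # Issuer must equal the discovery URL minus the well-known suffix.
    if not discovery_url.endswith(WELL_KNOWN_SUFFIX):
        problems.append("discovery URL does not end with " + WELL_KNOWN_SUFFIX)
        expected_issuer = None
    else:
        expected_issuer = discovery_url[: -len(WELL_KNOWN_SUFFIX)]
    issuer = doc.get("issuer")
    if expected_issuer is not None and issuer != expected_issuer:
        problems.append("issuer %r does not match discovery URL (expected %r)" % (issuer, expected_issuer))

    # Every endpoint KeyCloak imports must exist and be served over TLS.
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            problems.append("missing " + key)
        elif urlparse(url).scheme != "https":
            problems.append("%s is not https: %s" % (key, url))

    # The scopes configured in KeyCloak ("openid profile") must be advertised.
    advertised = doc.get("scopes_supported")
    if advertised is None:
        problems.append("scopes_supported not advertised; cannot confirm scopes " + " ".join(required_scopes))
    else:
        for scope in required_scopes:
            if scope not in advertised:
                problems.append("scope %r not in scopes_supported" % scope)

    # "Client secret sent as basic auth" requires client_secret_basic at the
    # token endpoint; the spec default when the key is absent is exactly that.
    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if "client_secret_basic" not in methods:
        problems.append("token endpoint does not accept client_secret_basic")

    return problems


def basic_auth_header(client_id, client_secret):
    """Build the HTTP Basic Authorization value for client_secret_basic.

    RFC 6749 section 2.3.1: both values are form-url-encoded first, then
    joined with ':' and Base64-encoded.
    """
    creds = "%s:%s" % (quote(client_id, safe=""), quote(client_secret, safe=""))
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


if __name__ == "__main__":
    issues = check_discovery(SAMPLE_DISCOVERY, DISCOVERY_URL)
    print("discovery check:", "OK" if not issues else issues)
    # Placeholder credentials; use the values printed by the client registration.
    print(basic_auth_header("<client_id>", "<client_secret>"))
```

Run it against the live document with the JSON fetched from the discovery URL in place of SAMPLE_DISCOVERY; any non-empty result is a reason to stop and look at the deployment before saving the identity provider in KeyCloak.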
