-
Notifications
You must be signed in to change notification settings - Fork 244
Standalone Keycloak as Identity Provider
- Once archive is secured with Keycloak as explained
create Standalone Keycloak as Identity Provider in
dcm4che
realm.
-
Start the Standalone Keycloak System using docker
docker run --name keycloak -p 8880:8880 -p 8843:8843 -p 8990:8990 -e HTTP_PORT=8880 -e HTTPS_PORT=8843 -e MANAGEMENT_HTTP_PORT=8990 -e KEYCLOAK_ADMIN_USER=admin -e KEYCLOAK_ADMIN_PASSWORD=admin -d dcm4che/keycloak:22.0.4
-
Login to this Standalone Keycloak system. Replace
<ip>
with the hostname/ip where this Standalone Keycloak system is running.http://<ip>:8880/auth
-
This by default shows
dcm4che
realm because it is configured to be used with archive. But we will not use this realm, for better understanding. -
Add a new realm. We name it, for eg,
keycloakIdentityProvider
. This value will be needed in Steps 5 and 6 of Identity Provider Configuration -
In this realm, add a client, for eg,
keycloakAsIdentityProvider
andSave
. ThisClient ID
is needed in Step 7 of Identity Provider Configuration -
On the subsequent page that gets seen, select
Access Type
asconfidential
. The value forValid Redirect URIs
should be taken from Step 3 of Identity Provider Configuration andSave
. -
Go to
Credentials
tab and copy theClient Secret
. This will be needed in Step 7 of Identity Provider Configuration
- You may add user(s) in
keycloakIdentityProvider
realm, which will be used for login via this Standalone Keycloak system.
- Keycloak created a key-pair and automatically generated a self-signed certificate, when you created the realm in Step 4 of Standalone Keycloak Installation & Configuration
- To change the default key-pair and certificate to the ones required by your application, refer Adding an existing keypair and certificate
-
Login to your Keycloak and go to
dcm4che
realm.http://localhost:8080/auth
-
Go to the
Identity Providers
in yourdcm4che
realm andAdd Provider
. SelectKeycloak OpenID Connect
. -
The value in
Redirect URI
field should be used in Step 6 in Standalone Keycloak Installation & Configuration -
Add value in
Alias
field. This will be displayed on the Archive UI login page, which will indicate that user has an option to login via Standalone Keycloak System. See point 1 in Verification section. -
Add value in
Authorization URL
. Replace the value<ip>
in URL below with hostname/ip where the Standalone Keycloak System is running. If you used a different value for realm name in Step 4 of Standalone Keycloak Installation & Configuration, then replace thekeycloakIdentityProvider
value in the URL below with realm name you used.http://<ip>:8880/auth/realms/keycloakIdentityProvider/protocol/openid-connect/auth
-
Add value in
Token URL
. Replace the value<ip>
in URL below with hostname/ip where the Standalone Keycloak System is running. If you used a different value for realm name in Step 4 of Standalone Keycloak Installation & Configuration, then replace thekeycloakIdentityProvider
value in the URL below with realm name you used.http://<ip>:8880/auth/realms/keycloakIdentityProvider/protocol/openid-connect/token
-
Add the values for
Client ID
andClient Secret
fields from Steps 5 and 7 respectively of Standalone Keycloak Installation & Configuration. -
The remaining values are kept unchanged and set to default values.
Save
the Identity Provider Configuration.
- Once you have added Keycloak as Identity Provider in
dcm4che
realm in your Keycloak, you will need to createMapper(s)
to assign roles to the users, authenticating themselves via Standalone Keycloak system, to be able to access and/or have modification rights on the archive. Go to theMappers
tab and clickCreate
. - Select
Hardcoded Role
fromMapper Type
dropdown. - For the
Role
fieldSelect Role
asuser
. EnterName
for your mapper andSave
. - If you want users,authenticating themselves via Standalone Keycloak system, to also have admin rights then create a
second mapper and repeat steps 2 and 3, except
Select Role
asadmin
.
- Once the above configurations are done correctly, you will get an option to login via Standalone Keycloak System on
the archive's login page. The name displayed will be the
Alias
name you used in Step 4 of Identity Provider Configuration. Login with the user you created in User Configuration to see the archive UI page.
- Note that, if the user did not have the Email and First/Last name fields set in his/her profile in Standalone Keycloak
system, the
Update Profile
page is seen when he/she authenticates with the user/password. This page shows the fieldsUsername
,Email
,First Name
, andLast Name
. Once the fields are updated, user can proceed to see the archive UI page. - This is because by default when you created the Identity Provider, the
First Login Flow
is set asfirst broker login
. - If one wants to skip the
Update Profile
page shown to the user when he/she logs in, one may do so by going toAuthentication
indcm4che
realm. SelectFirst Broker Login
. TheReview Profile
isRequired
. Go toActions
, selectConfig
. Default value forUpdate Profile on First Login
ismissing
. Change it tooff
andSave
.
DCM4CHEE 5 Documentation