Configuring Keycloak and generating a token
Setup Keycloak for connector application
Your tenant must be allowed to connect to the different connectors. This requires the following steps:
Step 1: Setting up master realm to enable permission
Step 2: Configuring a service account in the tenant realm to which you wish to onboard your connector
Step 3: Generate access token (via an API platform like Postman)
Step 1: Setting up master realm to enable permission
This part of the setup is for system administrators who have access to the Master realm. If you are installing for Cloud, reach out to the IDHub service team to configure your tenant for successful onboarding of a connector.
This section explains the changes to make under Identity Providers.
Log in to <http://yourdomain.com/auth> to access the Keycloak UI
Click on the Identity Providers section from the menu
Click the "Edit" button of the client realm
Go to the "Permission" section
Enable
Now click the "Edit" button
Attach the connector policy by searching for its name, connector-policy; this policy has already been created. See the images below for reference.


Step 2: Configuring service account in tenant realm
This setup must be done by the tenant on its own realm. To reach your own realm, log in to your tenant Admin module and navigate to Keycloak via the Admin Settings option in the left menu.
To make these changes:
Select the client realm from the top left drop down
Now click on Clients menu
Create a new client
Add a client named "<Type>-connector" (in our case we named it Ldap-connector; it can be Db-connector or File-connector as well), which will communicate with the IDHub connector client
The settings for the created "<Type>-connector" are shown below
See the images below for reference.

We also need to create a user through which the communication will take place, preferably a service account/user. Only one account can be used to connect to all connectors of the tenant.

The final part of this step is to set a permanent password for the user, which will be required in the next steps. This can be done from the Credentials tab (see image above).
Step 3: Generate access token
The access token can be generated with a POST API call, using any software, for example Postman.
The request needs the following details:
Method - POST
Url: https://<Domain name>/auth/realms/<Tenant-name>/protocol/openid-connect/token
Body:
It needs to have:
Client ID
Username
Password
Scope
Grant Type
Requested Token Type
See the image below for the correct format and sample values.

This completes the step of generating the access token, which is placed in the application.yaml file downloaded with the connector file from the website.
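An added example, not part of the original guide or IDHub's own code: it builds the Step 3 request and checks the returned access token before it goes into application.yaml. The form field names are the standard OAuth 2.0 names, assumed to match the body list above; the domain, tenant, user, scope and token type values are constructed placeholders, and the azp check assumes Keycloak's usual access token claims.

```python
import base64, json, time
from urllib.parse import quote, urlencode
from urllib.request import Request

def build_token_request(domain, tenant, client_id, username, password,
                        scope, grant_type, requested_token_type):
    """Build (do not send) the Step 3 POST; wire names are standard OAuth 2.0."""
    url = (f"https://{domain}/auth/realms/{quote(tenant, safe='')}"
           "/protocol/openid-connect/token")
    form = {"client_id": client_id, "username": username, "password": password,
            "scope": scope, "grant_type": grant_type,
            "requested_token_type": requested_token_type}
    return Request(url, data=urlencode(form).encode(), method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})

def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated parts")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def extract_access_token(response_body, expected_client_id, now=None):
    """Return the access token after checking its client (azp) and expiry (exp)."""
    data = json.loads(response_body)
    if "error" in data:
        raise ValueError(f"token request failed: {data['error']}")
    claims = jwt_claims(data["access_token"])
    if claims.get("azp") != expected_client_id:  # azp: client the token was issued to
        raise ValueError("token was issued to a different client")
    if claims["exp"] <= (time.time() if now is None else now):
        raise ValueError("token already expired")
    return data["access_token"]

def constructed_response(client_id, exp):
    """Constructed sample response with an unsigned dummy token, for offline runs."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    jwt = ".".join([enc({"alg": "none"}), enc({"azp": client_id, "exp": exp}), "sig"])
    return json.dumps({"access_token": jwt, "token_type": "Bearer"})

if __name__ == "__main__":
    # Constructed values; "password" as grant type is an assumption, the rest are placeholders.
    req = build_token_request("idhub.example.com", "acme", "Ldap-connector",
                              "svc-connector", "placeholder-password",
                              "<scope>", "password", "<requested-token-type>")
    print(req.get_method(), req.full_url)
    body = constructed_response("Ldap-connector", time.time() + 300)
    print(extract_access_token(body, "Ldap-connector")[:16] + "...")
```

To send the request, pass the returned object to urllib.request.urlopen and hand the response body to extract_access_token. Because the service account password travels in the request body, the URL is built with https only.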
The images shown in this document are for LDAP; however, the steps are the same for other connector files as well.