A Configuring KeyCloak as Identity Provider for UIM, ATA, and Message Bus
This chapter describes how to configure KeyCloak as an Identity Provider (IdP) for UIM, ATA, and Message Bus.
For more information on ATA and Message Bus, see "About Unified Inventory and Topology" in Unified Inventory and Topology Deployment Guide.
Prerequisites for Configuring KeyCloak
The following prerequisites are required for configuring KeyCloak:
- Install KeyCloak.
- Download all artifacts required to deploy UIM, ATA, and Message Bus.
Creating a New Realm
To create a new realm:
- Log in to the KeyCloak Admin Console and click Create Realm.
- Provide a name for the realm. For example, IdentityGuard.
- Set Enabled to On.
- Click Create.
A new realm is created.
Downloading the Identity Provider Metadata File
To download the Identity Provider metadata file:
- Switch to the realm you created.
- Go to Realm Settings.
- Under Endpoints on the General tab, click SAML 2.0 Identity Provider Metadata.
- Save the file at a desired location.
Creating a UIM Cloud Native Instance
Follow the instructions in the "Configuring SSO using SAML 2.0 for UIM CN" section of UIM Cloud Native Deployment Guide.
Create a UIM cloud native instance as follows:
- Build the UIM CN images using the IdP metadata file downloaded above.
- Create the UIM CN instance. You can provide a SAML entityId of your choice; the same value becomes the Client ID of the KeyCloak SAML client. For example: samlUIM.
- Publish the UIM CN metadata file (the Service Provider metadata). KeyCloak can create the SAML client by importing this file.
For more information on creating a UIM cloud native instance, see "Overview of the UIM Cloud Native Deployment" in UIM Cloud Native Deployment Guide.
Creating a SAML Client for UIM
To create a SAML client for UIM:
- Log in to KeyCloak and switch to your realm.
- Click on the Clients tab.
- Click Import client and upload UIMCNMetadata.xml (the SP metadata file) as the Resource file.
- The Client ID is populated from the SP metadata file. It is the entityId provided in the project.yaml of the UIM CNTK.
- Turn off the Client signature required flag. With this flag off, KeyCloak does not verify signatures on the SAML authentication requests it receives from UIM, so verify that the Valid redirect URIs (the assertion consumer service URLs) imported from the SP metadata point only at your UIM instance. KeyCloak's own signing of the responses it sends to UIM is controlled separately by the Sign documents and Sign assertions settings.
- Click Save and verify the client configuration.
- If SSL is enabled, import the UIM TLS certificates into the Java truststore used by KeyCloak (under JAVA_HOME), so that KeyCloak trusts the UIM endpoints.
Creating a SAML Client Role
To create a SAML client role:
- Log into KeyCloak and switch to your realm.
- Click on the Clients tab.
- Click on the client you have created above.
- Click Roles.
- Create a role with the name uim-users.
Adding Role Mapper in SAML Client Scope
To add role mapper in SAML client scope:
- Log into KeyCloak and switch to your realm.
- Click on the Clients tab.
- Click on the client you have created above.
- Click Client Scopes.
- Open the <clientId>-dedicated scope and, on the Mappers tab, click Add mapper, By configuration, Role list.
- Set Role attribute name to Groups.
- Enable Single Role Attribute. All of the user's roles are then emitted as multiple values of one Groups attribute rather than one attribute per role.
- Under the Scope tab, enable Full scope allowed. Note that the assertion then carries every role the user holds, not only the roles of this client.
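The following is an added example, not code from the UIM product or from this guide. It shows what UIM receives as a result of the Role list mapper configured above: a Groups attribute carrying the uim-users client role. The parser reads the roles from a SAML assertion in both layouts (one multi-valued Groups attribute when Single Role Attribute is on, one Groups attribute per role when it is off), checks that the Audience matches the samlUIM entityId, and checks the NotOnOrAfter condition. The assertion XML, the issuer host name, the user name uimadmin and the role example-role are constructed for illustration; only uim-users and samlUIM come from the page. Signature verification of the assertion must be done before this step, which this example does not cover.

```python
"""Added example: read UIM roles from a SAML assertion's AttributeStatement."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "samlUIM"      # entityId chosen for the UIM CN instance
ROLE_ATTRIBUTE = "Groups"     # Role attribute name set on the Role list mapper
UIM_ROLE = "uim-users"        # SAML client role created for UIM


def constructed_assertion(audience, role_groups):
    """Build a constructed sample assertion (not a captured one).

    Each inner list in role_groups becomes one <saml:Attribute Name="Groups">
    element, so [[a, b]] models Single Role Attribute on and [[a], [b]] off.
    Issuer host and NameID are hypothetical.
    """
    attrs = "".join(
        '    <saml:Attribute Name="Groups" '
        'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">\n'
        + "".join(f"      <saml:AttributeValue>{r}</saml:AttributeValue>\n" for r in roles)
        + "    </saml:Attribute>\n"
        for roles in role_groups
    )
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ID_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://keycloak.example.com/realms/IdentityGuard</saml:Issuer>
  <saml:Subject><saml:NameID>uimadmin</saml:NameID></saml:Subject>
  <saml:Conditions NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
{attrs}  </saml:AttributeStatement>
</saml:Assertion>
"""


# Single Role Attribute on: both roles in one Groups attribute.
SINGLE_ATTRIBUTE_ASSERTION = constructed_assertion(SP_ENTITY_ID, [["uim-users", "example-role"]])
# Single Role Attribute off: one Groups attribute per role.
MULTI_ATTRIBUTE_ASSERTION = constructed_assertion(SP_ENTITY_ID, [["uim-users"], ["example-role"]])


def parse_saml_time(ts):
    """SAML timestamps are UTC with a trailing Z; fromisoformat wants +00:00."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def roles_from_assertion(assertion_xml, expected_audience=SP_ENTITY_ID,
                         role_attribute=ROLE_ATTRIBUTE, now=None):
    """Return the roles asserted for this SP, in document order.

    Raises ValueError if the assertion is not addressed to expected_audience
    or is past its NotOnOrAfter time. `now` is an ISO timestamp string; None
    means the current time. For untrusted XML in production use defusedxml.
    """
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        raise ValueError("assertion has no Conditions element")
    audiences = [a.text for a in conditions.findall(
        "saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        raise ValueError(f"audience {audiences} does not include {expected_audience}")
    now_dt = datetime.now(timezone.utc) if now is None else parse_saml_time(now)
    if now_dt >= parse_saml_time(conditions.get("NotOnOrAfter")):
        raise ValueError("assertion has expired")
    roles = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != role_attribute:
            continue  # other attributes (e.g. email) are not roles
        roles.extend(v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text)
    return roles


def is_uim_user(assertion_xml, now=None):
    """True if the assertion grants the uim-users client role to the subject."""
    return UIM_ROLE in roles_from_assertion(assertion_xml, now=now)


if __name__ == "__main__":
    for label, xml in (("single", SINGLE_ATTRIBUTE_ASSERTION), ("multi", MULTI_ATTRIBUTE_ASSERTION)):
        print(label, roles_from_assertion(xml, now="2024-01-01T00:01:00Z"))
```

In a real deployment the Assertion is wrapped in a samlp:Response and signed by KeyCloak; the audience and expiry checks above are the ones UIM relies on after that signature has been verified.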
Configuring Session Timeouts
To configure the SSO session timeout:
- Log in to KeyCloak and switch to your realm.
- Click Realm Settings under Configure.
- Navigate to the Sessions tab and set SSO Session Idle to a value less than the WebLogic application timeout value. The default WebLogic application timeout is 30 minutes. If the KeyCloak SSO session outlives the WebLogic session, an expired WebLogic session is re-established silently by the still-valid SSO session instead of prompting the user to log in again.
Adding Users and Mapping the Users to the SAML Client Role
To add users and map them to the SAML client role:
- Log in to KeyCloak and switch to your realm.
- Click on the Users tab.
- Click Add User to create users in KeyCloak.
- Add the UIM users (embedded LDAP and external LDAP users).
- Map the users to the SAML client role as follows:
- Click on the user you created, under the Users tab.
- Click Role Mapping and then Assign Role.
- Switch to filter by clients and search for the uim-users role.
- Select the uim-users role and click Assign.
Creating OAUTH Client for ATA and Message Bus
To create OAUTH client for ATA and Message Bus:
- Log in to KeyCloak and switch to your realm.
- Click on the Clients tab.
- Click Create Client.
- Choose client type as OpenID Connect.
- Provide client id of your choice. For example: topologyOauthClient.
- Click Next.
- Enable Client authentication and select Standard flow, Direct access grants, and Service accounts roles.
- Click Next.
- Add the following Valid redirect URIs:
- https://<unified-topology-hostname>:<loadbalancer-port>/topology
- https://<unified-topology-hostname>:<loadbalancer-port>/redirect/ata-ui
- https://<instance>.<project>.uniauth.<hostSuffix>:<loadbalancer-port>/topology
- Add https://<topology-hostname>:<loadbalancer-port>/apps/ata-ui as Valid post logout redirect URIs.
Register the exact URIs and avoid wildcard entries: KeyCloak delivers authorization codes only to URIs that match this list, so the list is what prevents codes from being sent to another host.
- Click Save and verify the client configuration.
Configuring the Client Scope and Audience
To configure the client scope and audience:
- Log in to KeyCloak and switch to your realm.
- Click Client Scopes.
- Click Create Client Scope.
- Provide the name as ataScope.
- Enter the protocol as OpenID Connect.
- Enable the Include in token scope.
- Click Save.
- Go to Mappers and then configure a New Mapper.
- Choose the Mapper type as Audience.
- Provide a Name, and set Included Custom Audience to ataAudience.
- Enable Add to access token. This places ataAudience in the aud claim of access tokens that ATA and Message Bus receive.
- Click Save.
Adding Scope to the Client
To add scope to the client:
- Log in to KeyCloak and switch to your realm.
- Click on the Clients tab.
- Click on your OIDC client. For example: topologyOauthClient.
- Open the Client Scope tab.
- Change the Assigned type of microprofile-jwt from Optional to Default.
- Click Add client scope, select the scope created above (ataScope), and add it.
- Click Save.
Creating Realm Roles and Assigning the Roles to the Authorized Users
When authorization is enabled for ATA and Message Bus, you create realm roles and assign them to the authorized users.
Creating Realm Roles
To create realm roles:
- Log in to KeyCloak and switch to your realm.
- Open the Realm Roles tab.
- Click Create Role.
- Provide the required role name. For information on the roles, see "About Authentication".
- Click Save.
- (Optional) Repeat the Create Role, role name, and Save steps above to add another role.
Mapping Realm Roles to the Authorized Users
To map the created realm roles to the authorized users:
- Open the Users tab.
- Select the user that needs a corresponding role to be assigned.
- Click Role Mapping and then Assign Role.
- Search for and select the required role. For more information on the roles, see "About Authentication".
- Click Assign.
Getting OpenID Endpoint Configurations
To get OpenID endpoint configurations:
- Log in to KeyCloak and switch to your realm.
- Click Realm Settings.
- Under Endpoints, click OpenID Endpoint Configuration.
The OpenID endpoint configuration (the OpenID Connect discovery document) appears. It lists the issuer and the authorization, token, JWKS, and logout endpoints of your realm.
Configuring Message Bus and ATA with OAUTH Client
To configure Message Bus and ATA with the OAUTH client:
- Create the oauthConfig secret.
Note: See "Enabling Authentication for ATA and Messaging Bus" in Unified Inventory and Topology Deployment Guide for more information.
- Create the aapUIUser secret and the aapUser secret for the topology UI and API.
Note: See "Create Secrets for ATA UI Authentication" and "Create Secrets for Authentication on Unified Topology API" in Unified Inventory and Topology Deployment Guide for more information.
- Add openid as an additional base scope in the topology-ui-user-credentials.yaml and topology-user-credentials.yaml files. For example, the base scope must be as follows:
base-scope: "ataScope openid"
- Use the client ID and client secret of topologyOauthClient in the above steps, and use the endpoint URLs of your realm.
Note: See "Getting OpenID Endpoint Configurations" for more information.
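The following is an added example, not code from the product or from this guide. It shows the effect of the client scope, audience, and base scope configuration above on the access tokens that ATA and Message Bus receive from the IdentityGuard realm, and how a consumer validates them against the realm's OpenID endpoint configuration: the iss claim must equal the discovery issuer, aud must contain ataAudience (added by the ataScope audience mapper), azp must be topologyOauthClient, scope must include "ataScope openid", and the realm roles appear both in realm_access.roles and in the groups claim added by the microprofile-jwt scope. The discovery document, the keycloak.example.com host name, the claims, and the role example-realm-role are constructed. KeyCloak signs tokens with RS256 using the keys published at jwks_uri; the HS256 signing and verification here stand in for that so the verification path runs offline with the standard library.

```python
"""Added example: validate an access token issued for topologyOauthClient."""
import base64
import hashlib
import hmac
import json
import time

# Constructed discovery document, trimmed to the fields used here. The host
# name is hypothetical; the paths follow Keycloak's standard realm layout.
DISCOVERY = {
    "issuer": "https://keycloak.example.com/realms/IdentityGuard",
    "token_endpoint": "https://keycloak.example.com/realms/IdentityGuard/protocol/openid-connect/token",
    "jwks_uri": "https://keycloak.example.com/realms/IdentityGuard/protocol/openid-connect/certs",
    "end_session_endpoint": "https://keycloak.example.com/realms/IdentityGuard/protocol/openid-connect/logout",
}
CLIENT_ID = "topologyOauthClient"
AUDIENCE = "ataAudience"
REQUIRED_SCOPES = {"openid", "ataScope"}       # the base-scope from the credential files
DEMO_KEY = b"constructed-demo-key"             # stand-in for the realm's RSA key
NOW = 1_700_000_000                            # fixed clock for the sample

# Constructed claims as KeyCloak would mint them after the configuration above.
# "example-realm-role" is a hypothetical realm role; "account" is Keycloak's
# built-in client, which normally also appears in aud.
SAMPLE_CLAIMS = {
    "iss": DISCOVERY["issuer"],
    "aud": ["ataAudience", "account"],
    "azp": CLIENT_ID,
    "iat": NOW,
    "exp": NOW + 300,
    "scope": "openid ataScope",
    "upn": "ata-operator",                       # added by microprofile-jwt
    "groups": ["example-realm-role"],            # added by microprofile-jwt
    "realm_access": {"roles": ["example-realm-role"]},
}


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims, key):
    """Mint a test token (constructed; real Keycloak tokens are RS256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_hs256(token, key):
    """Pin the algorithm, check the MAC, and only then parse the claims."""
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")      # rejects alg=none and key confusion
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))


def validate_ata_claims(claims, discovery=DISCOVERY, client_id=CLIENT_ID,
                        audience=AUDIENCE, required_scopes=REQUIRED_SCOPES, now=None):
    """Return the names of the failing checks; an empty list means accept."""
    now = time.time() if now is None else now
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud   # aud may be a string or a list
    granted = set(claims.get("scope", "").split())
    checks = {
        "iss": claims.get("iss") == discovery["issuer"],
        "aud": audience in aud,
        "azp": claims.get("azp") == client_id,
        "exp": claims.get("exp", 0) > now,
        "scope": required_scopes <= granted,
    }
    return [name for name, ok in checks.items() if not ok]


def token_roles(claims):
    """Realm roles from realm_access and from the microprofile-jwt groups claim."""
    roles = set(claims.get("realm_access", {}).get("roles", []))
    roles.update(claims.get("groups", []))
    return sorted(roles)


if __name__ == "__main__":
    token = make_hs256_token(SAMPLE_CLAIMS, DEMO_KEY)
    claims = verify_hs256(token, DEMO_KEY)
    print("failing checks:", validate_ata_claims(claims, now=NOW))
    print("roles:", token_roles(claims))
```

The audience check is the reason the ataScope audience mapper exists: without ataAudience in aud, a token minted for another client in the same realm would otherwise be accepted by ATA and Message Bus.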
Integrating UIM with ATA and Message Bus
To integrate UIM with ATA and Message Bus:
- See "Integrating UIM with ATA and Message Bus" in Unified Inventory and Topology Deployment Guide and use the appropriate values configured through the KeyCloak IdP.
The sample properties for the KeyCloak IdentityGuard realm are as follows:
Client Id: topologyOauthClient
Client Secret: xxxxxxxxxxxxxxx
Client scope: ataScope
Client Audience: ataAudience
Note: These are OpenID Connect values.
- Use the endpoint URLs mentioned in your realm. See "Getting OpenID Endpoint Configurations" for more information.