A Configuring KeyCloak as Identity Provider for UIM, ATA, and Message Bus

This chapter describes how to configure KeyCloak as an Identity Provider for UIM, ATA, and Message Bus.

For more information on ATA and Message Bus, see "About Unified Inventory and Topology" in Unified Inventory and Topology Deployment Guide.

Prerequisites for Configuring KeyCloak

The following prerequisites are required for configuring KeyCloak:

  • Install KeyCloak.
  • Download all artifacts required to deploy UIM, ATA, and Message Bus.

Creating a New Realm

To create a new realm:

  1. Provide a name for the realm. For example, IdentityGuard.
  2. Set the realm to Enabled.
  3. Click Create.

    A new realm is created.

Downloading the Identity Provider Metadata File

To download the Identity Provider metadata file:

  1. Switch to the realm you created.
  2. Go to Realm Settings.
  3. Click SAML 2.0 Identity Provider Metadata.
  4. Save the file at a desired location.

Creating a UIM Cloud Native Instance

Follow the instructions mentioned in the "Configuring SSO using SAML 2.0 for UIM CN" section from UIM Cloud Native Deployment Guide.

Create a UIM cloud native instance as follows:

  1. Build the UIM CN images using the IdP metadata file you downloaded above.
  2. Create the UIM CN instance. You can provide a SAML entityId of your choice; the KeyCloak SAML client uses the same value. For example: samlUIM.
  3. Publish the UIM CN metadata file, because KeyCloak supports creating a SAML client from a Service Provider metadata file.

For more information on creating a UIM cloud native instance, see "Overview of the UIM Cloud Native Deployment" in UIM Cloud Native Deployment Guide.

Creating a SAML Client for UIM

To create a SAML client for UIM:

  1. Log in to KeyCloak and switch to your realm.
  2. Click on the Clients tab.
  3. Choose the Import client option and add UIMCNMetadata.xml (the SP metadata file) as the resource file.
  4. The Client ID is populated automatically from the SP metadata file. It is the same value provided in the project.yaml of UIM CNTK.
  5. Turn off the Client Signature Required flag.
  6. Click Save and verify the client configuration.
  7. If SSL is enabled, add the UIM certificates to the Java truststore under the JAVA_HOME used by KeyCloak.

Creating a SAML Client Role

To create a SAML client role:

  1. Log into KeyCloak and switch to your realm.
  2. Click on the Clients tab.
  3. Click on the client you have created above.
  4. Click Roles.
  5. Create a role with the name uim-users.

Adding Role Mapper in SAML Client Scope

To add role mapper in SAML client scope:

  1. Log into KeyCloak and switch to your realm.
  2. Click on the Clients tab.
  3. Click on the client you have created above.
  4. Click Client Scopes.
  5. Under the Mappers tab, add the role list mapper by clicking Add Mapper under the <clientId>-dedicated scope.
  6. Provide Groups as the Role attribute name.
  7. Enable Single Role Attribute.
  8. Under the Scope tab, enable Full scope allowed.

Configuring Session Timeouts

To configure the SSO session timeout:

  1. Log in to KeyCloak and switch to your realm.
  2. Click Realm Settings under Configure.
  3. Navigate to the Sessions tab and set SSO Session Idle to a value less than the WebLogic application timeout value. The default WebLogic application timeout is 30 minutes.

Adding Users and Mapping the Users to the SAML Client Role

To add users and map them to the SAML client role:

  1. Log in to KeyCloak and switch to your realm.
  2. Click on the Users tab.
  3. Click Add User to create users in KeyCloak.
  4. Add UIM Embedded LDAP and External LDAP users.
  5. Map the users to the SAML client role as follows:
    1. Click on the user you created, under the Users tab.
    2. Click Role Mapping and then Assign Role.
    3. Switch the filter to Filter by clients and search for the uim-users role.
    4. Select the uim-users role and click Assign.
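The role list mapper above (attribute name Groups, Single Role Attribute enabled) and the uim-users assignment decide what UIM receives in the SAML assertion. The following is an added example, not code from the Oracle documentation or from UIM: it parses a constructed assertion and reports the configuration problems a missing or split Groups attribute would indicate. The issuer URL and user name are placeholders.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from a real KeyCloak instance):
# one Groups attribute carrying every role, which is what Single Role
# Attribute produces. Issuer host and NameID are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0">
  <saml:Issuer>https://keycloak.example.invalid/realms/IdentityGuard</saml:Issuer>
  <saml:Subject><saml:NameID>uim.user</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>uim-users</saml:AttributeValue>
      <saml:AttributeValue>offline_access</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def role_attribute(assertion_xml, attr_name="Groups"):
    """Return (number of Attribute elements named attr_name, all their values)."""
    root = ET.fromstring(assertion_xml)
    attrs = [a for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS)
             if a.get("Name") == attr_name]
    values = [v.text.strip() for a in attrs
              for v in a.iterfind("saml:AttributeValue", SAML_NS) if v.text]
    return len(attrs), values


def check_uim_assertion(assertion_xml, required_role="uim-users"):
    """List configuration problems; an empty list means UIM would see the role."""
    count, values = role_attribute(assertion_xml)
    problems = []
    if count == 0:
        problems.append("no Groups attribute: role list mapper missing or attribute name differs")
    elif count > 1:
        # Without Single Role Attribute, KeyCloak emits one Attribute per role.
        problems.append(f"roles split over {count} Groups attributes: enable Single Role Attribute")
    if required_role not in values:
        problems.append(f"{required_role} not present: assign the client role to the user")
    return problems
```

Run it against an assertion captured from a browser SAML trace (after the signature has been validated by the SP) to confirm the mapper and role assignment before troubleshooting UIM login failures.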

Creating OAUTH Client for ATA and Message Bus

To create OAUTH client for ATA and Message Bus:

  1. Log in to KeyCloak and switch to your realm.
  2. Click on the Clients tab.
  3. Click Create Client.
  4. Choose OpenID Connect as the client type.
  5. Provide a client ID of your choice. For example: topologyOauthClient.
  6. Click Next.
  7. Enable Client authentication and select Standard flow, Direct access grants, and Service accounts roles.
  8. Click Next.
  9. Add the following Valid redirect URIs:
    • https://<unified-topology-hostname>:<loadbalancer-port>/topology
    • https://<unified-topology-hostname>:<loadbalancer-port>/redirect/ata-ui
    • https://<instance>.<project>.uniauth.<hostSuffix>:<loadbalancer-port>/topology
  10. Add https://<topology-hostname>:<loadbalancer-port>/apps/ata-ui as Valid post logout redirect URIs.
  11. Click Save and verify the client configuration.

Configuring the Client Scope and Audience

To configure the client scope and audience:

  1. Log in to KeyCloak and switch to your realm.
  2. Click Client Scopes.
  3. Click Create Client Scope.
  4. Provide the name as ataScope.
  5. Enter the protocol as OpenID Connect.
  6. Enable Include in token scope.
  7. Click Save.
  8. Go to Mappers and configure a new mapper.
  9. Choose Audience as the mapper type.
  10. Provide a Name and Included Custom Audience as ataAudience.
  11. Enable Add to access token.
  12. Click Save.

Adding Scope to the Client

To add scope to the client:

  1. Log in to KeyCloak and switch to your realm.
  2. Click on the Clients tab.
  3. Click on your OIDC client. For example: topologyOauthClient.
  4. Open the Client Scope tab.
  5. Change the Assigned type of microprofile-jwt from Optional to Default.
  6. Click Add client scope and choose the scope created above (ataScope).
  7. Click Save.

Creating Realm Roles and Assigning the Roles to the Authorized Users

You create realm roles and assign them to the authorized users when Authorization is enabled.

Creating Realm Roles

To create realm roles:

  1. Log in to KeyCloak and switch to your realm.
  2. Open the Realm Roles tab.
  3. Click Create Role.
  4. Provide the required role name. For information on the roles, see "About Authentication".
  5. Click Save.
  6. (Optional) Repeat steps 3, 4, and 5 above to add another role.

Mapping Realm Roles to the Authorized Users

To map the created realm roles to the authorized users:

  1. Open the Users tab.
  2. Select the user that needs a corresponding role to be assigned.
  3. Click Role Mapping and then Assign Role.
  4. Search for and select the required role. For more information on the roles, see "About Authentication".
  5. Click Assign.

Getting OpenID Endpoint Configurations

To get OpenID endpoint configurations:

  1. Log in to KeyCloak and switch to your realm.
  2. Click Realm Settings.
  3. Click OpenID Endpoint Configuration.

    The OpenID endpoint configurations appear.

Configuring Message Bus and ATA with OAUTH Client

To configure Message Bus and ATA with OAUTH client:

  1. Create the oauthConfig secret.

    Note:

    See "Enabling Authentication for ATA and Messaging Bus" from Unified Inventory and Topology Deployment Guide, for more information.
  2. Create aapUIUser secret and aapUser Secret for topology UI and API.

    Note:

    See "Create Secrets for ATA UI Authentication" and "Create Secrets for Authentication on Unified Topology API" in Unified Inventory and Topology Deployment Guide for more information.
  3. Add openid as an additional base scope in the topology-ui-user-credentials.yaml and topology-user-credentials.yaml files. For example, the base scope must be as follows:
    base-scope: "ataScope openid"
  4. Use the client ID and client secret of topologyOauthClient for the above steps and for all endpoint URLs.

    Note:

    See Getting OpenID Endpoint Configurations for more information.
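The client scope, audience mapper and base-scope configured in the sections above all surface as claims in the access token that ATA and Message Bus receive from topologyOauthClient. The following is an added example, not code from the Oracle documentation or from ATA: it decodes a constructed token and reports whether the scope and aud claims match ataScope, openid and ataAudience. It inspects claims only; the resource server still has to verify the RS256 signature against the realm's published keys before trusting them. The issuer host is a placeholder.

```python
import base64
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(payload: dict) -> str:
    """Build a compact JWT with a placeholder signature (test data only)."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return ".".join([header, b64url_encode(json.dumps(payload).encode()), "placeholder"])


def unverified_claims(token: str) -> dict:
    """Return the payload claims without checking the signature."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def check_ata_token(token, scopes=("ataScope", "openid"), audience="ataAudience"):
    """List configuration problems; an empty list means scope and aud match."""
    claims = unverified_claims(token)
    problems = []
    granted = set(claims.get("scope", "").split())
    for s in scopes:
        if s not in granted:
            problems.append(f'scope {s} missing: base-scope should be "ataScope openid"')
    # KeyCloak emits aud as a string for one audience and a list for several.
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if audience not in aud:
        problems.append(f"aud lacks {audience}: check the Audience mapper on ataScope")
    return problems


# Constructed sample claims mimicking a token for topologyOauthClient in the
# IdentityGuard realm; the issuer host is a placeholder.
SAMPLE_TOKEN = make_unsigned_token({
    "iss": "https://keycloak.example.invalid/realms/IdentityGuard",
    "azp": "topologyOauthClient",
    "aud": ["ataAudience", "account"],
    "scope": "ataScope openid email profile",
})
```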

Integrating UIM with ATA and Message Bus

To integrate UIM with ATA and Message Bus:

  1. See "Integrating UIM with ATA and Message Bus" in Unified Inventory and Topology Deployment Guide and use the appropriate values configured through KeyCloak IDP.

    The sample properties for the KeyCloak IdentityGuard realm are as follows:

    Client ID: topologyOauthClient
    Client Secret: xxxxxxxxxxxxxxx
    Client scope: ataScope
    Client Audience: ataAudience

    Note:

    These are OpenID Connect values.
  2. Use the endpoint URLs mentioned in your realm. See "Getting OpenID Endpoint Configurations" for more information.