bob-builds-labs

PPDM Integration with Keycloak

prerequisite: start ppdm-1

Keycloak startup on the Ansible host

We first refresh 0499 from GitHub:

git -C ~/workspace/0499 pull

Now we start Keycloak using podman:

cd ~/workspace/0499/lab6/keycloak
podman-compose up -d

username: admin password: Password123!

Keycloak-Side Configuration

Step 1: Create a New Realm

  1. Log in to the Keycloak Admin Console: http://ansible.demo.local:8180/auth/admin (username: admin, password: Password123!)
  2. Click on “Manage realms”
  3. Click on “Create realm”
  4. Enter a Name (e.g., ppdm-realm) → click Create

Step 2: Configure the Realm Token Settings

  1. In your new realm, go to Realm Settings → Tokens tab
  2. Set Default Signature Algorithm to RS256
  3. Click Save if required

Step 3: Create the OIDC Client for PPDM

  1. Navigate to Clients → click Create
  2. On General Settings, fill in:
    • Client ID: e.g., ppdm-client
    • Client Type: openid-connect
    • Name: Client for PPDM
  3. Click Next
  4. On Capability Config, select:

| Field | Value |
|---|---|
| Client authentication | ON |
| Standard Flow Enabled | ON |
| Standard Token Exchange | ON |
| Service Accounts Enabled | ON |

  5. Click Next
  6. On Login Settings, fill in:

| Field | Value |
|---|---|
| Root URL | https://ppdm-1.demo.local |
| Valid Redirect URIs | will be filled in when the PPDM IDP is configured (Step 10) |
| Web Origins | https://ppdm-1.demo.local |

Click Save.


Step 5: Retrieve the Client Secret

  1. Go to the client’s Credentials tab
  2. Copy the Secret value — you will need this when registering OIDC on PPDM

Step 6: Create Groups in Keycloak

  1. Navigate to Groups → click New
  2. Create groups that map to PPDM roles, for example:
    • ppdm-admin
    • ppdm-user
    • ppdm-restore
  3. Click Save for each group

Step 7: Create Users and Assign to Groups

  1. Go to Users → click Create new user
  2. Fill in:
    • Username (this becomes preferred_username in the token): ppdm-admin
    • Email: admin@demo.local
    • First name: ppdm
    • Last name: admin
    • Set Email Verified → ON
  3. On Join Groups, select ppdm-admin
  4. Click Create
  5. On the Credentials tab → set a password → toggle Temporary to OFF

Step 8: Add Protocol Mappers to Emit Required Claims

On the client, go to the Client scopes tab → click ppdm-client-dedicated

Configure the following new mappers:

Mapper Type: Group Membership

| Field | Value |
|---|---|
| Name | groups |
| Token Claim Name | groups |
| Full group path | OFF |
| Add to ID token | ON |
| Add to access token | ON |
| Add to userinfo | ON |

Click Save.

Mapper Type: User Property

| Field | Value |
|---|---|
| Name | preferred_username |
| Property | username |
| Token Claim Name | preferred_username |
| Claim JSON Type | String |
| Add to ID token | ON |
| Add to access token | ON |

Click Save.


Step 9: Verify the Well-Known OIDC Endpoint

Confirm Keycloak is publishing metadata correctly by browsing to:

http://ansible.demo.local:8180/realms/ppdm-realm/.well-known/openid-configuration

This URL is what you will supply as the Auto Config URI when registering the OIDC provider in PPDM.
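A quick way to confirm the discovery document really carries what PPDM will rely on (matching issuer, RS256 from Step 2, the Authorization Code flow and the endpoints it needs) is the small checker below. It is an added example, not code from the lab repository: the structure of the sample document follows what Keycloak publishes, but SAMPLE_DISCOVERY itself is constructed and trimmed so the checks run offline, and fetch_discovery() retrieves the live document from the lab URL.

```python
"""Validate an OIDC discovery document for the settings this lab relies on.

Added example, not code from the lab repo. It checks the document the way a
relying party such as PPDM will use it: the issuer must match the realm URL,
RS256 must be offered for ID tokens, response_type=code must be supported,
and the endpoints for the Authorization Code flow must exist and live under
the issuer. SAMPLE_DISCOVERY is a constructed sample, not a live capture.
"""
import json
import urllib.request

DISCOVERY_URL = ("http://ansible.demo.local:8180/realms/ppdm-realm"
                 "/.well-known/openid-configuration")
WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"

# Endpoints PPDM needs for the Authorization Code flow and token validation.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint",
                      "userinfo_endpoint", "jwks_uri")

_ISSUER = "http://ansible.demo.local:8180/realms/ppdm-realm"
# Constructed sample shaped like Keycloak's output (trimmed to what we check).
SAMPLE_DISCOVERY = {
    "issuer": _ISSUER,
    "authorization_endpoint": _ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": _ISSUER + "/protocol/openid-connect/token",
    "userinfo_endpoint": _ISSUER + "/protocol/openid-connect/userinfo",
    "jwks_uri": _ISSUER + "/protocol/openid-connect/certs",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "id_token_signing_alg_values_supported": ["RS256", "ES256", "HS256"],
}


def expected_issuer(discovery_url):
    """The issuer is the discovery URL without the well-known suffix."""
    if not discovery_url.endswith(WELL_KNOWN_SUFFIX):
        raise ValueError("not a well-known OIDC discovery URL: " + discovery_url)
    return discovery_url[: -len(WELL_KNOWN_SUFFIX)]


def check_discovery(doc, discovery_url):
    """Return a list of problems; an empty list means the document is usable."""
    problems = []
    issuer = expected_issuer(discovery_url)
    if doc.get("issuer") != issuer:
        problems.append(f"issuer {doc.get('issuer')!r} does not match {issuer!r}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("Authorization Code flow (response_type=code) not supported")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 not offered for ID tokens; check Realm Settings > Tokens")
    for name in REQUIRED_ENDPOINTS:
        url = doc.get(name)
        if not url:
            problems.append(f"missing {name}")
        elif not url.startswith(issuer + "/"):
            # Endpoints on another host usually mean Keycloak was reached via a
            # hostname that differs from its configured frontend URL.
            problems.append(f"{name} {url!r} is not under the issuer")
    return problems


def fetch_discovery(url=DISCOVERY_URL, timeout=5):
    """Fetch the live discovery document (network access required)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    found = check_discovery(fetch_discovery(), DISCOVERY_URL)
    print("OK" if not found else "\n".join(found))
```

Run it from the Ansible host once Keycloak is up; an empty problem list means the URL is ready to paste into PPDM as the discovery URL. The issuer check matters because PPDM will compare the `iss` claim of every token against the issuer in this document, so reaching Keycloak through a different hostname than the one in the URL will fail login later even though the document downloads fine.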


PPDM-Side Configuration

Step 10: Register Keycloak as an SSO Identity Provider in the PPDM UI

  1. Log in to the PPDM UI as admin
  2. Navigate to Administration → Access Control
  3. Click the Single Sign On tab
  4. Click Add to create a new SSO provider
  5. Fill in the required fields:

| Field | Value |
|---|---|
| Name | Keycloak |
| Identity Provider | Okta |

  6. Click Next
  7. Check “I have configured ….”
  8. Click Next and fill in:

| Field | Value |
|---|---|
| Client ID | ppdm-client |
| Client Secret | <secret from Step 5> |
| Meta Discovery URL | http://ansible.demo.local:8180/realms/ppdm-realm/.well-known/openid-configuration |

  9. Click Next
  10. On Claims, enter:

| Field | Value |
|---|---|
| preferred_username | user_name |
| email | email |
| groups | groups |

  11. Click Next → Apply
  12. Copy the Redirect URL from the next window
  13. Add it to the Valid Redirect URIs of the ppdm-client in Keycloak
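When SSO login fails after this step, the usual cause is a token that does not carry the claims the mapping above expects (the mappers from Step 8 missing, or group names arriving as full paths because “Full group path” was left ON). The script below, an added example and not part of the lab repository, splits a Keycloak ID token, checks the header and the groups / preferred_username claims, and translates them to the PPDM attribute names from the claim mapping. It only inspects claims; signature verification against jwks_uri is PPDM's job and is not done here. The sample token is constructed with a placeholder signature so the script runs offline.

```python
"""Inspect a Keycloak ID token for the claims the PPDM mapping needs.

Added example, not code from the lab repo. The token is split and its claims
checked; the signature is NOT verified here. make_sample_token() builds a
constructed token with a placeholder signature for offline use.
"""
import base64
import json

# Claim mapping configured in PPDM (Keycloak claim -> PPDM attribute).
CLAIM_MAP = {"preferred_username": "user_name", "email": "email", "groups": "groups"}


def b64url_decode(segment):
    """Decode a JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def split_token(token):
    """Return (header, payload) dicts of a compact JWT; signature is ignored."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def check_claims(header, payload):
    """List what would break the PPDM mapping; empty list means all good."""
    problems = []
    if header.get("alg") != "RS256":
        problems.append(f"token alg is {header.get('alg')!r}, expected RS256")
    for claim in CLAIM_MAP:
        if claim not in payload:
            problems.append(f"missing claim {claim!r}; check the protocol mappers")
    groups = payload.get("groups")
    if isinstance(groups, list):
        for group in groups:
            if isinstance(group, str) and group.startswith("/"):
                # A leading slash means the mapper emits full paths, which will
                # not match the plain group name selected in the PPDM role mapping.
                problems.append(f"group {group!r} is a full path; set Full group path OFF")
    elif groups is not None:
        problems.append("groups claim must be a JSON array")
    return problems


def to_ppdm_attributes(payload):
    """Apply the PPDM claim mapping to the token payload."""
    return {ppdm: payload[kc] for kc, ppdm in CLAIM_MAP.items() if kc in payload}


def make_sample_token(groups):
    """Constructed sample ID token (placeholder signature, not a real key)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    payload = {
        "iss": "http://ansible.demo.local:8180/realms/ppdm-realm",
        "aud": "ppdm-client",
        "sub": "constructed-subject-id",
        "preferred_username": "ppdm-admin",
        "email": "admin@demo.local",
        "groups": groups,
    }
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(payload).encode()),
        b64url_encode(b"placeholder-signature"),
    ])


if __name__ == "__main__":
    hdr, body = split_token(make_sample_token(["ppdm-admin"]))
    print(check_claims(hdr, body) or "claims OK")
    print(to_ppdm_attributes(body))
```

To use it on a real token, paste the ID token Keycloak issued (for example from the browser developer tools during the SSO redirect) into split_token(); the problem list points at the mapper or group-path setting to fix.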

Step 11: Map Keycloak Groups to PPDM Roles in the PPDM UI

  1. In the PPDM UI, go to Administration → Access Control
  2. Click the Users/Groups tab
  3. Click Add User/Group to create a new group-to-role mapping
  4. Select AD/LDAP/SSO Groups / Keycloak / ppdm-admin
  5. Select Administrator as the PPDM role
  6. Click Next → Next → Finish
  7. Log out and log in via “Login using Single Sign On”


Summary Checklist

| # | Task | Done? |
|---|---|---|
| 1 | Create Keycloak realm | |
| 2 | Set RS256 as default signing algorithm | |
| 3 | Create confidential OIDC client | |
| 4 | Set valid redirect URI to PPDM callback | |
| 5 | Copy client secret | |
| 6 | Create groups for PPDM roles | |
| 7 | Create users, assign to groups | |
| 8 | Add groups and preferred_username mappers | |
| 9 | Verify well-known OIDC endpoint | |
| 10 | Register Keycloak as OIDC provider in PPDM UI | |
| 11 | Map Keycloak groups to PPDM roles in PPDM UI | |