Configure Keycloak for Open ID Connect with EcoSys - EcoSys - 3.1 - Installation & Upgrade - Hexagon

Configuring OAuth2 token providers for EcoSys and EcoSys Connect


This section covers setting up Keycloak as the OpenID Connect authentication provider for EcoSys. After completing these steps, you will have the following values to use in your EcoSys environment:

  • Base URL

  • Client ID

  • Client Secret

Using these instructions, you can only get started with configuring Okta for Open ID; they do not provide any express or implied guarantee of security. For further information on Keycloak configuration, see https://www.keycloak.org/

  1. Log in to Keycloak with your username and password.

    By default, Keycloak comes with a master realm. You can use the existing master Realm or create a new one.

  2. Click Sign In.

  3. In the General tab, enter the name and Display name.

  4. Click the Login tab. Ensure that the realm being used has Require SSL set to external requests.

  5. To create a new client, go to Configure > Clients and click Create.

    1. Enter the Client ID.

    This Client ID will be used later during the EcoSys setup.

    2. Set the Client Protocol to ‘openid-connect’.

    3. Set the Root URL to your EcoSys URL.

  6. Change Access type to Confidential.

  7. Go to Clients and under the Realm, define the URLs.

  8. Click Save.

  9. Click the Credentials tab and note the value in the Client Secret field.

    The Client Secret will be used later during the EcoSys setup.

  10. The BaseUrl is http://<keycloakServer>:<port>/auth/realms/<RealmName>

    • Any user in the OpenID provider must also be created in EcoSys with Authentication Mode set to Custom.

    • EcoSys uses the "preferred_username" claim received in the token as the login name. If "preferred_username" is not present in the token, it uses the "sub" claim instead. It then validates that value as a login name in its database (generally this is the username/login ID from the provider). The claims that are sent to EcoSys can be configured in the OpenID provider's authorization server settings.
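The login-name rule and the BaseUrl pattern above, as an added Python illustration that is not EcoSys or Keycloak code. It assumes the claims come from a token whose signature the OIDC client has already verified, and models the EcoSys user table as a small dict with an `auth_mode` field; the sample users and token are constructed for the example.

```python
import base64
import json
from typing import Optional

# Constructed sample of EcoSys users (not real data); only 'Custom' users may log in via OpenID.
SAMPLE_USERS = {
    "jdoe": {"auth_mode": "Custom"},
    "asmith": {"auth_mode": "Internal"},   # exists, but not set to Custom -> rejected
}


def base_url(server: str, port: int, realm: str, scheme: str = "https") -> str:
    """Build the BaseUrl from the page's pattern; https is assumed because Require SSL
    is set to external requests in step 4."""
    return f"{scheme}://{server}:{port}/auth/realms/{realm}"


def make_sample_token(claims: dict) -> str:
    """Constructed token for offline demonstration only (placeholder signature);
    a real token comes from Keycloak and is verified before its claims are trusted."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


def decode_payload(token: str) -> dict:
    """Parse the claims segment of a compact JWT (signature already checked upstream)."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def login_name(claims: dict) -> Optional[str]:
    """EcoSys rule: preferred_username if present, otherwise sub, otherwise nothing."""
    return claims.get("preferred_username") or claims.get("sub")


def resolve_user(claims: dict, users: dict) -> Optional[str]:
    """Map the token to an EcoSys login: the name must exist in the user table and that
    user's Authentication Mode must be Custom. Returns the login name or None."""
    name = login_name(claims)
    if name is None:
        return None
    user = users.get(name)
    if user is None or user.get("auth_mode") != "Custom":
        return None
    return name
```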