To connect Keycloak as an OpenID provider to DRACOON, follow the steps described in this article.
Configuration in Keycloak Admin console
- Create a new client in your admin console:
- Configure the client based on the template. You will need to enter three reply URLs: your DRACOON instance URL, the instance URL followed by the path /oauth/openid-callback, and the instance URL followed by the path /oauth/perform_login
- In the Credentials tab you can find the Client Secret for your client:
- You can open your realm's OpenID Endpoint Configuration from the Realm Settings tab; it contains most of the values needed to connect to DRACOON:
System settings in DRACOON
You need to have the DRACOON config manager role to view and edit the following settings.
- In the DRACOON Web App, click System settings and then Authentication.
- Select the checkbox Allow login with OpenID Connect.
- Click Add OpenID Provider.
- Enter your settings for the OpenID Provider Keycloak in DRACOON.
All the values required in DRACOON are listed below, each with the entry of the OpenID Endpoint Configuration (or the Keycloak setting) it is taken from:
- Name: can be freely selected
- IssuerURL: issuer
- Authorization Endpoint-URL: authorization_endpoint
- Token Endpoint-URL: token_endpoint
- UserInfo Endpoint-URL: userinfo_endpoint
- JWKS Endpoint-URL: jwks_uri
- Client-ID: the ID that you assigned to your client
- Client-Secret: the secret from the Credentials tab
- Scopes: openid, email, profile
- Redirect-URIs: the redirect URIs entered in Keycloak
- Proof Key for Code Exchange (PKCE): activation recommended
- PKCE Challenge method: S256
- Mapping Claim: email (recommended setting)
- Fallback User Mapping Claim: sub
- As the final step, save the settings using the Save button. OpenID can now be used as an authentication method in DRACOON.
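A small pre-flight check, added here as an example and not part of this article or of the DRACOON or Keycloak software: it reads a constructed Keycloak OpenID Endpoint Configuration (hostnames are placeholders), maps its entries onto the DRACOON provider fields listed above, and reports anything that would weaken the setup before you save it (non-HTTPS endpoints, endpoints outside the issuer, missing scopes, no S256 PKCE, missing mapping claims).

```python
import json

# Constructed sample of a Keycloak realm's OpenID Endpoint Configuration
# (the .well-known/openid-configuration document); placeholder hostnames.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://keycloak.example/realms/dracoon",
    "authorization_endpoint": "https://keycloak.example/realms/dracoon/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.example/realms/dracoon/protocol/openid-connect/token",
    "userinfo_endpoint": "https://keycloak.example/realms/dracoon/protocol/openid-connect/userinfo",
    "jwks_uri": "https://keycloak.example/realms/dracoon/protocol/openid-connect/certs",
    "scopes_supported": ["openid", "email", "profile", "roles"],
    "code_challenge_methods_supported": ["plain", "S256"],
    "claims_supported": ["sub", "email", "preferred_username"],
})

# DRACOON field name -> key in the OpenID Endpoint Configuration
FIELD_MAP = {
    "IssuerURL": "issuer",
    "Authorization Endpoint-URL": "authorization_endpoint",
    "Token Endpoint-URL": "token_endpoint",
    "UserInfo Endpoint-URL": "userinfo_endpoint",
    "JWKS Endpoint-URL": "jwks_uri",
}
REQUIRED_SCOPES = {"openid", "email", "profile"}   # the scopes DRACOON is given
MAPPING_CLAIMS = ("email", "sub")                  # Mapping Claim and fallback


def dracoon_settings(discovery_json: str) -> dict:
    """Fill the DRACOON provider fields from the discovery document and
    collect a list of problems; an empty list means the values are usable."""
    doc = json.loads(discovery_json)
    settings = {field: doc[key] for field, key in FIELD_MAP.items()}
    problems = []
    issuer = settings["IssuerURL"]
    for field, url in settings.items():
        if not url.startswith("https://"):
            problems.append(f"{field} is not HTTPS: {url}")
        # In Keycloak every endpoint sits under the realm's issuer URL, so an
        # endpoint elsewhere points at a tampered or mismatched document.
        if not url.startswith(issuer):
            problems.append(f"{field} does not belong to issuer {issuer}")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append(f"scopes not offered by the realm: {sorted(missing)}")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE challenge method S256 not supported")
    for claim in MAPPING_CLAIMS:
        if claim not in doc.get("claims_supported", []):
            problems.append(f"mapping claim {claim} not advertised")
    settings.update({"Scopes": "openid, email, profile",
                     "PKCE Challenge method": "S256", "problems": problems})
    return settings
```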
Allow OpenID for users
To let DRACOON users authenticate via OpenID, you need to allow this authentication method for each user.
- In the DRACOON Web App, click Users & Groups, select the user who should be allowed to use OpenID as an authentication method, then click Edit on the right.
- Click the Authentication tab and activate the checkbox Allow login with OpenID Connect.
- Finalize the setting by entering the OpenID username and provider, then click Save user.