Keycloak

Use Keycloak as your Identity Provider.

Configure Keycloak as your identity provider for user authentication. Atolio signs users in using the OpenID Connect authorization code flow against a client you create in your Keycloak realm.

Create OIDC Client

Note: The instructions in this section are only needed when Keycloak is used for authentication of the Atolio web application.

  1. Sign in to the Keycloak admin console and select the realm your users authenticate against from the realm selector in the top-left.
  2. Navigate to “Clients” and click “Create client”.
  3. Leave “Client type” set to “OpenID Connect”, enter a “Client ID” (e.g. atolio), and click “Next”.
  4. Turn on “Client authentication” so the client is confidential and issues a client secret. Leave “Standard flow” enabled under “Authentication flow”; the other flows are not required. Click “Next”.
  5. Under “Valid redirect URIs”, add https://search.example.com/auth/_callback (replace search.example.com with your actual Atolio deployment URL; contact your Atolio onboarding support team if you need clarification on the correct URL).
  6. (Optional) Set “Valid post logout redirect URIs” and “Web origins” to https://search.example.com to scope sign-out and CORS to your deployment.
  7. Click “Save”.
  8. Open the “Credentials” tab and copy the “Client secret”. Save it for later.

The profile and email scopes are part of Keycloak’s default client scopes, so the realm already returns the claims Atolio needs. No custom scope or mapper configuration is required.

Provide Configuration

Provide the following values to your Deployment Engineer to complete OIDC configuration. We recommend storing these in a safe place (e.g. a 1Password secure note).

  • Issuer URL, the realm issuer in the form https://keycloak.example.com/realms/<realm> (replace the host and <realm> with your values)
  • Client ID, the client identifier created above (e.g. atolio)
  • Client Secret, the secret copied from the “Credentials” tab
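Before handing these values over, it is worth checking that they are mutually consistent with what the realm actually advertises: the issuer must match the discovery document byte-for-byte (no trailing slash, https only), the realm must support the authorization code flow with a client secret, and the redirect URI must be exactly the callback from step 5. The following script is an added example, not Atolio's or Keycloak's own code; it assumes a hypothetical host and realm (keycloak.example.com, atolio) and uses a constructed discovery document shaped like Keycloak's /.well-known/openid-configuration response rather than fetching a live one, so it runs offline.

```python
"""Consistency check for the Keycloak OIDC values listed above.

Added example; not Atolio's or Keycloak's own code. It assumes the issuer URL,
client ID and redirect URI from the steps on this page. The discovery document
is a constructed sample shaped like Keycloak's
<issuer>/.well-known/openid-configuration response (hypothetical host/realm).
"""
import json
import secrets
from urllib.parse import urlencode, urlparse

ISSUER_URL = "https://keycloak.example.com/realms/atolio"   # assumed value
CLIENT_ID = "atolio"                                         # client ID from step 3
REDIRECT_URI = "https://search.example.com/auth/_callback"   # callback from step 5

# Constructed sample of a Keycloak discovery document (not fetched from a live server).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": ISSUER_URL,
    "authorization_endpoint": ISSUER_URL + "/protocol/openid-connect/auth",
    "token_endpoint": ISSUER_URL + "/protocol/openid-connect/token",
    "jwks_uri": ISSUER_URL + "/protocol/openid-connect/certs",
    "response_types_supported": ["code", "none", "id_token", "token", "code id_token"],
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "private_key_jwt"],
    "scopes_supported": ["openid", "profile", "email", "roles", "web-origins"],
})


def check_oidc_values(issuer_url: str, discovery_json: str, redirect_uri: str) -> list:
    """Return a list of problems found; an empty list means the values are consistent."""
    problems = []
    doc = json.loads(discovery_json)

    # OIDC Discovery requires the document's "issuer" to equal the configured issuer
    # exactly; a trailing slash or http:// scheme makes ID-token "iss" validation fail.
    if doc.get("issuer") != issuer_url:
        problems.append(f"issuer mismatch: configured {issuer_url!r}, discovery says {doc.get('issuer')!r}")
    iss = urlparse(issuer_url)
    if iss.scheme != "https":
        problems.append("issuer URL must use https")
    if not iss.path.startswith("/realms/") or iss.path.endswith("/"):
        problems.append("issuer path should be /realms/<realm> with no trailing slash")

    # The page's flow is the authorization code flow with a confidential client,
    # so the realm must advertise the pieces that flow depends on.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("realm does not advertise response_type=code")
    if "authorization_code" not in doc.get("grant_types_supported", []):
        problems.append("realm does not advertise the authorization_code grant")
    auth_methods = set(doc.get("token_endpoint_auth_methods_supported", []))
    if not auth_methods & {"client_secret_basic", "client_secret_post"}:
        problems.append("realm does not accept a client secret at the token endpoint")
    for scope in ("openid", "profile", "email"):
        if scope not in doc.get("scopes_supported", []):
            problems.append(f"realm does not advertise the {scope} scope")

    # Step 5 registers a single exact redirect URI, so the value sent at sign-in
    # must be https and carry exactly the /auth/_callback path.
    redir = urlparse(redirect_uri)
    if redir.scheme != "https":
        problems.append("redirect URI must use https")
    if redir.path != "/auth/_callback":
        problems.append("redirect URI path must be /auth/_callback")
    return problems


def build_authorization_url(discovery_json: str, client_id: str, redirect_uri: str) -> dict:
    """Build the first request of the authorization code flow.

    Returns the URL plus the state and nonce so the caller can bind them to the
    session and check them when Keycloak redirects back to /auth/_callback.
    """
    doc = json.loads(discovery_json)
    state = secrets.token_urlsafe(32)   # CSRF binding for the callback
    nonce = secrets.token_urlsafe(32)   # replay binding for the ID token
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
    }
    return {"url": doc["authorization_endpoint"] + "?" + urlencode(params), "state": state, "nonce": nonce}


if __name__ == "__main__":
    issues = check_oidc_values(ISSUER_URL, SAMPLE_DISCOVERY, REDIRECT_URI)
    print("problems:", issues or "none")
    print(build_authorization_url(SAMPLE_DISCOVERY, CLIENT_ID, REDIRECT_URI)["url"])
```

To use it against a real realm, replace SAMPLE_DISCOVERY with the body of https://keycloak.example.com/realms/<realm>/.well-known/openid-configuration for your host and realm; an empty problem list means the three values above are ready to hand to your Deployment Engineer.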

Set Up Keycloak Connector

Once your Atolio infrastructure has been deployed, you will also need to set up the Keycloak Connector so that Atolio can resolve each signed-in user to their Atolio identity and user mappings.