Configure WSO2 Identity Server as a Federated IDP in Keycloak

WSO2 Identity Server provides the capability to integrate different identity providers via federated authenticators in the IS connector store. Similar to how WSO2 IS can delegate an individual’s or entity’s authentication responsibility to a trusted external party, WSO2 IS can be configured as a trusted IDP in other Identity Servers. Here we are going to configure WSO2 IS as an IDP in Keycloak.

Keycloak provides Identity Brokering service, which allows multiple service providers to connect with different identity providers. As shown in the following flow, Keycloak acts as an intermediary to create a trusted relationship with external identity providers. It allows the identities in the trusted external IDPs to consume the resources in service providers.

Identity Brokering Flow in Keycloak

Keycloak has the inbuilt brokering support for social IDPs such as Google, Facebook, Twitter, GitHub, LinkedIn, Microsoft. Also, it can broker identity providers based on the OpenID Connect protocol [1]and SAML- v2.0 protocol [2].

In this blog, we are going to use Keycloak’s identity brokering based on OIDC. This whole process requires only four simple steps. Let’s start!

  1. Configure the service provider in Keycloak.
  2. Configure Keycloak as a service provider in WSO2 Identity Server.
  3. Configure Keycloak as the identity broker. (Configure WSO2 IS as an OIDC IDP in Keycloak)
  4. Import WSO2 IS public certificate into Keycloak’s truststore.

Prerequisites

Keycloak:

  1. Download Keycloak from their product releases.

2. Unzip the pack and navigate to <KEYCLOCK-HOME>/bin , and execute the following command in a terminal. (port offset 100 is optional)

./standalone.sh -Djboss.socket.binding.port-offset=100

3. Once the server startup, Go to http://localhost:8180/auth/ (use http://localhost:8080/auth/ if no offset is applied) and create an admin user to login to the admin console.

4. Once the user got created, you can see a success message as “User Created” . Then access the Administration Console. It will direct you to the login page. Provide the admin credentials and log in.

5. Create a new realm as “demo” following the steps in https://www.keycloak.org/docs/latest/server_admin/#_create-realm.

WSO2 IS:

  1. Download the WSO2 Identity server from their official releases.
  2. Unzip the pack and navigate to <IS_HOME>/ bin, and execute the following command in a terminal.

./wso2server.sh

3. Once the server startup, Go to https://localhost:9443/carbon/, login with admin credentials (username: admin, password: admin). Then create tenants, userstores, and users as required [3].

STEP 01: Configure the service provider in Keycloak.

You can easily configure a SAML / OIDC service provider in Keycloak by following [4]. For this tutorial, I will use ‘account’ client which has http://localhost:8180/auth/realms/demo/account/ base URL.

STEP 02: Configure Keycloak as a service provider in WSO2 Identity Server.

  1. Login to the management console ( https://localhost:9443/carbon/).
  2. Navigate to Main Menu → Service Providers → Add.
  3. Select Mode Manual Configuration . Provide a Service Provider Name. (Description is optional ) and Click Register.

4. Navigate to Inbound Authentication Configuration → OAuth/OpenID Connect Configuration → Configure.

5. Add callback Url: http://localhost:8180/auth/realms/demo/broker/wso2isoidc/endpoint , and click Update.

This is how the callback URL is generated:

http://{keyclock_host}:{keyclock_port}/auth/realms/{realm_name}/broker/{alias_of_idp_in_keycloak}/endpoint

6. Make note of the OAuth Client Key and OAuth Client Secret for future use.

STEP 03: Configure Keycloak as the identity broker. (Configure WSO2 IS as an OIDC IDP in Keycloak)

  1. Click the Identity Providers left menu item, and select OpenID Connect v1.0.

2. Set Alias : wso2isoidc , now Redirect URI will be changed accordingly. That is the URL we gave as the callback URL in STEP 02.

Display Name: WSO2IS-OIDC

Turn ON Enabled, to enable the WSO2 IDP.

3. Configure required fields in OpenID Connect Config section as follows. Also, you can configure the other properties accordingly. Then Save.

Authorization URL: https://localhost:9443/oauth2/authorize
Token URL:
https://localhost:9443/oauth2/token
Client ID
: Noted OAuth Client Key in STEP 02 -> step (6.)
Client Secret:OAuth Client Secret in STEP 02 -> step (6.)

STEP 04: Import WSO2 IS public certificate into Keycloak’s truststore.

In identity brokering, there should be a trust relationship between the Identity servers. Keycloak should trust WSO2 IDP. For that, we need to import the public certificate of WSO2IS to Keycloak.

  1. Navigate to <IS_HOME>/repository/resources/security/ . Open a terminal and execute the following command to export the certificate. (keystore password: wso2carbon) . Then is.cert file will be saved at the same location
keytool -export -file is.cert -keystore wso2carbon.jks -alias wso2carbon

2. Navigate to<KEYCLOCK-HOME/standalone/configuration , and execute the following command to import the certificate. (keystore password: wso2carbon)

keytool -import -alias wso2carbon -keystore truststore.jks -file {path_to_is.cert_file}

3. Restart the Keycloak server.

TRY IT OUT !!

  1. Navigate to the ‘account’ Client via http://localhost:8180/auth/realms/demo/account/ (Navigate to any other client you configured in the realm). You will see the created IDP named WSO2IS-OIDC is listed as an option to authenticate the user. Select it.

2. You will be redirected to the login page of WSO2 IS authentication portal.

3. Give the credentials of a user who resides in WSO2 IS, and click continue.

4. Once the user is authenticated you will be redirected for the consent.

5. Once you continue from this step, you will be redirected to the configured First Login Flow in WSO2IS-OIDC identity provider. Since I have selected first broker login, if no Keycloak account is linked to the authenticated user it prompts for user details as follows. (NOTE: First Login Flow, https://www.keycloak.org/docs/latest/server_admin/#_identity_broker_first_login can be changed as your requirement)

6. Once the account information is updated, the user will be directed to the application.

(NOTE: Even though some user informations get stored in Keycloak, that user can’t be authenticated from Keycloak. User password won’t be saved in Keycloak)

Cheers!! We did it 🥳🥳

I will come back with a new tutorial on how to configure WSO2 IS as a SAML v2.0 IDP in Keycloak.

References:

[1]https://www.keycloak.org/docs/latest/server_admin/#_identity_broker_oidc

[2]https://www.keycloak.org/docs/latest/server_admin/#saml-v2-0-identity-providers

[3]https://is.docs.wso2.com/en/latest/

[4]https://www.keycloak.org/docs/latest/server_admin/#_clients

--

--

--

Senior Software Engineer@ WSO2 | Computer Science and Engineering graduate@ University of Moratuwa, SriLanka

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

How to parse HTML with Regular Expressions

C# Variables

Health Collectable! -Updated!

Let’s make your own operating system (#week06_integrate_user_modes)

Competent Developers Are Underpaid — Here is How to Fix It

Shipa for Kubernetes: Fireside Chat with Kelsey Hightower

Improving Development experience for Node based with package integrity check

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Anuradha Karunarathna

Anuradha Karunarathna

Senior Software Engineer@ WSO2 | Computer Science and Engineering graduate@ University of Moratuwa, SriLanka

More from Medium

Part 1: JWE with Spring Security

Analyse WSO2 Identity Server event logs with ELK (Part 1)

Kafka Security

Configuring Keycloak as an identity Provider in WSO2 Identity Server