Configure Keycloak for OIDC

You can configure Keycloak as an OpenID authentication mechanism in Sysdig.

Prerequisites

Review OpenID Connect (SaaS).

Configure OpenID Provider for Keycloak

The steps below are the minimum required in Keycloak. You may need to adjust them to suit your environment.

  1. Log in to your Keycloak server’s Administrative Console.

  2. Select a realm or create a new one.

  3. Click Clients > Create.

  4. Enter the Client ID of your choosing (e.g. “SysdigMonitor”) and take note of it.

    You will need it for the OpenID Configuration tab in the Sysdig Authentication (SSO) Settings.

  5. Make sure the Client Protocol drop-down has openid-connect selected. Click Save.

  6. Configure the OpenID Connect client:

    • Toggle the Authorization Enabled setting to ON.

    • For Valid Redirect URI, enter one of the following values:

      See SaaS Regions and IP Ranges and identify the correct domain URL (Redirect URI) associated with your Sysdig application and region. For example, domain URLs of Monitor and Secure for US East are:

      • Sysdig Monitor: https://app.sysdigcloud.com/api/oauth/openid/auth

      • Sysdig Secure: https://secure.sysdig.com/api/oauth/openid/secureAuth

      For other regions, the format is https://<region>.app.sysdig.com.

      Replace <region> with the region where your Sysdig application is hosted. For example, for Sysdig Monitor you use https://eu1.app.sysdig.com/api/oauth/openid/auth.

    • Click Save.

  7. Open the Credentials tab. Take note of the Secret that is shown.

    You will need it in the OpenID settings.

  8. Note the Issuer URL. It has the form https://KEYCLOAK_SERVER_ADDRESS/auth/realms/REALM_NAME, where KEYCLOAK_SERVER_ADDRESS and REALM_NAME come from the environment in which you just created the configuration. You will enter it in the OpenID settings.
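
A pre-flight check for the values collected in the steps above, added here as an example and not taken from Sysdig's or Keycloak's own material: it builds the Issuer URL in the step 8 form, compares it with the `issuer` field of the realm's OpenID Connect discovery document, and checks that a redirect URI is an exact Sysdig callback rather than a wildcard. The host `keycloak.example.com`, the realm `sysdig`, the function names and the sample discovery document are assumptions constructed for illustration; fetch the real document from the URL that `discovery_url` returns.

```python
from urllib.parse import urlsplit

# Redirect URI paths this page gives for Sysdig Monitor and Sysdig Secure.
SYSDIG_PATHS = {"/api/oauth/openid/auth", "/api/oauth/openid/secureAuth"}
REQUIRED = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def issuer_url(server, realm):
    """Issuer URL in the form given in step 8."""
    return f"https://{server}/auth/realms/{realm}"

def discovery_url(issuer):
    """Where OpenID Connect Discovery publishes the provider metadata."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_discovery(expected_issuer, doc):
    """Compare a fetched discovery document with the issuer you plan to enter."""
    problems = []
    if doc.get("issuer") != expected_issuer:  # must match character for character
        problems.append(f"issuer mismatch: {doc.get('issuer')!r}")
    for key in REQUIRED:
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    return problems

def check_redirect_uri(uri):
    """Flag a Valid Redirect URI that is broader than an exact Sysdig callback."""
    parts = urlsplit(uri)
    problems = []
    if parts.scheme != "https":
        problems.append("not https")
    if "*" in uri:
        problems.append("wildcard")
    if parts.path not in SYSDIG_PATHS:
        problems.append("path is not a Sysdig OpenID callback")
    return problems

# Constructed sample: a realm served without the /auth prefix, so the issuer
# built from step 8 does not match what the server itself announces.
ISSUER = issuer_url("keycloak.example.com", "sysdig")
BASE = "https://keycloak.example.com/realms/sysdig"
SAMPLE_DOC = {
    "issuer": BASE,
    "authorization_endpoint": BASE + "/protocol/openid-connect/auth",
    "token_endpoint": BASE + "/protocol/openid-connect/token",
    "jwks_uri": BASE + "/protocol/openid-connect/certs",
}

if __name__ == "__main__":
    print(discovery_url(ISSUER))
    print(check_discovery(ISSUER, SAMPLE_DOC))
    print(check_redirect_uri("https://eu1.app.sysdig.com/*"))
```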

Configure Sysdig Settings

To enable Keycloak OpenID functionality on the Sysdig application, you need the following:

  • Client ID

  • Client Secret

  • Issuer URL

See Enable OpenID in Settings to learn how to complete your configuration.