Configure Keycloak for OIDC

You can configure Keycloak as an OpenID authentication mechanism in Sysdig.

Prerequisites

  • Sysdig: Identify your environment and ensure that you meet the prerequisites.
  • Keycloak: Ensure that you have administrative privileges.

Configure OpenID Provider for Keycloak

The instructions below cover a basic Keycloak configuration. You may need to adjust the steps based on the specifics of your environment.

  1. Log in to your Keycloak Administrative Console and create the following:

    • Realm: A realm in Keycloak is equivalent to a tenant. Create one for your Sysdig application.

    • Users: Create users who can access the realm.

    • Client: Create a client for your Sysdig application and take note of the client ID.

      • Client type: Choose OpenID Connect.

      • Client ID: For example, SysdigMonitor. You will use this value in the OpenID Configuration tab of the Sysdig Authentication (SSO) Settings.

      • Client authorization: Toggle this setting to On.

      • Authentication flow: Select Standard flow. This option enables standard OpenID Connect redirect-based authentication with an authorization code.

      • Login Settings: Specify the following:

        • Valid redirect URL: Specify your Sysdig application redirect URL.

          See SaaS Region and IP Ranges and identify the correct Redirect URL associated with your Sysdig application and region. For example, the redirect URLs of Monitor and Secure for US East are:

          • Sysdig Monitor: https://app.sysdigcloud.com/api/oauth/openid/auth

          • Sysdig Secure: https://secure.sysdig.com/api/oauth/openid/secureAuth

  2. Open the Credentials tab. Copy the Secret associated with your client.

    You will need it in the OpenID settings.

Parameters Required for Sysdig Configuration

Copy the following values into the OpenID configuration parameters in the Sysdig authentication settings.

  • Client ID: Copy the value from the Settings tab on your Sysdig Client page.
  • Client Secret: Copy the Client Secret from the Credentials tab.
  • Issuer URL: The Issuer URL has the form https://KEYCLOAK_SERVER_ADDRESS/auth/realms/REALM_NAME, where KEYCLOAK_SERVER_ADDRESS and REALM_NAME come from the environment where you created the configuration. You will enter it in the OpenID settings.

Configure Sysdig Settings

To enable Keycloak OpenID functionality on the Sysdig application, you need the following:

Configuration   Description
Client ID       Specify the value you have copied from the Settings tab on your Sysdig Client page.
Client Secret   Specify the value you have copied from the Client Secret on the Credentials tab.
Issuer URL      The issuer URL will have the following format:
                https://KEYCLOAK_SERVER_ADDRESS/auth/realms/REALM_NAME
                where KEYCLOAK_SERVER_ADDRESS and REALM_NAME are derived from the environment where you created the configuration.
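As an added example (not code from the Sysdig documentation or from Keycloak), the following Python check validates the values the table above asks for before you paste them into the Sysdig settings: it builds the issuer URL in the format shown, derives the realm's discovery endpoint, checks that the metadata the realm publishes names exactly that issuer and advertises the authorization code flow that Standard flow uses, and checks that the redirect URLs are exact HTTPS entries. The hostname keycloak.example.com, the realm name sysdig and the discovery document are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed sample of what a realm publishes at <issuer>/.well-known/openid-configuration.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://keycloak.example.com/auth/realms/sysdig",
    "authorization_endpoint": "https://keycloak.example.com/auth/realms/sysdig/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.example.com/auth/realms/sysdig/protocol/openid-connect/token",
    "jwks_uri": "https://keycloak.example.com/auth/realms/sysdig/protocol/openid-connect/certs",
    "response_types_supported": ["code", "none", "id_token", "token", "code id_token"],
    "grant_types_supported": ["authorization_code", "refresh_token", "client_credentials"],
})

# Redirect URLs from the page (US East); the Keycloak client must list them exactly.
SYSDIG_REDIRECT_URLS = {
    "Sysdig Monitor": "https://app.sysdigcloud.com/api/oauth/openid/auth",
    "Sysdig Secure": "https://secure.sysdig.com/api/oauth/openid/secureAuth",
}

def issuer_url(server_address, realm, legacy_auth_prefix=True):
    # Format from the page. Keycloak 17+ (Quarkus) omits /auth by default; pass False then.
    prefix = "/auth" if legacy_auth_prefix else ""
    return f"https://{server_address}{prefix}/realms/{realm}"

def discovery_url(issuer):
    # Where an OIDC relying party such as Sysdig fetches the realm metadata.
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_discovery(issuer, discovery_json):
    # Empty result: the configured issuer matches the realm exactly, the realm advertises
    # the authorization code flow, and every endpoint lives under that issuer.
    doc = json.loads(discovery_json)
    problems = []
    if doc.get("issuer") != issuer:  # OIDC requires an exact string match
        problems.append(f"issuer mismatch: configured {issuer!r}, realm publishes {doc.get('issuer')!r}")
    if "code" not in doc.get("response_types_supported", []) or "authorization_code" not in doc.get("grant_types_supported", []):
        problems.append("authorization code flow (Keycloak 'Standard flow') is not advertised")
    for name in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not doc.get(name, "").startswith(issuer + "/"):
            problems.append(f"{name} is missing or not under the issuer")
    return problems

def check_redirect_urls(urls):
    # Valid redirect URLs should be exact https URLs; a wildcard or http entry widens
    # where Keycloak is willing to deliver authorization codes.
    problems = []
    for name, url in urls.items():
        parts = urlparse(url)
        if parts.scheme != "https" or "*" in url or parts.fragment:
            problems.append(f"{name}: {url!r} is not an exact https URL")
    return problems
```

Fetch the real document with any HTTP client from the URL discovery_url() returns and pass its body to check_discovery() in place of the sample.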

See Enable OpenID in Settings to learn how to complete your configuration.