Configure Keycloak for OIDC
Prerequisites
Sysdig
- Review OpenID Connect (SaaS).
Keycloak
- Identify your environment and ensure that you meet the prerequisites.
- Ensure that you have administrative privileges.
Configure OpenID Provider for Keycloak
The instructions below cover basic Keycloak configuration. You may need to adjust the steps based on the specifics of your environment.
Log in to your Keycloak Administrative Console and create the following:
Realm: A realm in Keycloak is equivalent to a tenant. Create one for your Sysdig application.
Users: Create users who can access the realm.
Client: Create a client for your Sysdig application and take note of the client ID.
Client type: Choose OpenID Connect.
Client ID: For example, SysdigMonitor. You will use this value in the OpenID Configuration tab in the Sysdig Authentication (SSO) Settings.
Client authorization: Toggle this setting to On.
Authentication flow: Select Standard flow. This option enables standard OpenID Connect redirect-based authentication with an authorization code.
Login Settings: Specify the following:
Valid redirect URL: Specify your Sysdig application redirect URL.
See SaaS Region and IP Ranges and identify the correct Redirect URL associated with your Sysdig application and region. For example, the URLs for Monitor and Secure in US East are:
Sysdig Monitor:
https://app.sysdigcloud.com/api/oauth/openid/auth
Sysdig Secure:
https://secure.sysdig.com/api/oauth/openid/secureAuth
Open the Credentials tab. Copy the Secret associated with your client.
You will need it in the OpenID settings.
Parameters Required for Sysdig Configuration
Copy the following values for the OpenID configuration parameters in the Sysdig authentication settings.
- Client ID: Copy the value from the Settings tab on your Sysdig Client page.
- Client Secret: Copy the Client Secret from the Credentials tab.
- Issuer URL: The Issuer URL has the following format:
https://KEYCLOAK_SERVER_ADDRESS/auth/realms/REALM_NAME
where KEYCLOAK_SERVER_ADDRESS and REALM_NAME are derived from the environment where you created the configuration. You will enter it in the OpenID settings.
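An OpenID Connect relying party expects the issuer value in the provider's discovery document to match the configured Issuer URL exactly, so it is worth checking the URL before entering it. The following Python check is an added example, not part of the original page or Sysdig's tooling; the host keycloak.example.com, the realm sysdig and the sample metadata are constructed, and in practice the document is fetched from the discovery URL the code prints.

```python
import json
from urllib.parse import urlsplit

def issuer_url(server_address: str, realm: str) -> str:
    # Format given on this page for the Issuer URL.
    return f"https://{server_address}/auth/realms/{realm}"

def discovery_url(issuer: str) -> str:
    # OIDC Discovery: provider metadata is served under the issuer at this path.
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_discovery(expected_issuer: str, doc: dict) -> list[str]:
    """Return a list of problems; an empty list means the metadata is consistent."""
    problems = []
    # The issuer must match character for character (scheme, host, path, no extra slash).
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    # Endpoints that carry codes, tokens and signing keys must use HTTPS.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(doc.get(key, "")).scheme != "https":
            problems.append(f"{key} is missing or not https")
    # Standard flow is the authorization code flow, i.e. response type "code".
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow (response type 'code') not advertised")
    return problems

# Constructed sample metadata (hypothetical host and realm), trimmed to the checked fields.
SAMPLE = json.loads("""{
  "issuer": "https://keycloak.example.com/auth/realms/sysdig",
  "authorization_endpoint": "https://keycloak.example.com/auth/realms/sysdig/protocol/openid-connect/auth",
  "token_endpoint": "https://keycloak.example.com/auth/realms/sysdig/protocol/openid-connect/token",
  "jwks_uri": "https://keycloak.example.com/auth/realms/sysdig/protocol/openid-connect/certs",
  "response_types_supported": ["code", "id_token", "code id_token"]
}""")

if __name__ == "__main__":
    issuer = issuer_url("keycloak.example.com", "sysdig")
    print("fetch:", discovery_url(issuer))
    print("problems:", check_discovery(issuer, SAMPLE) or "none")
```

A reported issuer mismatch usually means the path prefix, realm name or a trailing slash differs from what Keycloak actually serves; enter the value Keycloak publishes.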
Configure Sysdig Settings
To enable Keycloak OpenID functionality on the Sysdig application, you need the following:
Configuration | Description |
---|---|
Client ID | Specify the value you have copied from the Settings tab on your Sysdig Client page. |
Client Secret | Specify the value you have copied from the Client Secret on the Credentials tab. |
Issuer URL | The issuer URL will have the following format: https://KEYCLOAK_SERVER_ADDRESS/auth/realms/REALM_NAME where KEYCLOAK_SERVER_ADDRESS and REALM_NAME are derived from the environment where you created the configuration. |
See Enable OpenID in Settings to learn how to complete your configuration.