Keycloak (OpenID On-Prem)

Prerequisites

Sysdig

Keycloak

  • Identify your environment and ensure that you meet the prerequisites.
  • Ensure that you have administrative privileges.

Configure OpenID Provider for Keycloak

The instructions below cover basic Keycloak configuration. You may need to adjust these steps to the specifics of your environment.

  1. Log in to your Keycloak Administrative Console and create the following:

    • Realm: A realm in Keycloak is equivalent to a tenant. Create one for your Sysdig application.

    • Users: Create users who can access the realm.

    • Client: Create a client for your Sysdig application and take note of the client ID.

      • Client type: Choose OpenID Connect.

      • Client ID: For example, SysdigMonitor. You will use this value for the OpenID Configuration tab in the Sysdig Authentication (SSO) Settings.

      • Client authorization: Toggle this setting to On.

      • Authentication flow: Select Standard flow. This option enables standard OpenID Connect redirect-based authentication using an authorization code.

      • Login Settings: Specify the following:

        • Valid redirect URL: Enter one of the following values, replacing HOSTNAME with the hostname through which your users access the Sysdig application and PORT with the TCP port number (typically 443):

          Sysdig Monitor: https://HOSTNAME:PORT/api/oauth/openid/auth

          Sysdig Secure: https://HOSTNAME:PORT/api/oauth/openid/secureAuth

  2. Open the Credentials tab. Copy the Secret associated with your client.

    You will need it while completing the configuration in the Sysdig platform.

Parameters Required for Sysdig Configuration

Copy the following for the OpenID configuration parameters in the Sysdig authentication settings.

  • Client ID: Copy the value from the Settings tab on your Sysdig Client page.
  • Client Secrets: Copy the Client Secret from the Credentials tab.
  • Issuer URL: The Issuer URL has the format https://KEYCLOAK_SERVER_ADDRESS/auth/realms/REALM_NAME, where KEYCLOAK_SERVER_ADDRESS and REALM_NAME come from the environment in which you created the configuration. You will enter it in the OpenID settings.

Configure Sysdig Settings

To enable Keycloak OpenID functionality on the Sysdig application, you need the following:

Configuration    Description
Client ID        Specify the value you copied from the Settings tab on your Sysdig Client page.
Client Secret    Specify the value you copied from the Client Secret on the Credentials tab.
Issuer URL       The issuer URL has the following format: https://KEYCLOAK_SERVER_ADDRESS/auth/realms/REALM_NAME, where KEYCLOAK_SERVER_ADDRESS and REALM_NAME come from the environment in which you created the configuration.
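The Issuer URL entered in Sysdig must match the issuer the realm advertises (and the iss claim in its tokens) byte for byte, and the client's Valid redirect URIs must contain the exact Sysdig callback. The following added example, which is not part of this page or of Sysdig's own tooling, builds those values from the formats above and checks them against a realm's OpenID discovery document; the hostnames and the embedded discovery JSON are constructed sample data, and the /auth context path is assumed as shown on this page.

```python
"""Sanity-check a Keycloak realm's OpenID setup for Sysdig SSO (added example)."""
import json
from urllib.parse import urlparse

# Constructed sample of what ISSUER_URL/.well-known/openid-configuration
# returns for a realm named "sysdig"; trimmed to the fields this check reads.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://keycloak.example.internal/auth/realms/sysdig",
    "authorization_endpoint": "https://keycloak.example.internal/auth/realms/sysdig/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.example.internal/auth/realms/sysdig/protocol/openid-connect/token",
    "response_types_supported": ["code", "none", "id_token", "token"],
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
})


def issuer_url(keycloak_server_address, realm_name):
    """Issuer URL in the format the Sysdig OpenID settings expect (no trailing slash)."""
    return f"https://{keycloak_server_address}/auth/realms/{realm_name}"


def sysdig_redirect_uris(hostname, port=443):
    """Valid redirect URIs for Sysdig Monitor and Sysdig Secure."""
    base = f"https://{hostname}:{port}/api/oauth/openid"
    return {"monitor": f"{base}/auth", "secure": f"{base}/secureAuth"}


def missing_redirect_uris(configured_uris, hostname, port=443):
    """Names of the Sysdig callbacks absent from the client's Valid redirect URIs."""
    configured = set(configured_uris)
    return sorted(n for n, uri in sysdig_redirect_uris(hostname, port).items()
                  if uri not in configured)


def check_discovery(discovery_json, expected_issuer):
    """Return the problems found in a discovery document; an empty list means it looks right."""
    doc = json.loads(discovery_json)
    problems = []
    # Exact string comparison on purpose: a stray trailing slash or http://
    # makes the iss claim differ from what Sysdig was configured with.
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    # Standard flow = authorization code; both must be advertised by the realm.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("realm does not advertise the 'code' response type")
    if "authorization_code" not in doc.get("grant_types_supported", []):
        problems.append("realm does not advertise the authorization_code grant")
    for key in ("authorization_endpoint", "token_endpoint"):
        if urlparse(doc.get(key, "")).scheme != "https":
            problems.append(f"{key} is not served over https")
    return problems
```

Against a live realm, fetch the discovery document from ISSUER_URL/.well-known/openid-configuration and pass its body to check_discovery.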

See OpenID Connect (On-Prem) to complete the configuration in the Sysdig platform.