EFS SSO Guide With Keycloak


This tutorial explains how to set up Single Sign-On (SSO) with EFS by configuring the EFS Keycloak as a trusted Identity Provider (IDP) in a base platform's Keycloak.

Follow the steps below to register the EFS Keycloak as a trusted IDP in your base platform Keycloak so that EFS users can log in with SSO.

Set up a trusted client in EFS

You need to create a client in EFS for your base platform (e.g. a NIMBLE client, a Composition client, etc.).

Step 1

Create a client in the Master realm in Keycloak.

Figure 1: Create a new Client in EFS

Step 2

Create a client for the relevant base platform and select OpenID Connect as the client protocol.

Figure 2: Create a new OpenID-Connect Client in EFS

Step 3

Provide a valid redirect URL to which the user is redirected after a successful login. This should be the base platform Keycloak URL; keep it as specific as possible rather than a wildcard, since Keycloak will only redirect to URLs matching this list.

Figure 3: Configure redirect URL

Step 4

Note down the client ID (e.g. nimble-federation-client) and the client secret; both are provided to the base platform when it registers EFS as a trusted identity provider. Treat the secret as a credential and share it only over a secure channel.

Step 5 (Optional)

Depending on the security requirements, the admin can assign roles and scopes to the client.

Figure 4: Configure Client Roles

Set up EFPF as the trusted IDP in a Base Platform

Step 1

  • Log in to the base platform's Keycloak and create a trusted Identity Provider.
  • Select Keycloak OpenID Connect as the identity provider type.

Figure 5: Created as trusted IDP

Step 2

  • Provide a display name and an alias, and enable the identity provider.
  • Configure the EFPF IDP related information in this tab.
  • Copy the client ID and secret from the EFPF trusted client into the relevant fields.

Figure 6: Configure EFS as the trusted IDP

After configuring the trusted identity provider, the base platform's Keycloak login page will show a "Login with EFPF" option.

Figure 7: Login with EFPF to the base platform

SSO with External Login Pages

If you are using an external login page instead of the Keycloak login page, then you need to pass an IDP hint to the base platform's Keycloak as below.


Configure Trust Store for Keycloak

The EFPF and base platform public certificates should be shared between both Keycloak servers, so that each Keycloak trusts the other's certificate when it connects to the other's OpenID Connect endpoints.

The following documentation describes how to configure the trust store: https://www.keycloak.org/docs/7.0/server_installation/#_truststore