OpenShift, SSO and KeyCloak and Active Directory | DELL Technologies (2023)

Motivation for this article. There is no easy-to-follow example of using Keycloak OpenID Connect (OIDC) authentication with OpenShift using Active Directory as the user federation source.

Furthermore, most examples on the internet for OIDC also assume the following:

  • The KeyCloak OIDC server certificate is signed by a well-known external certificate authority,
  • You already know how to extract a certificate from the Keycloak server and create the ca.crt file in the proper format for OpenShift to interpret.

In my case, the KeyCloak server is a private entity and not exposed to the internet. Also, I will use a self-signed certificate, as the KeyCloak server is internal and accessible via a private IP. So I had to resort to a method that would work with these limitations.

What will we get?

OpenShift OAuth workflow with KeyCloak OIDC and Active Directory user federation.

  • In this example, you will configure KeyCloak as an OIDC provider for the provisioned OpenShift cluster
  • The KeyCloak server will run as a pod on the OpenShift cluster in a dedicated project
  • Once the KeyCloak server is up and running, we will create a new realm and client configuration for the OpenShift cluster
  • Next, we will configure Active Directory user federation with read-only access to allow AD domain users to connect to OpenShift cluster via Keycloak IDP
  • Next, we will configure a new OAuth identity provider on the OpenShift cluster to connect to the Keycloak server as defined in the client configuration above
  • Finally, we will configure the RBAC permissions on the OpenShift cluster to create a new group and role membership to assign specific users to the cluster admin role


Your OpenShift cluster is configured and ready to go. Make sure the proper Red Hat installation process is completed according to your preferred platform and version.

You have a wildcard FQDN record registered in your DNS server for the OpenShift cluster, which maps to the IP address of the Ingress VIP that your applications and the Keycloak server will use.

*.apps. . x.x.x.x (example: *.apps.cluster-01.lab.local)

The stand-alone or single-node cluster deployment model will also work just fine. However, for this article and demo environment, we used a 3-node cluster deployment with programmable master and worker nodes.

In summary, you can perform the following actions on a Linux machine that has the openshift-install binary and access to vCenter Server if you are using IPI in a vSphere environment.

Create the following DNS entries:

    . . x.x.x.x
    *.apps. . x.x.x.x

Download and extract the vCenter certificates - https:// /certs/

    cp certs/lin/* /etc/pki/ca-trust/source/anchors
    update-ca-trust extract

Create the installation directory and template configuration:

    mkdir
    ./openshift-install create install-config --dir
    ? Platform vsphere
    ? vCenter
    ? Username admin@vsphere.local
    ? Password [? for help] *************
    ? Set ; Default Datastore
    ? Virtual IP Address for API
    ? Virtual IP Address for Ingress
    ? Base Domain
    ? Cluster Name
    ? Pull Secret [? for help]

Edit the install config file only if you want to deploy a 3-node cluster (the default will deploy 3 x masters + 3 worker nodes):

    cd
    vi install-config.yaml
    #### edit worker node ##
    ## replicas: 0
    ../openshift-install create manifests

Note: WARNING Making control-plane schedulable by setting MastersSchedulable to true for Scheduler cluster settings

Start the cluster deployment (total build time about 20-30 minutes):

    cd ..
    ./openshift-install create cluster --dir --log-level=info

Once the cluster is successfully deployed and completed, you can use the generated kubeconfig file to authenticate and connect to the cluster via the kubectl cli tool

    export KUBECONFIG=~/ /auth/kubeconfig
    kubectl get nodes

Additionally, we will use the oc tool provided by RedHat to perform CLI-based actions on the cluster. Download the oc toolset and install as appropriate (e.g.

    oc login
    You must obtain an API token by visiting https://oauth-openshift.apps. . /oauth/token/request

Use the kubeadmin password provided when completing the cluster deployment to log in and retrieve the token (username "kubeadmin", password "xxxxx-xxxxx-xxxxx-xxxxx"). Display the token and copy the complete oc login command:

    oc login --token=sha256~xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx --server=https://api. . :6443
    oc get nodes

We are now ready to proceed with KeyCloak server deployment and configuration.

Step 1: Deploy KeyCloak Server Pod

We will use the oc tool to create a new project and deploy the Keycloak server from a GitHub repository as documented in the following guide (

    oc new-project keycloak
    oc process -f \
      -p KEYCLOAK_ADMIN=admin \
      -p KEYCLOAK_ADMIN_PASSWORD= \
      -p NAMESPACE=keycloak \
    | oc create -f -

You should see the following output:

    service/keycloak created

Wait a few minutes and verify that the pod is created and running:

    oc get pods

You should see a status similar to the one below:

    NAME                READY   STATUS      RESTARTS   AGE
    keycloak-1-deploy   0/1     Completed   0          1m
    keycloak-1-l9kdx    1/1     Running     0          1m

Run the following command to extract the URLs for the Keycloak admin and account consoles:

    KEYCLOAK_URL=https://$(oc get route keycloak --template='{{ .spec.host }}') &&
    echo "" &&
    echo "Keycloak: $KEYCLOAK_URL" &&
    echo "Keycloak Admin Console: $KEYCLOAK_URL/admin" &&
    echo "Keycloak Account Console: $KEYCLOAK_URL/account" &&
    echo ""

Step 2: Create Realm and Client on KeyCloak Server

You can browse to the KeyCloak Admin Console FQDN and login to the Admin Console with the URL retrieved in the previous step and the credentials below.

https://keycloak-keycloak.apps. . /admin

User name: admin

After successfully logging in, you can change your admin password by accessing the account management console using the link in the upper right corner of the screen.

Once redirected to the account management console, click on the Sign in link located under Account Security

And update your password with a new password

You can then navigate back to the admin console using the link in the top right corner of the screen

We will now create a new realm by hovering over the Master dropdown in the top left corner and clicking on the Add realm button

Give the realm a name and make sure the Enabled toggle is on before clicking the Create button

Next we will create a new client to be used by the OpenShift cluster.

Go to the Clients tab using the left menu and click on the Create button in the upper right corner of the Clients page

Provide a Client ID and make a note of the exact name, as we will need it later in configuring OpenShift OAuth.

Select the openid-connect protocol and leave the Root URL blank before clicking Save

After saving the client, you will see more options that can be imported.

Leave the defaults except the following.

Save the settings before continuing

Do not create users or groups as we will be using Active Directory user accounts and group/RBAC roles will be defined in the OpenShift cluster later in this article.

Step 3: Configure an LDAP User Federation Provider to Connect Keycloak to Active Directory


Before beginning this step, you must retrieve the following details from the Active Directory server.

  • A user account to connect the Keycloak server to the domain
    (this can be a service account or any user that already exists. For example, admin)
  • A valid bind DN for the service account. It can be retrieved by running the following command on the AD controller
    • dsquery user -name <username>

  • A valid Users DN, which is usually the default Users folder unless a specific setting is implemented
    Example default Users DN: CN=Users,DC=lab,DC=local

After collecting the above information, you can proceed as follows

Go to the User Federation page and add a new LDAP provider as shown below.

Make sure the Enabled and Import Users buttons are enabled

Select edit mode as READ_ONLY

Select Active Directory as the vendor from the drop-down list

Enter the Connection URL as ldap://

Then enter the User DN, Bind DN, and Bind Credentials in the fields and test the connection and authentication to make sure they are correct

All other fields can be left at default and saved when completed

Step 4: Configure OAuth Settings on the OpenShift Cluster

The OAuth configuration is specific to the client configured on the Keycloak server. If you want to add another cluster, repeat step 2 and create a new client for each OpenShift cluster.

Now we need to retrieve the SSL certificate from the Keycloak server, as we will be importing this certificate into the OpenShift cluster as a trusted certificate.

On a Linux host, run the following command.

    echo | openssl s_client -showcerts -connect keycloak-keycloak.apps. . :443 2>&1 | sed --quiet '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > keycloak.crt

The above command will create a file called keycloak.crt that contains the certificate chain for the self-signed Keycloak certificate.

Download this file to your desktop as we will be using it to upload to OpenShift via the web console.

Log into the OpenShift console using the URL provided by the installer during deployment and the kubeadmin username/password
(for example, https://console-openshift-console.apps. . )

Once logged into the console, go to the Administration -> Cluster Settings page and go to the Configuration tab

Scroll down and click on the OAuth link

You should now see the option to add a new identity provider by selecting the dropdown at the bottom of the screen

Click the dropdown menu and select OpenID Connect

Now we need to get the Keycloak client secret credentials we created earlier. Log into the Keycloak admin console and find the credentials tab in the client configuration.

Copy the secret string and paste it into the OpenShift OAuth configuration under client secret.

Enter the IDP name as keycloak and provide the same Client ID configured in Keycloak server.

Enter the Issuer URL as
https:// /realms/

Finally, click on the browse button and upload the keycloak.crt file with the certificate we extracted in the previous step and click on the Add button.
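
The console steps above can also be expressed as manifests, which makes the ca.crt format mentioned in the introduction explicit: the certificate is stored under a ConfigMap key named ca.crt in the openshift-config namespace. This is an added example, not part of the original article; the object names keycloak-ca and keycloak-client-secret and the input checks are assumptions.

```shell
#!/bin/sh
# Added example. Object names keycloak-ca and keycloak-client-secret are
# assumptions; create the secret separately so it never lands in a file:
#   oc create secret generic keycloak-client-secret \
#     --from-literal=clientSecret=CLIENT_SECRET -n openshift-config

# render_oauth_idp ISSUER CLIENT_ID CA_FILE: YAML on stdout, non-zero on bad input
render_oauth_idp() {
  issuer=$1; client_id=$2; ca_file=$3
  # OpenShift accepts only an https issuer without query or fragment, and it
  # must equal the issuer Keycloak publishes, which has no trailing slash.
  case "$issuer" in
    */|*\?*|*\#*) echo "issuer: no trailing /, ?query or #fragment" >&2; return 1 ;;
    https://*/realms/*) ;;
    *) echo "issuer must be https://HOST/realms/REALM" >&2; return 1 ;;
  esac
  # The sed filter must have captured at least one complete PEM block.
  begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$ca_file") || begins=0
  ends=$(grep -c -- '-----END CERTIFICATE-----' "$ca_file") || ends=0
  if [ "$begins" -lt 1 ] || [ "$begins" -ne "$ends" ]; then
    echo "$ca_file: no complete PEM certificate" >&2; return 1
  fi
  cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: keycloak-ca
  namespace: openshift-config
data:
  ca.crt: |
$(sed 's/^/    /' "$ca_file")
---
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: keycloak
    mappingMethod: claim
    type: OpenID
    openID:
      clientID: $client_id
      clientSecret: {name: keycloak-client-secret}
      ca: {name: keycloak-ca}
      issuer: $issuer
      claims: {preferredUsername: [preferred_username]}
EOF
}
```

Pipe the output to `oc apply -f -`; this sets spec.identityProviders to exactly the list in the manifest, so merge in any providers already configured. Because s_client saves whatever certificate the connection presented, compare `openssl x509 -in keycloak.crt -noout -fingerprint -sha256` with the certificate configured on the Keycloak route before trusting the file.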

Step 5: Configure RBAC on the OpenShift Cluster to Grant Cluster Admin Rights to Specific Users

Now that we have the OAuth identity provider configured and Keycloak integrated with Active Directory, we need to define how a user can be assigned different RBAC roles and permissions.

In this example, we will create a group and assign role membership to the Cluster Administrator role. We can then add users to the group and they will inherit the cluster admin role. RBAC can be implemented in many different ways, but this is a simple example of a starter POC that shows the implementation of OIDC leveraging AD users and OpenShift controlled RBAC.

In the OpenShift console, go to User Management -> Groups

Click Create Group and fill in the yaml definition with a group name and the Active Directory user accounts you want to grant cluster admin access to

Create the group, go to configuration and go to the RoleBindings tab

Create a new binding, select Cluster-wide role binding and provide a name, then select the cluster-admin role from the Role Name drop-down menu
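
The group and cluster-wide binding created in the console above, written as manifests so the grant of cluster admin rights can be reviewed and versioned. This is an added example, not part of the original article; the binding name and the user-name check are assumptions.

```shell
#!/bin/sh
# Added example. The binding name "GROUP-cluster-admin" is an assumption.

# render_admin_group GROUP USER...: YAML on stdout, non-zero on bad input
render_admin_group() {
  [ "$#" -ge 2 ] || { echo "usage: render_admin_group GROUP USER..." >&2; return 1; }
  group=$1; shift
  for u in "$@"; do
    # Membership is matched against the OpenShift user name, i.e. the claim
    # the identity provider maps to it (preferred_username here), not the
    # Active Directory DN. Heuristic: refuse entries that look like a DN.
    case "$u" in
      ''|*=*|*,*) echo "not a user name: '$u'" >&2; return 1 ;;
    esac
  done
  cat <<EOF
apiVersion: user.openshift.io/v1
kind: Group
metadata:
  name: $group
users:
$(printf '%s\n' "$@" | sed 's/^/- /')
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${group}-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: $group
EOF
}
```

For example, `render_admin_group cluster-admins alice | oc apply -f -`, where alice is a constructed user name.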

Final step: Testing

At this stage, all configuration is complete and we can test access for our users with their respective rights. We will do this by logging in as an AD user who has not been added to the cluster-admins group and as a user who has been added to the group, to compare the different access rights.

First log out of the console and reload the console page to confirm the new IDP is available as shown below.

Click the keycloak button to log in as an AD user.

We will use test_user in this example as a standard user with no additional privileges.

You will notice after logging in that the user does not have access to existing projects or administrative functions such as cluster level settings

Now log out of that user and log in with another user added to the cluster-admins group.

You should immediately notice the difference and the cluster admin user will have full rights to the entire cluster.

That takes us to the end of the article and the implementation of OIDC SSO with Keycloak and Active Directory. I hope you enjoyed the demo and that it will be useful in your own POC deployments, labs, and production environments.

Be careful



Can Keycloak be used for SSO? ›

Keycloak is an open-source software solution designed to provide single sign-on access to applications and services. It allows users to authenticate once and access multiple applications without needing to re-enter their credentials.

What is Redhat Keycloak? ›

Keycloak is a single sign-on solution for web apps and RESTful web services. The goal of Keycloak is to make it easy for application developers to secure their apps and services.

How to implement SSO with Active Directory? ›

How To Implement Single Sign-On Using Active Directory
  1. Make an Application Matrix. The first step for any single sign-on implementation is to identify all of the different applications that you want to roll out at different phases. ...
  2. Independent Active Directory Integrations. ...
  3. Third-Party Vendors. ...
  4. Use Microsoft AD FS.

Does SSO require Active Directory? ›

So, the short answer to the question of whether you need both AD and SSO is no — you don't specifically need both AD and an SSO solution.

What is the difference between Redhat SSO and Keycloak? ›

Keycloak is an open source solution and as such is free to use. The enterprise variant of Keycloak, Red Hat SSO, has its pricing based on the amount of CPU cores that are running the software. This is a common pricing model for Red Hat products.

How to configure Keycloak with Active Directory? ›

Connecting Keycloak to Active Directory
  1. Open the Administration Console .
  2. Log on with the pre-configured user admin and password SealAdmin1 .
  3. In the Configure menu on the left, select User Federation to display the entry dialog.
  4. In the drop-down menu, select ldap .
  5. Save your settings. Caution - later changes.
Jul 26, 2023

Is Keycloak outdated? ›

The Keycloak Java adapters will remain for a while though, at least towards the end of the year, but likely not be removed until early 2024. At the same time don't expect the adapters to be updated in terms of adding new features, enhancements, or supporting newer versions of Tomcat, Jetty, WildFly, or Spring.

How do you use Keycloak as SSO? ›

Configuring Keycloak
  1. Log in to Keycloak and open the administration console.
  2. Select the realm that you want to use for federation.
  3. In the menu, select Clients.
  4. Click Create client.
  5. Configure the following settings for the client: KeyCloak 19 or later KeyCloak 18 or earlier. Client type: SAML. ...
  6. Click Save.
  7. Click Save.
Feb 27, 2023

Is Keycloak a SAML provider? ›

Keycloak uses open protocol standards like OpenID Connect or SAML 2.0 to secure your applications. Browser applications redirect a user's browser from the application to the Keycloak authentication server where they enter their credentials.

Does Keycloak use SAML? ›

The JBoss KeyCloak system is a widely used and open-source identity management system that supports integration with applications via SAML and OpenID Connect.

Does Keycloak use SAML or OpenID? ›

Choosing between OpenID Connect and SAML is not just a matter of using a newer protocol (OIDC) instead of the older more mature protocol (SAML). In most cases Keycloak recommends using OIDC. SAML tends to be a bit more verbose than OIDC.


Article information

Author: Arline Emard IV

Last Updated: 06/10/2023
