[User management] Identity Provider Configuration Examples
- 1 Overview
- 2 Accessing the Admin Console Page
- 2.1 Application Settings
- 2.2 Top Bar Menu
- 3 Okta Identity Provider Configuration
- 4 Account Information Configuration
- 5 ⚠️ Notes on Sharing Email Addresses Between Local and Identity Provider Users
- 6 Social Network Configuration
- 6.1 Google
- 6.2 LinkedIn OpenID Connect
- 7 Update the Authentication Flow to Enforce Login via Identity Provider
Overview
Keycloak User Login via Third-Party Identity Providers
Integrating third-party Identity Providers with Keycloak requires configuration on both the AGILITY Keycloak side and the external provider.
This guide walks you through adding Okta as an Identity Provider in Keycloak. It covers initial login testing and then details how to set up attribute mappings that automatically populate user data from the Okta token, streamlining user management and improving the authentication flow.
Accessing the Admin Console Page
There are two ways to access this page through the AGILITY user interface: via the Application Settings panel or from the top navigation bar menu. Both options will take you to the same destination—choose the one that best fits your workflow.
Application Settings
Users can access the Admin Console page from the Application Settings page within AGILITY:
From the main navigation sidebar, click Applications.
(Screenshot: Main Navigation Menu: Application)
Scroll down to locate the Admin Console card.
(Screenshot: Applications: Admin Console Card)
Click the Go to Admin Console button—you’ll be redirected to the Admin Console home page.
Top Bar Menu
Users can also access the Admin Console page from the Top Navigation Bar within AGILITY:
From the top navigation bar, click the More button.
Locate the Admin Console from the list.
Click on it to open the feature page—you’ll be redirected to the Admin Console home page.
You may be prompted to authenticate by entering your AGILITY credentials before accessing the Admin Console page.
Okta Identity Provider Configuration
After accessing the AGILITY Admin Console as described in the previous section:
Select Configure → Identity Providers, then choose OpenID Connect v1.0.
Complete the form:
Alias: byond0
Display name: Sign-in with B-Yond
Discovery endpoint: https://idpnew.b-yond.com/.well-known/openid-configuration
Client ID: 0oa4wmwi7n4QouELz4x7
Client Secret: XXXXXXXXXXXXXX
The Client ID and Client Secret are provided by the administrator of the Identity Provider.
Click Add to proceed.
Confirm that Okta supports login redirection to:
https://agility.example.com/cv/auth/realms/agility/broker/byond0/endpoint
Set the logout redirect URL to:
https://agility.example.com/cv/auth/realms/agility/broker/byond0/endpoint/logout_response
The screenshot shown is for illustrative purposes only. It uses a wildcard for the login URL instead of the full domain.
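The same provider definition, expressed as data for the Keycloak Admin REST API, makes it easy to review what the console form actually stores. The following is an added example and is not code from the AGILITY documentation or from Keycloak: it validates a discovery document before trusting it (the issuer must match the discovery URL and every endpoint must be HTTPS), builds the representation accepted at POST /admin/realms/{realm}/identity-provider/instances, and derives the two redirect URLs listed above from the Keycloak base path, realm and alias. The discovery document in the block is a constructed sample, the client secret is a placeholder, and the Keycloak base path https://agility.example.com/cv/auth is read off the redirect URLs shown above.

```python
"""Added example (not from the AGILITY documentation or from Keycloak):
builds the identity-provider representation that the Keycloak Admin REST API
accepts at POST /admin/realms/{realm}/identity-provider/instances, validates
the discovery document first, and derives the redirect URLs to register in Okta.
The discovery document below is a constructed sample; the secret is a placeholder.
"""
import json
from urllib.parse import urlparse

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"

# Constructed sample of the fields an OpenID Connect discovery document carries;
# the real endpoints are whatever https://idpnew.b-yond.com publishes.
SAMPLE_DISCOVERY = {
    "issuer": "https://idpnew.b-yond.com",
    "authorization_endpoint": "https://idpnew.b-yond.com/oauth2/v1/authorize",
    "token_endpoint": "https://idpnew.b-yond.com/oauth2/v1/token",
    "userinfo_endpoint": "https://idpnew.b-yond.com/oauth2/v1/userinfo",
    "jwks_uri": "https://idpnew.b-yond.com/oauth2/v1/keys",
    "end_session_endpoint": "https://idpnew.b-yond.com/oauth2/v1/logout",
}


def check_discovery(discovery: dict, discovery_url: str) -> None:
    """Refuse a discovery document that does not belong to the URL it came from.

    OpenID Connect Discovery requires the issuer to equal the discovery URL minus
    the well-known suffix; a mismatch means tokens would be validated against
    keys from an authority other than the one the operator intended.
    """
    if not discovery_url.endswith(DISCOVERY_SUFFIX):
        raise ValueError(f"{discovery_url!r} is not a discovery URL")
    expected_issuer = discovery_url[: -len(DISCOVERY_SUFFIX)]
    if discovery["issuer"].rstrip("/") != expected_issuer.rstrip("/"):
        raise ValueError(f"issuer {discovery['issuer']!r} does not match {discovery_url!r}")
    for key in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri"):
        if urlparse(discovery[key]).scheme != "https":
            raise ValueError(f"{key} must be served over https")


def build_oidc_idp(alias: str, display_name: str, discovery_url: str, discovery: dict,
                   client_id: str, client_secret: str,
                   scopes: str = "openid profile groups") -> dict:
    """Return the IdentityProviderRepresentation for an 'oidc' provider.

    Keycloak stores the provider config as strings, so booleans are "true"/"false".
    """
    check_discovery(discovery, discovery_url)
    return {
        "alias": alias,
        "displayName": display_name,
        "providerId": "oidc",
        "enabled": True,
        "trustEmail": False,  # keep Keycloak's own e-mail verification in the loop
        "storeToken": False,  # nothing needs the upstream tokens after login
        "firstBrokerLoginFlowAlias": "first broker login",
        "config": {
            "issuer": discovery["issuer"],
            "authorizationUrl": discovery["authorization_endpoint"],
            "tokenUrl": discovery["token_endpoint"],
            "userInfoUrl": discovery["userinfo_endpoint"],
            "logoutUrl": discovery.get("end_session_endpoint", ""),
            "jwksUrl": discovery["jwks_uri"],
            "useJwksUrl": "true",
            "validateSignature": "true",
            "clientId": client_id,
            "clientSecret": client_secret,
            "clientAuthMethod": "client_secret_post",
            "defaultScope": scopes,  # the Requested Scopes field in the console
            "syncMode": "IMPORT",
        },
    }


def broker_redirect_urls(keycloak_base: str, realm: str, alias: str) -> dict:
    """Derive the URLs Okta must allow: Keycloak's broker endpoint for this alias."""
    endpoint = f"{keycloak_base.rstrip('/')}/realms/{realm}/broker/{alias}/endpoint"
    return {"login": endpoint, "logout": endpoint + "/logout_response"}


if __name__ == "__main__":
    idp = build_oidc_idp("byond0", "Sign-in with B-Yond",
                         "https://idpnew.b-yond.com" + DISCOVERY_SUFFIX, SAMPLE_DISCOVERY,
                         "0oa4wmwi7n4QouELz4x7", "REPLACE_WITH_CLIENT_SECRET")
    print(json.dumps(idp, indent=2))
    print(broker_redirect_urls("https://agility.example.com/cv/auth", "agility", "byond0"))
```

The issuer check is the part worth keeping even if you never script the provider creation: the console's Discovery endpoint field trusts whatever document it fetches, so confirming that the issuer really is the host you typed is the operator's job.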
You’re now ready to log in.
Open a new browser window and navigate to the application home page:
https://agility.example.com/cv/
Click "Sign in with B-Yond".
On your first login, you’ll be prompted to Update Account Information.
Fill in the required details and click Submit to complete the process.
Account Information Configuration
The Update Account Information prompt during first login can be resolved by configuring the correct attribute mappings.
Complete the steps outlined in the Accessing the Admin Console section.
Navigate to Configure → Identity Providers → Sign in with B-Yond → Advanced tab.
Ensure the Requested Scopes field includes at least the following values:
openid profile groups
Click Save to apply your changes.
Then, go to the Mappers tab and click Add Mapper to begin configuring attribute mappings.
Create mappers for the following user attributes:
firstName
lastName
username
email
To avoid being prompted to update account information during login, either remove the existing local user or test with a new user from Okta. This ensures Keycloak pulls fresh attribute mappings during the first login.
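To see why a mapper set resolves the Update Account Information prompt, it helps to check a real token payload against the claims the mappers read. The block below is an added example, not code from the AGILITY documentation or from Keycloak: it builds the four mappers listed above in the shape accepted at POST /admin/realms/{realm}/identity-provider/instances/{alias}/mappers and reports which of them would find no claim in a given token. The claim names (given_name, family_name, preferred_username, email) are the standard OpenID Connect claims and are an assumption about what the Okta token carries; the token payload is a constructed sample.

```python
"""Added example, not from the AGILITY documentation or from Keycloak: builds
the four mapper representations for the attributes listed above, in the shape
accepted at POST /admin/realms/{realm}/identity-provider/instances/{alias}/mappers,
and checks a token payload for the claims those mappers read. The claim names
are the standard OpenID Connect ones and are an assumption about the Okta token;
the token payload below is a constructed sample.
"""
import re

# Keycloak user attribute -> standard OIDC claim that should populate it.
ATTRIBUTE_CLAIMS = {"firstName": "given_name", "lastName": "family_name", "email": "email"}

# Constructed sample ID token payload (already decoded); note the missing "email".
SAMPLE_TOKEN_CLAIMS = {
    "sub": "00u1example",
    "given_name": "Ada",
    "family_name": "Lovelace",
    "preferred_username": "ada.lovelace@b-yond.example",
    "groups": ["agility-users"],
}


def attribute_mapper(alias: str, user_attribute: str, claim: str, sync_mode: str = "INHERIT") -> dict:
    """'Attribute Importer' mapper: copy one token claim into one user attribute."""
    return {
        "name": f"{alias}-{user_attribute}",
        "identityProviderAlias": alias,
        "identityProviderMapper": "oidc-user-attribute-idp-mapper",
        "config": {"claim": claim, "user.attribute": user_attribute, "syncMode": sync_mode},
    }


def username_mapper(alias: str, claim: str = "preferred_username", sync_mode: str = "INHERIT") -> dict:
    """'Username Template Importer' mapper: the local username comes from a claim template."""
    return {
        "name": f"{alias}-username",
        "identityProviderAlias": alias,
        "identityProviderMapper": "oidc-username-idp-mapper",
        "config": {"template": "${CLAIM." + claim + "}", "target": "LOCAL", "syncMode": sync_mode},
    }


def build_mappers(alias: str) -> list:
    """The firstName, lastName, email and username mappers for one provider alias."""
    mappers = [attribute_mapper(alias, attr, claim) for attr, claim in ATTRIBUTE_CLAIMS.items()]
    mappers.append(username_mapper(alias))
    return mappers


def source_claim(mapper: dict):
    """Name of the token claim a mapper reads, or None if it cannot be determined."""
    cfg = mapper["config"]
    if "claim" in cfg:
        return cfg["claim"]
    match = re.search(r"\$\{CLAIM\.([^}]+)\}", cfg.get("template", ""))
    return match.group(1) if match else None


def missing_claims(token_claims: dict, mappers: list) -> list:
    """Mappers whose source claim is absent from the token.

    Every hit is an attribute Keycloak cannot fill, which is exactly what sends a
    first-time user to the Update Account Information page.
    """
    return [m["name"] for m in mappers
            if source_claim(m) is not None and source_claim(m) not in token_claims]


if __name__ == "__main__":
    mappers = build_mappers("byond0")
    print("mappers:", [m["name"] for m in mappers])
    print("unfilled by sample token:", missing_claims(SAMPLE_TOKEN_CLAIMS, mappers))
```

Run against the constructed token, the check flags byond0-email: in standard OpenID Connect the email claim is released under the email scope, so if your own token shows the same gap the Requested Scopes field is the first place to look. The syncMode value INHERIT defers to the provider's own sync mode (IMPORT in the provider example), which is why the page advises testing with a fresh Okta user: attributes are imported once, at first login.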
⚠️ Notes on Sharing Email Addresses Between Local and Identity Provider Users
By default, duplicate email addresses are not allowed in Keycloak. Users must choose between logging in as a local user or via an identity provider.
If the same email address is used for both, it may cause user conflicts unless email verification is properly configured.
When email verification is correctly set up, users will be prompted to verify their email address, allowing Keycloak to safely merge the user accounts and avoid duplication issues.
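The rules in this section can be checked mechanically against a realm export before anyone hits the conflict. The block below is an added example and not code from the AGILITY documentation or from Keycloak: it audits the realm settings that govern e-mail sharing (duplicateEmailsAllowed, the SMTP server used for verification mail, and verifyEmail) and classifies what a brokered login with a given e-mail leads to. The realm and user records are constructed samples shaped like Keycloak's RealmRepresentation and UserRepresentation, and the outcome labels are this example's own names, not Keycloak terms.

```python
"""Added example, not from the AGILITY documentation or from Keycloak: an audit
of the realm settings that decide what happens when a brokered login carries an
e-mail address that a local user already owns, plus a classifier that applies
the rules above to a constructed user list. The realm and user records are
constructed samples shaped like Keycloak's RealmRepresentation and
UserRepresentation; the outcome labels are this example's own.
"""

SAMPLE_REALM = {
    "realm": "agility",
    "duplicateEmailsAllowed": False,
    "verifyEmail": True,
    "smtpServer": {"host": "smtp.example.invalid", "from": "noreply@example.invalid"},
}

SAMPLE_LOCAL_USERS = [
    {"username": "jdoe", "email": "jdoe@b-yond.example"},
    {"username": "ops", "email": "ops@b-yond.example"},
]


def audit_email_settings(realm: dict) -> list:
    """Return findings for settings that make local/IdP e-mail sharing unsafe."""
    findings = []
    if realm.get("duplicateEmailsAllowed"):
        findings.append("duplicateEmailsAllowed is true: a brokered e-mail can match several "
                        "local accounts, so account linking becomes ambiguous")
    smtp = realm.get("smtpServer") or {}
    if not (smtp.get("host") and smtp.get("from")):
        findings.append("smtpServer is not configured: Keycloak cannot send the verification "
                        "mail it uses to prove the existing account belongs to the IdP user")
    if not realm.get("verifyEmail"):
        findings.append("verifyEmail is false: new local users never prove ownership of "
                        "their e-mail before it can collide with an IdP identity")
    return findings


def email_verification_ready(realm: dict) -> bool:
    """Linking by e-mail needs unique e-mails and a working mail sender."""
    smtp = realm.get("smtpServer") or {}
    return not realm.get("duplicateEmailsAllowed") and bool(smtp.get("host") and smtp.get("from"))


def classify_broker_login(realm: dict, local_users: list, brokered_email: str) -> str:
    """What the first login of an IdP user with this e-mail leads to."""
    wanted = brokered_email.strip().lower()  # Keycloak compares e-mails case-insensitively
    matches = [u for u in local_users if (u.get("email") or "").lower() == wanted]
    if not matches:
        return "create-new-user"
    if len(matches) > 1:
        return "ambiguous-duplicate-emails"
    if email_verification_ready(realm):
        return "link-after-email-verification"
    return "conflict-email-verification-unavailable"


if __name__ == "__main__":
    for finding in audit_email_settings(SAMPLE_REALM) or ["no findings"]:
        print(finding)
    print(classify_broker_login(SAMPLE_REALM, SAMPLE_LOCAL_USERS, "JDoe@b-yond.example"))
```

The realm JSON to feed this is what the Admin Console's realm export (or GET /admin/realms/{realm}) returns; the user list comes from GET /admin/realms/{realm}/users. Running the classifier over every IdP user's e-mail before the cut-over tells you which accounts will be linked cleanly and which will stall.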
Social Network Configuration
Social networks can also serve as Identity Providers in Keycloak. This section provides a brief overview of how to configure social login within Keycloak, but does not cover the setup or configuration details specific to each social network provider.
Google
Make sure the following options are configured correctly:
Client ID: 218140556172-8j4oul55XXXXXXXXXjqndgqep1.apps.googleusercontent.com
Client Secret: XXXXXXXXX
Display Order: 1
Request refresh token: On
LinkedIn OpenID Connect
Ensure that the requested scopes include at minimum: openid, profile, and email.
Client ID: 868jXXXXXc4
Client Secret: XXXXXXXXX
Display Order: 2
Update the Authentication Flow to Enforce Login via Identity Provider
Prerequisite: You must have Keycloak general admin user access.
Obtain the Keycloak general admin password.
Access the Keycloak Admin Console by using the kubectl port-forward method to forward the necessary port.
Confirm you are operating within the agility realm.
Navigate to Configure → Authentication.
In the Flow Name column, locate and select browser.
Find the Identity Provider Redirector row and click the settings (gear) icon to open its configuration.
In the form that appears:
Enter the Alias.
Set the Default Identity Provider to the alias of the identity provider you created earlier (e.g., byond0).
Click Save to apply the changes.
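The console steps above amount to one configuration object attached to one execution of the browser flow. The following is an added example, not code from the AGILITY documentation or from Keycloak: it locates the Identity Provider Redirector execution in a browser-flow execution list (a constructed sample shaped like the response of GET /admin/realms/{realm}/authentication/flows/browser/executions), refuses a default provider that does not exist or is disabled, and builds the body for POST /admin/realms/{realm}/authentication/executions/{executionId}/config. The execution ids and the provider list are constructed values; the config name byond0-redirect is this example's choice for the Alias field.

```python
"""Added example, not from the AGILITY documentation or from Keycloak: the
same change as the steps above, expressed against the Admin REST API. It finds
the Identity Provider Redirector execution in the browser flow, validates the
chosen default provider, and builds the body for
POST /admin/realms/{realm}/authentication/executions/{executionId}/config.
All ids and provider entries below are constructed samples.
"""

REDIRECTOR_PROVIDER_ID = "identity-provider-redirector"

# Constructed sample: a trimmed browser-flow execution list.
SAMPLE_BROWSER_EXECUTIONS = [
    {"id": "11111111-aaaa-4aaa-8aaa-000000000001", "providerId": "auth-cookie",
     "displayName": "Cookie", "requirement": "ALTERNATIVE", "level": 0},
    {"id": "22222222-bbbb-4bbb-8bbb-000000000002", "providerId": REDIRECTOR_PROVIDER_ID,
     "displayName": "Identity Provider Redirector", "requirement": "ALTERNATIVE", "level": 0},
    {"id": "33333333-cccc-4ccc-8ccc-000000000003", "providerId": None,
     "displayName": "forms", "requirement": "ALTERNATIVE", "level": 0},
]

# Constructed sample of the realm's identity providers (alias and enabled flag).
SAMPLE_IDPS = [
    {"alias": "byond0", "providerId": "oidc", "enabled": True},
    {"alias": "google", "providerId": "google", "enabled": False},
]


def find_redirector_execution(executions: list) -> dict:
    """The execution whose gear icon the steps above refer to."""
    for execution in executions:
        if execution.get("providerId") == REDIRECTOR_PROVIDER_ID:
            return execution
    raise LookupError("browser flow has no Identity Provider Redirector execution")


def redirector_issues(execution: dict) -> list:
    """Reasons the redirector would not fire even with a default provider set."""
    issues = []
    if execution.get("requirement") == "DISABLED":
        issues.append("redirector requirement is DISABLED; it must be ALTERNATIVE to run")
    return issues


def build_redirector_config(config_alias: str, default_provider: str, idps: list) -> dict:
    """Body for the execution-config endpoint; refuses unknown or disabled aliases,
    since a bad default provider would break every browser login in the realm."""
    known = {idp["alias"]: idp for idp in idps}
    if default_provider not in known:
        raise ValueError(f"no identity provider with alias {default_provider!r}")
    if not known[default_provider].get("enabled", False):
        raise ValueError(f"identity provider {default_provider!r} is disabled")
    return {"alias": config_alias, "config": {"defaultProvider": default_provider}}


def config_endpoint(realm: str, execution_id: str) -> str:
    """Path the config body is POSTed to, relative to the Keycloak base URL."""
    return f"/admin/realms/{realm}/authentication/executions/{execution_id}/config"


if __name__ == "__main__":
    execution = find_redirector_execution(SAMPLE_BROWSER_EXECUTIONS)
    body = build_redirector_config("byond0-redirect", "byond0", SAMPLE_IDPS)
    print("POST", config_endpoint("agility", execution["id"]), body, redirector_issues(execution))
```

Flow bindings are per realm, so this only changes how the agility realm's browser flow behaves; the general admin account you used through the port-forward keeps its own login path. The alias validation is deliberate: with the redirector set to a provider that does not exist or is disabled, every browser login to the realm fails, and the only way back in is the Admin Console.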