Keycloak user login from third-party Identity Providers

To configure Identity Providers you need to configure AGILITY Keycloak and the Identity Provider.

The following guide explains how to add Okta as an Identity Provider in Keycloak. After first login is successfully tested, it explains how to create mappings to autocomplete user attributes based on an Okta token.

Okta Identity provider configuration

1. Go to the AGILITY Realm admin console: <scheme>://<hostname>/cv/auth/admin/agility/console. For example https://agility.example.com/cv/auth/admin/agility/console

2. Log in with an auth-admin user like agility-admin@b-yond.com

3. Select Configure -> Identity Providers and select OpenID Connect v1.0

   Open

   

   Complete the form:

   • Alias: byond0

   • Display name: Sign-in with B-Yond

   • Discovery endpoint: https://idpnew.b-yond.com/.well-known/openid-configuration

   • Client ID: 0oa4wmwi7n4QouELz4x7

   • Client Secret: XXXXXXXXXXXXXX

   Client ID and Client Secrets are provided by the Identity Provider administrator.

   Open

   

   Select Add.

4. Ensure that Okta supports login redirection to https://agility.example.com/cv/auth/realms/agility/broker/byond0/endpoint.

5. Configure the logout redirect with the following URL: https://agility.example.com/cv/auth/realms/agility/broker/byond0/endpoint/logout_response. Please note the following screenshot is just an example. For login URL, it uses a wildcard instead the full domain.

   Now you are ready to log in.

6. In a new browser instance, go to the application home page https://agility.example.com/cv/ and select "Sign-in with B-Yond".

   When you log in for first time, you will be required to Update Account Information.

   Complete it and Submit it

Account information configuration

Update Account Information can be solved by creating the right mappings

1. Go back to the Keycloak admin console https://agility.example.com/cv/auth/admin/agility/console and login as auth-admin user.

2. Select Configure -> Identity Providers -> Sign in with B-Yond -> Advanced.

3. Ensure requested scopes are at least openid, profile and groups: openid profile groups

   Save changes.

4. Select the Mappers tab and then select Add mappers

   Create mappers for firstName, lastName, username and email.

   1. firstName

   2. lastName

   3. username

   4. email

      Removing the previous user locally or testing with a new Okta user will allow you to log in to AGILITY without asking for update information.

Notes about sharing email address between local and identity providers users

Duplicated emails are not enabled by default. A user should choose between local users or identity provider access. Trying to access with the same email address will generate user conflicts at the Keycloak level if email setup is not enabled.

If email setup is working, you will need to validate your email address to allow merge user information.

Social Network configuration

Other identities providers can be social networks. In this section we briefly explain how to configure in Keycloak but we don't cover the provider's configuration.

Google

Ensure the following options are set up

LinkedIn OpenID Connect

Ensure requested scopes are at least openid, profile and email: openid profile email

Update authentication flow to enforce login with an identity provider

You need Keycloak general admin user access

1. Get the Keycloak general admin access password and login to the keycloak admin console using kubectl port-forward method.

2. Ensure you are under agility realm.

3. Go to Configure -> Authentication, under Flow name column and select browser.

4. Under the Identity Provider Redirector row, select the settings wheel.

5. In the form write the "Alias" and "Default Identity Provider" with the previously-created identity provider configuration alias name. The following example shows the created byond0 configuration

6. Select Save.