How to Configure Keycloak SSO with Portainer

Requirements:

  • Keycloak
  • Portainer

Steps to follow:

Keycloak

  • Log in to the Keycloak console as an admin.
  • Navigate to the realm if one has already been created for Portainer; otherwise, create a new realm for the SSO client.

Go to the new realm -> client -> new -> OpenID Connect -> fill in the details and click next.

Enable client authentication and OAuth 2.0 -> click next.

Fill in the URL based on your Portainer URL and click save.

Now go into the newly created client -> credentials -> copy the client secret and store it somewhere safe.

Now create a user in the realm (portainer) -> user -> add user and create a user.

Portainer

Log in to Portainer -> go to settings -> Authentication.

  • Enable OAuth by selecting OAuth and enabling the ‘Use SSO’ option.
  • Scroll down and add the provider details.

Fill in the details below based on your configuration:

  • Client ID: portainer
  • Client secret: “client secret which we copied from Keycloak”
  • Authorization URL: https://{keycloak url}/realms/{realm created for Portainer}/protocol/openid-connect/auth
  • Access token URL: https://{keycloak url}/realms/{realm created for Portainer}/protocol/openid-connect/token
  • Resource URL: https://{keycloak url}/realms/{realm created for Portainer}/protocol/openid-connect/userinfo
  • Redirect URL: https://portainer.example.com/
  • Logout URL: https://{keycloak url}/realms/{realm created for Portainer}/protocol/openid-connect/logout
  • User identifier: email
  • Scopes: openid

Now log out and log in to Portainer again. You will see the “Login with OAuth” option displayed -> click on that and use the username and password of the user created in Keycloak.
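A mistyped realm name or an http:// endpoint in the Portainer form is the usual reason the login fails. The following is an added example, not part of the original post: it compares the Portainer fields with the realm's OpenID Connect discovery document, which Keycloak publishes at https://{keycloak url}/realms/{realm}/.well-known/openid-configuration. The host keycloak.example.com, the realm name portainer, and the sample documents are constructed, and splitting scopes on commas or spaces is an assumption.

```python
from urllib.parse import urlsplit

# Portainer OAuth form field -> key in the realm's OIDC discovery document
FIELD_TO_METADATA = {
    "Authorization URL": "authorization_endpoint",
    "Access token URL": "token_endpoint",
    "Resource URL": "userinfo_endpoint",
    "Logout URL": "end_session_endpoint",
}

def check_portainer_oauth(settings, discovery):
    """Return a list of mismatches; an empty list means the form agrees with the realm."""
    problems = []
    for field, key in FIELD_TO_METADATA.items():
        configured, expected = settings.get(field, ""), discovery.get(key, "")
        if urlsplit(configured).scheme != "https":
            problems.append(f"{field}: must be an https URL")
        elif configured != expected:
            problems.append(f"{field}: expected {expected}, got {configured}")
    if urlsplit(settings.get("Redirect URL", "")).scheme != "https":
        problems.append("Redirect URL: must be an https URL")
    # Assumption: scopes may be separated by commas or spaces.
    if "openid" not in settings.get("Scopes", "").replace(",", " ").split():
        problems.append("Scopes: 'openid' is required for OpenID Connect")
    if settings.get("User identifier") not in discovery.get("claims_supported", []):
        problems.append("User identifier: claim not advertised by the realm")
    return problems

# Constructed sample data: host and realm name are assumptions, not real systems.
BASE = "https://keycloak.example.com/realms/portainer/protocol/openid-connect"
DISCOVERY = {
    "authorization_endpoint": f"{BASE}/auth",
    "token_endpoint": f"{BASE}/token",
    "userinfo_endpoint": f"{BASE}/userinfo",
    "end_session_endpoint": f"{BASE}/logout",
    "claims_supported": ["sub", "email", "preferred_username"],
}
SETTINGS = {
    "Authorization URL": f"{BASE}/auth",
    "Access token URL": f"{BASE}/token",
    "Resource URL": f"{BASE}/userinfo",
    "Redirect URL": "https://portainer.example.com/",
    "Logout URL": f"{BASE}/logout",
    "User identifier": "email",
    "Scopes": "openid",
}

if __name__ == "__main__":
    for line in check_portainer_oauth(SETTINGS, DISCOVERY) or ["settings match the realm metadata"]:
        print(line)
```

To check a real deployment, load the JSON from the discovery URL into `discovery` and copy the values from the Portainer form into `settings`.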
