Requirements:
- Keycloak
- Portainer

Steps to follow:
Keycloak
- Log in to the Keycloak console as an admin.
- Navigate to the realm if one has already been created for Portainer; otherwise, create a new realm for the SSO client.

Go to the new realm -> client -> new -> OpenID Connect -> fill in the details and click next.

Enable client authentication and OAuth 2.0 -> Click next

Fill in the URLs based on your Portainer URL and click Save.

Now open the newly created client -> Credentials -> copy the client secret and store it somewhere safe; it is needed for the Portainer configuration below.

Now create a user in the realm (portainer): Users -> Add user.

Portainer
Log in to Portainer -> go to Settings -> Authentication
- Enable OAuth by selecting OAuth and enabling the ‘Use SSO’ option.

- Scroll down and add the provider details

Fill in the details below based on your configuration:
- Client ID : portainer
- Client secret: “client secret which we copied from keycloak”
- Authorization URL: https://{keycloak url}/realms/{realm created for portainer}/protocol/openid-connect/auth
- Access token URL: https://{keycloak url}/realms/{realm created for portainer}/protocol/openid-connect/token
- Resource URL: https://{keycloak url}/realms/{realm created for portainer}/protocol/openid-connect/userinfo
- Redirect URL: https://portainer.example.com/
- Logout URL: https://{keycloak url}/realms/{realm created for portainer}/protocol/openid-connect/logout
- User identifier: email
- Scopes: openid
Now log out and log in to Portainer again. You will see the “Login with OAuth” option -> click on it and sign in with the username and password of the user created in Keycloak.
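
As an added example (not part of the original guide, and not Keycloak or Portainer code), the Python below compares the four endpoint fields above with the realm's OIDC discovery document, which Keycloak serves at `/realms/{realm}/.well-known/openid-configuration`, and checks that the chosen User identifier claim is actually present in a userinfo response. The host `keycloak.example.com`, the user `alice`, the function names and both sample documents are constructed for illustration.

```python
from urllib.parse import urlsplit

# Portainer OAuth field -> (URL suffix from this guide, OIDC discovery metadata key)
FIELDS = {
    "Authorization URL": ("auth", "authorization_endpoint"),
    "Access token URL": ("token", "token_endpoint"),
    "Resource URL": ("userinfo", "userinfo_endpoint"),
    "Logout URL": ("logout", "end_session_endpoint"),
}
_OIDC = "https://keycloak.example.com/realms/portainer/protocol/openid-connect"
# Constructed sample: the realm's discovery document, trimmed to the keys used here.
SAMPLE_DISCOVERY = {
    "authorization_endpoint": f"{_OIDC}/auth",
    "token_endpoint": f"{_OIDC}/token",
    "userinfo_endpoint": f"{_OIDC}/userinfo",
    "end_session_endpoint": f"{_OIDC}/logout",
}
# Constructed sample: userinfo for a user created without an email address.
SAMPLE_USERINFO = {"sub": "constructed-user-id", "preferred_username": "alice"}


def portainer_fields(keycloak_url, realm):
    """Build the four endpoint fields from the URL pattern used in this guide."""
    base = f"{keycloak_url.rstrip('/')}/realms/{realm}/protocol/openid-connect"
    return {field: f"{base}/{suffix}" for field, (suffix, _) in FIELDS.items()}


def check_config(fields, discovery, userinfo, user_identifier):
    """Return a list of problems; an empty list means the values line up."""
    problems = []
    for field, (_, key) in FIELDS.items():
        url, advertised = fields[field], discovery.get(key)
        if urlsplit(url).scheme != "https":
            problems.append(f"{field}: {url} is not HTTPS")
        if url != advertised:
            problems.append(f"{field}: {url} differs from {key} = {advertised}")
    # Portainer identifies the user by this claim, so it must be present and non-empty.
    if not userinfo.get(user_identifier):
        problems.append(f"User identifier: no '{user_identifier}' claim in userinfo")
    return problems


if __name__ == "__main__":
    fields = portainer_fields("https://keycloak.example.com/", "portainer")
    for claim in ("email", "preferred_username"):
        print(claim, check_config(fields, SAMPLE_DISCOVERY, SAMPLE_USERINFO, claim))
```

With the constructed samples, `email` is reported as missing because the sample user has no email address, while the endpoint URLs match the discovery document.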

This description works well and helped me get things working.
A note in case anyone wants to use the configured Keycloak username instead of the email address for Portainer userid. Assuming you haven’t changed the default Keycloak user profile or scope mappings, for the “User identifier” field use “preferred_username”.