agility-docs

Keycloak user login from third-party Identity Providers

To add an Identity Provider you need to configure both the AGILITY Keycloak realm and the Identity Provider itself.

The following guide explains how to add Okta as an Identity Provider in Keycloak. After the first login has been tested successfully, it explains how to create mappers that populate user attributes from the Okta token.

Okta Identity provider configuration

  1. Go to the AGILITY Realm admin console: <scheme>://<hostname>/cv/auth/admin/agility/console. For example https://agility.example.com/cv/auth/admin/agility/console

  2. Log in with an auth-admin user, such as agility-admin@b-yond.com

  3. Select Configure -> Identity Providers and select OpenID Connect v1.0

    identity_provider

    Complete the form:

    • Alias: byond0
    • Display name: Sign-in with B-Yond
    • Discovery endpoint: https://idpnew.b-yond.com/.well-known/openid-configuration
    • Client ID: 0oa4wmwi7n4QouELz4x7
    • Client Secret: XXXXXXXXXXXXXX

    The Client ID and Client Secret are provided by the Identity Provider administrator.

    idp_config

    Select Add.

  4. Ensure that Okta allows login redirection to the Keycloak broker endpoint https://agility.example.com/cv/auth/realms/agility/broker/byond0/endpoint.
  5. Configure the logout redirect with the following URL: https://agility.example.com/cv/auth/realms/agility/broker/byond0/endpoint/logout_response. Please note that the following screenshot is just an example: for the login URL it uses a wildcard instead of the full domain.

    okta_config

    Now you are ready to log in.

  6. In a new browser instance, go to the application home page https://agility.example.com/cv/ and select “Sign-in with B-Yond”.

    keycloak_login

    When you log in for the first time, you will be required to Update Account Information.

    update_user_a

    Complete the form and select Submit.

    update_user_b

Account information configuration

The Update Account Information step can be avoided by creating the right mappers.

  1. Go back to the Keycloak admin console https://agility.example.com/cv/auth/admin/agility/console and log in as an auth-admin user.

  2. Select Configure -> Identity Providers -> Sign in with B-Yond -> Advanced.

  3. Ensure the requested scopes include at least openid, profile and groups: openid profile groups

    okta_scope

    Save changes.

  4. Select the Mappers tab and then select Add mappers

    add_mapper

    Create mappers for firstName, lastName, username and email.

    firstName lastName username email

    Delete the previously created local user, or test with a new Okta user; the next login to AGILITY will then complete without asking for account information.
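As an added diagnostic that is not part of the original guide, the following Python script decodes the claims of an Okta ID token and reports which of the four mappers above would find no source claim, which is exactly the situation that makes Keycloak stop at Update Account Information. It assumes the mappers read the standard OIDC claims given_name, family_name, preferred_username and email; the sample tokens are constructed, and the decoder deliberately does not validate signatures, so use it only to inspect a token you already hold.

```python
import base64
import json

# Keycloak user attribute -> OIDC claim the mapper reads from the Okta ID token.
# Assumption: standard OIDC claim names; adjust if Okta emits custom claim names.
MAPPER_CLAIMS = {
    "firstName": "given_name",
    "lastName": "family_name",
    "username": "preferred_username",
    "email": "email",
}

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(id_token: str) -> dict:
    # Returns the JWT payload. The signature is NOT checked: this inspects a token
    # you already hold for debugging; it is not a token validation routine.
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))

def missing_mapper_claims(id_token: str, mappers: dict = MAPPER_CLAIMS) -> dict:
    # {attribute: claim} for every mapper whose source claim is absent or empty.
    # An empty result means first login should not stop at Update Account Information.
    claims = decode_claims(id_token)
    return {attr: claim for attr, claim in mappers.items() if not claims.get(claim)}

def _make_token(payload: dict) -> str:
    # Constructed fixture: real header and payload encoding, placeholder signature.
    enc = lambda o: base64.urlsafe_b64encode(
        json.dumps(o, separators=(",", ":")).encode()).decode().rstrip("=")
    head = enc({"alg": "RS256", "typ": "JWT"})
    return f"{head}.{enc(payload)}.placeholder-signature"

# Constructed sample payloads, shaped like an Okta ID token for scopes "openid profile groups".
COMPLETE_TOKEN = _make_token({"sub": "00u1", "iss": "https://idp.example.com",
    "given_name": "Ada", "family_name": "Lovelace", "preferred_username": "ada@example.com",
    "email": "ada@example.com", "groups": ["agility-users"]})
INCOMPLETE_TOKEN = _make_token({"sub": "00u2", "iss": "https://idp.example.com",
    "given_name": "Bob", "preferred_username": "bob@example.com"})

if __name__ == "__main__":
    for name, tok in (("complete", COMPLETE_TOKEN), ("incomplete", INCOMPLETE_TOKEN)):
        print(name, missing_mapper_claims(tok) or "all mapper claims present")
```

To check a real token, paste the ID token returned by Okta into `missing_mapper_claims` and create or fix the mapper for each attribute it lists.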

Notes about sharing email address between local and identity providers users

Duplicate email addresses are not enabled by default, so a user should choose between a local account and identity provider access. Logging in through the identity provider with an email address that already belongs to a local user generates a user conflict at the Keycloak level if email setup is not enabled.

If email setup is working, you will need to verify your email address before the two accounts can be linked and the user information merged.

linked_accounts

Social Network configuration

Other identity providers can be social networks. This section briefly explains the Keycloak side of the configuration; the provider-side configuration is not covered.

Google

Ensure the following options are set:

Client ID: 218140556172-8j4oul55XXXXXXXXXjqndgqep1.apps.googleusercontent.com
Client Secret: XXXXXXXXX
Display Order: 1
Request refresh token: On

google

LinkedIn OpenID Connect

Client ID: 868jXXXXXc4
Client Secret: XXXXXXXXX
Display Order: 2

Ensure the requested scopes include at least openid, profile and email: openid profile email

linkedin

Update authentication flow to enforce login with an identity provider

This requires Keycloak general admin user access.

  1. Get the Keycloak general admin password and log in to the Keycloak admin console using the kubectl port-forward method.

  2. Ensure you are in the agility realm.

  3. Go to Configure -> Authentication and, in the Flow name column, select browser.

  4. Under the Identity Provider Redirector row, select the settings wheel.

    authentication_flow

  5. In the form, set both “Alias” and “Default Identity Provider” to the alias of the identity provider configuration created earlier. The following example uses the byond0 configuration.

    authentication_flow_alias

  6. Select Save.