Keycloak SSO via OIDC

Set up Keycloak SSO for OIDC

Set up SSO for Keycloak using OIDC. For a general overview of OIDC, see Setting up OIDC Federated SSO.

Set up OIDC SSO for Keycloak in Codefresh by:

  1. Creating a client in Keycloak
  2. Configuring SSO settings for Keycloak in Codefresh
  3. Configuring redirect URIs in Keycloak

IMPORTANT
Keycloak changed the /auth endpoint as of version 17.0.0. Currently, Codefresh does not support Keycloak version 17.0.0 or higher.
As a workaround, start the Keycloak server with this parameter: --http-relative-path=/auth/.

Step 1: Create Client in Keycloak

Create a Keycloak client for Codefresh.

  1. Log in to Keycloak.
  2. Select the Realm, and from the sidebar, select Clients.
  3. From the Clients list tab, click Create Client.
  4. Define the General Settings:
    1. From the Client type drop-down, select OpenID Connect.
    2. In the Client ID field, enter g.codefresh.io.
    3. In the Name field, enter a display name for the client, for example, Codefresh.
    4. Click Next.

General Settings for Codefresh client in Keycloak

  5. Define the Capability config settings:
    1. Toggle Client authentication to ON.
    2. Click Save.

Capability config settings for Codefresh client in Keycloak

  6. Copy the following values:
    1. Go back to Settings.
    2. From the General Settings tab, copy the Client ID to your machine.
    3. Click the Credentials tab, and copy the Client secret to your machine.
    4. From the sidebar, select Realm Settings, and copy the Realm ID. You will need the Client ID, Client Secret, and Realm ID to configure SSO for Keycloak in Codefresh.
  7. Continue with Step 2: Configure SSO settings for Keycloak in Codefresh.

Step 2: Configure SSO settings for Keycloak in Codefresh


Before you begin

  • Make sure you have:
    • The Client ID, Client Secret, and Realm ID from Keycloak in Step 1

How to

  1. In the Codefresh UI, from the toolbar click the Settings icon.
  2. In the sidebar, from Access & Collaboration, select Single Sign-On.
  3. Click + Add Single Sign-On, select Keycloak, and then click Next.
  4. Enter the following:
    • Client Name: For auto-generation, leave empty. Codefresh generates the client name once you save the settings.
    • Display Name: Meaningful name that identifies the integration with this SSO provider.
    • Client ID: The Client ID for Codefresh you copied from Keycloak.
    • Client Secret: The Client Secret for Codefresh you also copied from Keycloak.
    • Host: The Keycloak URL.
    • Realm: Optional. The Realm ID for Codefresh you copied from Keycloak.

SSO settings for Keycloak in Codefresh

  5. Click Add. Codefresh creates Keycloak as an identity provider, with the auto-generated Client Name.

Getting the auto-generated Client Name

  6. Note down the Client Name, as you need it to set the redirect URI in Keycloak.
  7. Continue with Step 3: Set up Redirect URI in Keycloak.

Step 3: Set up Redirect URI in Keycloak

  1. Log in again to Keycloak.
  2. From the sidebar, select Clients and then select Codefresh from the Clients List.
  3. Click the Settings tab, and then define the Access Settings:
    1. In the Root URL and Home URL fields, enter https://g.codefresh.io.
    2. In the Valid redirect URIs field, enter https://g.codefresh.io/api/auth/<your_codefresh_client_name>/callback
      where: <your_codefresh_client_name> is the Client Name auto-generated by Codefresh, for example, https://g.codefresh.io/api/auth/ruUtQOzX4T0D/callback.

    3. Click Save.

You have now completed SSO setup for Keycloak via OIDC.
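
An added example, not part of the Codefresh documentation: a Python check that audits an exported Keycloak client definition against the settings in Steps 1 and 3. It flags a public client, a missing callback, and any redirect URI other than the exact Codefresh callback (wildcards included), and it tests whether the realm issuer is served under /auth. The field names follow Keycloak's client JSON representation; the sample export, the host keycloak.example.com and the realm name codefresh are constructed.

```python
import json
from urllib.parse import urlsplit

CODEFRESH = "https://g.codefresh.io"  # Root URL and Home URL from Step 3

def expected_callback(client_name):
    """Redirect URI from Step 3 for the Client Name generated by Codefresh."""
    return f"{CODEFRESH}/api/auth/{client_name}/callback"

def audit_client(client, client_name):
    """Return findings for a client export; an empty list means it matches the page."""
    findings = []
    if client.get("clientId") != "g.codefresh.io":
        findings.append("clientId is not g.codefresh.io")
    if client.get("protocol") != "openid-connect":
        findings.append("client type is not OpenID Connect")
    if client.get("publicClient", True):  # Client authentication ON => publicClient false
        findings.append("Client authentication is OFF (public client)")
    for field in ("rootUrl", "baseUrl"):  # Root URL and Home URL
        if client.get(field) != CODEFRESH:
            findings.append(f"{field} is not {CODEFRESH}")
    want = expected_callback(client_name)
    uris = client.get("redirectUris", [])
    if want not in uris:
        findings.append(f"missing redirect URI {want}")
    for uri in uris:
        if uri != want:  # anything broader than the exact callback needs review
            kind = "wildcard" if "*" in uri else "extra"
            findings.append(f"{kind} redirect URI: {uri}")
    return findings

def issuer_uses_auth_path(issuer, realm):
    """True when the realm issuer is served under the /auth relative path."""
    return urlsplit(issuer).path.rstrip("/") == f"/auth/realms/{realm}"

# Constructed sample export: correct except for a wildcard redirect URI.
SAMPLE = json.loads("""
{"clientId": "g.codefresh.io", "protocol": "openid-connect",
 "publicClient": false,
 "rootUrl": "https://g.codefresh.io", "baseUrl": "https://g.codefresh.io",
 "redirectUris": ["https://g.codefresh.io/*"]}
""")

if __name__ == "__main__":
    for finding in audit_client(SAMPLE, "ruUtQOzX4T0D"):
        print("FINDING:", finding)
    print(issuer_uses_auth_path("https://keycloak.example.com/auth/realms/codefresh", "codefresh"))
```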

Sync teams via CLI

Sync users and teams through the CLI.

Federated Single Sign-On (SSO) overview
Setting up OIDC Federated SSO
Common configuration for SSO providers