Keycloak

Keycloak is an identity and access management system that gives an application a trusted way to authenticate users via different authentication protocols (for the CMS: OpenID Connect).

1 Server side configuration

Activate the Keycloak feature and add configuration for user creation callbacks and initial groups:

keycloak.yml

feature:
  keycloak: true
keycloak:
  user_created_callback: your.companyname.custom.SsoUserCreated
  init_groups: |
    if(attr.roles.realm CONTAINSONEOF 'admin-user-role',
      [3],
      if(attr.roles.resource.gcms CONTAINSONEOF 'editor-user-role',
        [4],
        [5]
      )
    )

Place the `keycloak.json` generated for the CMS in the UI configuration directory (default: `ui-conf`).
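The `init_groups` expression above is evaluated per user at first login and yields the IDs of the groups the new CMS user is put into. The following is an added example, not code from Gentics CMS or Keycloak: it models that evaluation in Python over decoded Keycloak access-token claims, so you can check which branch a given set of roles ends up in before pointing real users at the CMS. It assumes that `attr.roles.realm` corresponds to `realm_access.roles` and `attr.roles.resource.gcms` to `resource_access.gcms.roles` in the token, and it uses the group IDs 3, 4 and 5 from the keycloak.yml example. The sample tokens are constructed.

```python
"""Model of the init_groups expression from keycloak.yml.

Added example, not part of Gentics CMS or Keycloak. Assumptions:
  - attr.roles.realm          == realm_access.roles of the access token
  - attr.roles.resource.gcms  == resource_access.gcms.roles of the token
  - group IDs 3 / 4 / 5 are the ones from the keycloak.yml example
"""
from __future__ import annotations

from typing import Any

ADMIN_GROUPS = [3]    # realm role admin-user-role
EDITOR_GROUPS = [4]   # client role editor-user-role on client "gcms"
DEFAULT_GROUPS = [5]  # everyone else


def roles_from_token(claims: dict[str, Any]) -> dict[str, Any]:
    """Build the attr.roles structure from decoded access-token claims.

    Missing claims yield empty role lists, so a user without any roles
    for the gcms client still evaluates cleanly and falls through to the
    default group instead of raising.
    """
    realm_roles = claims.get("realm_access", {}).get("roles", [])
    resource = claims.get("resource_access", {})
    return {
        "realm": list(realm_roles),
        "resource": {
            client: list(entry.get("roles", [])) for client, entry in resource.items()
        },
    }


def contains_one_of(values: list[str], wanted: str | list[str]) -> bool:
    """CONTAINSONEOF: true if at least one of `wanted` occurs in `values`."""
    wanted_list = [wanted] if isinstance(wanted, str) else wanted
    return any(w in values for w in wanted_list)


def init_groups(claims: dict[str, Any]) -> list[int]:
    """Evaluate the nested if(...) of init_groups for one user.

    Order matters: a realm admin also holding the editor client role is
    still placed in the admin group, because the outer condition wins.
    A role named editor-user-role on a client other than "gcms" does not
    count, since only attr.roles.resource.gcms is inspected.
    """
    roles = roles_from_token(claims)
    if contains_one_of(roles["realm"], "admin-user-role"):
        return list(ADMIN_GROUPS)
    if contains_one_of(roles["resource"].get("gcms", []), "editor-user-role"):
        return list(EDITOR_GROUPS)
    return list(DEFAULT_GROUPS)


# Constructed sample claims, shaped like decoded Keycloak access tokens.
SAMPLE_TOKENS: dict[str, dict[str, Any]] = {
    "admin_and_editor": {
        "preferred_username": "alice",
        "realm_access": {"roles": ["admin-user-role", "offline_access"]},
        "resource_access": {"gcms": {"roles": ["editor-user-role"]}},
    },
    "editor": {
        "preferred_username": "bob",
        "realm_access": {"roles": ["offline_access"]},
        "resource_access": {"gcms": {"roles": ["editor-user-role"]}},
    },
    "editor_on_other_client": {
        "preferred_username": "carol",
        "realm_access": {"roles": ["offline_access"]},
        "resource_access": {"account": {"roles": ["editor-user-role"]}},
    },
    "no_roles": {"preferred_username": "dave"},
}

if __name__ == "__main__":
    for name, claims in SAMPLE_TOKENS.items():
        print(f"{name:24s} -> initial groups {init_groups(claims)}")
```

Run it to see the four cases: the realm admin lands in group 3 even though she also has the editor client role, the plain editor in group 4, and both the user whose editor role sits on a different client and the user with no roles at all in the default group 5. When you adapt the expression, keep that last case in mind: anyone Keycloak authenticates who matches none of the conditions receives the default groups, so those groups should carry the least privilege you are willing to grant to an arbitrary realm user.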

2 Configuration for the Editor/Administration User Interface

If you are using the new UI, you also have to make sure the REST API is configured to use the Keycloak servlet filter.

Except for the CMS-specific entries (the group mapping and the user-created callback), the configuration entries correspond exactly to the fields of the keycloak.json that you can generate in the Keycloak admin console. Copy all of those fields, including any that are not shown in the example above.

2.1 Using an Identity Provider

When using an identity provider the following two settings in the advanced OpenID Connect settings are important to prevent unwanted redirect behavior:

  1. “Prompt”: Set to “Select account”
  2. “Accepts prompt=none forward from client”: Set to “Off”

Keycloak - Identity Provider configuration

2.2 Circumvent Single Sign-on

It can be useful to bypass the single sign-on process even though it is enabled, for example to sign in with a local CMS account while the identity provider is being reconfigured. When the URL parameter skip-sso is present, the single sign-on redirect is skipped and the user is forwarded to the regular login form. Example: https://yourcmshost.tld/editor/?skip-sso. Note that this only skips the redirect to Keycloak; the login form still requires valid CMS credentials.

2.3 Single Sign Out

By activating the feature

conf/features.yml

feature:
  keycloak_signout: true

users will automatically be logged out from Keycloak, if they log out from the CMS using the Editor User Interface or Administration User Interface.

2.4 Missing Keycloak

When Keycloak is configured but cannot be reached, the CMS login form shows a message that Single Sign-On is currently not available; users can still log in with local CMS credentials.