Configuring Keycloak as an Identity Provider

Prerequisites

Before proceeding, ensure:

  • You have admin access to your Keycloak instance.
  • Nirmata Control Hub is accessible and you have Admin access.

Step 1: Create a New Realm (Optional)

If you’re using Keycloak for multiple applications, it’s recommended to isolate Nirmata authentication:

  1. Log in to the Keycloak Admin Console.
  2. From the top-left dropdown, click “Add Realm”.
  3. Name it nirmata-realm (or a name of your choice).

Step 2: Register Nirmata as a Client

  1. In the Keycloak Admin Console, go to Clients.
  2. Click “Create”.
  3. Enter the following details:
    • Client ID: nirmata
    • Client Protocol: openid-connect
  4. Click Next.

Capability Config:

  • Enable Client Authentication
  • Enable the following flows:
    • Standard Flow
    • Direct Access Grants
    • Implicit Flow

Click Next.

Login Settings:

  • Valid Redirect URIs:
    https://<nirmata-host>/security/api/oidc/callback/*
  • Valid Post Logout Redirect URIs:
    https://<nirmata-host>/security/api/oidc/logout/*
  • Leave the other fields with default values.

Click Save.

Advanced Settings:

  1. Navigate to the nirmata client settings.
  2. Expand the Advanced Settings section.
  3. Set Proof Key for Code Exchange (PKCE) Code Challenge Method to S256.
  4. Click Save.

Step 3: Retrieve Credentials for Nirmata

To connect Nirmata to Keycloak, note the following:

  • Client ID: nirmata
  • Client Secret:
    • Go to Clients > nirmata > Credentials tab.
    • Copy the Secret.
  • Discovery URI format:
    https://<keycloak-host>/realms/<realm-name>/.well-known/openid-configuration
    Example:
    https://keycloak.example.com/realms/nirmata-realm/.well-known/openid-configuration
Step 4: Configure in Nirmata Control Hub

  1. Log into Nirmata Control Hub as an Admin.
  2. Navigate to Identity & Access > OIDC.
  3. Click “Add Provider” and select OIDC.
  4. Fill in the fields:
    • Name: Keycloak
    • Client ID: nirmata
    • Client Secret: (paste the secret copied in Step 3)
    • Discovery URI: (paste the discovery URI from Step 3)
    • Scopes: openid profile email
  5. Click Save.

Step 5: Test Authentication

  1. In the OIDC configuration page, locate and click the Initiate Login URL.
  2. You will be redirected to Keycloak’s login page.
  3. Log in using a user account from the configured realm.
  4. Upon successful login, you will be redirected back to Nirmata and authenticated.

If the login completes and you land back in Nirmata as the Keycloak user, the integration is working.