Configure Keycloak
Last updated
Last updated
This page describes how to configure a Keycloak instance as an external IdP for the fulfillmenttools platform. Log in with an admin user to the administrator console in Keycloak; the default URL is: https://<keycloak-instance>/admin/master/console/
.
If there are existing multiple Keycloak realms, use the dropdown (upper left corner) to select the correct realm, which should be used as external IDP for fulfillmenttools. For each fulfillmenttools environment (typically a test and a production environment), create a separate client in Keycloak.
Browse to Clients (on the left navigation pane) and select Create client to open the client configuration wizard.
In the first step of create client wizard, select an OpenID Connect type and an Client ID (e.g., fulfillmenttools-production-environment). Press Next afterward.
In the second step of the wizard activate the Implicit Flow. Press Next afterward.
In the wizard's third step, add 3 Redirect URIs. These have the pattern:
https://ocff-<tenantName>-<pre|prd>.firebaseapp.com/__/auth/handler
https://ocff-<tenantName>-<pre|prd>.web.app/__/auth/handler
https://pick-<tenantName>-<pre|prd>.web.app/__/auth/handler
Press Save to create the client.
OAuth Client was created successfully . The Client ID must later be supplied to the fulfillmenttools platform via API.
On the Client configuration page activate Client authentication and press Save.
At the top of the Client, select the Credentials tab. Select Client Id and Secret. The Client Secret must be supplied to fulfillmenttools at a later step via API.
Now, create the client roles that correspond to the fulfillmenttools roles. Navigate to Roles and press Create role.
Create 3 roles: ADMINISTRATOR
, SUPERVISOR
and FULFILLER
. Choose an arbitrary Description. The Role name must be one of the above-mentioned roles: ADMINISTRATOR
, SUPERVISOR
or FULFILLER
.
The app roles should look similar to this:
Next, link Keycloak groups to these client roles. Individual Keycloak users can be added to these groups to assign roles to users.
In the Keycloak administration console, select Groups on the left navigation pane.
Typically, there exist three Keycloak groups, one for each fulfillmenttools role. By clicking Create group, create one Keycloak group for each fulfillmenttools role (e.g., fft-role-administrator, fft-role-supervisor, fft-role-fulfiller).
Now, assign client roles to these groups. Therefore, select the created group in the Groups section.
Then, select Role mapping in the tabs and press Assign role. Create a total of three groups for a production setup, one for each role. Then, every member of the group is assigned the corresponding fulfillmenttools role.
Select the corresponding role from the client, and press Assign.
In the following screenshot, the administrator role is created. This has to be done for SUPERVISOR and FULFILLER similarly.
fulfillmenttools models the assigned facilities to a user using Keycloak groups. In the Keycloak administration console, select the Client and the Client scopes tab. Select the <client ID>-dedicated entry:
Then, select Configure a new mapper.
Select Group Membership.
The name of the token mapper must be groups. Then press Save.
Now, all groups of a user are put into the token. The fulfillmenttools platform leverages this to identify which user is allowed to access a facility on the fulfillmenttools platform.
In the Keycloak administration console, select the Client and the Client scopes tab. Select the <client ID>-dedicated entry:
Then, open the Scope tab and disable the Full scope allowed:
In the client configuration, select the Client Scopes tab. Add the email
, profile
, and openid
scopes:
If the OpenID scope is unavailable on the Keycloak instance, create it in the admin console (Client Scopes in the left navigation pane).
Gather the following information to configure the external IDP via API:
CLIENT_ID
This is the Client ID
of the Client in Keycloak
CLIENT_SECRET
This is the value of the secret created
Keycloak Facility Group Names
group names of the Keycloak groups representing a facility
FACILITY_ID_1
, FACILITY_ID_1
id of the facilities in fulfillmenttools that this group should have access to
To register the OIDC provider to the fulfillmenttools platform, execute the following call: