DocsEdge Stack
2.0
Single Sign-On with Keycloak
Single Sign-On with Keycloak
With Keycloak as your IdP, you will need to create a Client to handle authentication requests from Ambassador Edge Stack. The below instructions are known to work for Keycloak 4.8.
- Under "Realm Settings", record the "Name" of the realm your client is in. This will be needed to configure your - authorizationURL.
- Create a new client: navigate to Clients and select - Create. Use the following settings:- Client ID: Any value (e.g. ambassador); this value will be used in theclientIDfield of the Keycloak filter
- Client Protocol: "openid-connect"
- Root URL: Leave Blank
 
- Client ID: Any value (e.g. 
- Click Save. 
- On the next screen configure the following options: - Access Type: "confidential"
- Valid Redirect URIs: *
 
- Click Save. 
- Navigate to the - Mapperstab in your Client and click- Create.
- Configure the following options: - Protocol: "openid-connect".
- Name: Any string. This is just a name for the Mapper
- Mapper Type: select "Audience"
- Included Client Audience: select from the dropdown the name of your Client. This will be used as the audiencein the KeycloakFilter.
 
- Click Save. 
- Configure client scope as desired in "Client Scopes" (e.g. - offline_access). It's possible to set up Keycloak to not use scope by removing all of them from "Assigned Default Client Scopes".- Note: All "Assigned Default Client Scopes" must be included in the - FilterPolicy- scopeargument.
Configure Filter and FilterPolicy
Update the Keycloak Filter and FilterPolicy with the following: