Version: 2.11

Integrate External Keycloak

Prerequisites

  • Administrator privileges for Portworx Backup built-in Keycloak web console.

  • An external Keycloak deployment on any Kubernetes server or standalone VM. In this article, external Keycloak refers to a separately managed Keycloak instance (not the one bundled with Portworx Backup), and Portworx Backup built-in Keycloak refers to the Keycloak instance that Portworx Backup installs and manages.

Workflow

  1. Install external Keycloak
  2. Configure external Keycloak
  3. Register the Portworx Backup redirect URI in the external Keycloak client. In the external Keycloak admin console, navigate to your realm > Clients > select your client > Settings > Valid Redirect URIs, and add the Portworx Backup redirect URI: http://<portworx-backup-ui-endpoint>/auth/realms/master/broker/<identity-provider-alias>/endpoint. Replace <portworx-backup-ui-endpoint> with the Portworx Backup UI address and <identity-provider-alias> with the alias you will configure in step 5 below. Without this step, login will fail with an Invalid redirect URI error.
  4. Configure Portworx Backup Keycloak

Configure Portworx Backup Keycloak

  1. Access Portworx Backup built-in Keycloak web console with the following URL: http://NODE_IP:NODE_PORT/auth/

    Refer to the Configure access to web console topic for more information.

  2. Log in with valid and active user credentials.

  3. In the left navigation pane of the home page, under Configure, click Identity Providers and then select Keycloak OpenID Connect under User-defined.

  4. In the Add Keycloak OpenID Connect to Identity Providers page, provide the required information for the following fields:


  5. Update the following information and then click Add.

    • Alias: name of your choice (this value is used in the redirect URI you registered in the external Keycloak in the Workflow step above)
    • Discovery endpoint: http://(external-keycloak-ip:port)/realms/master/.well-known/openid-configuration
      If the external Keycloak is version 16 or earlier, the Discovery endpoint uses the /auth/ path prefix:
      http://(external-keycloak-ip:port)/auth/realms/master/.well-known/openid-configuration
    • Client ID: provide the client ID configured in the external Keycloak for this integration
    • Client Secret: paste the client secret copied from the external Keycloak client configuration
  6. Configure Keycloak OIDC as shown in the following illustration:

  7. Now access the Portworx Backup web console from a different browser window and click keycloak-oidc under Sign in with your OIDC Provider.

The login page redirects you to the external Keycloak server; log in there with the user credentials that you created on the external Keycloak server.

  1. Log in to the Portworx Backup web console and verify that the profile section carries accurate information.
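The two values that most often break this integration are the Discovery endpoint (wrong /auth/ prefix for the external Keycloak version) and the redirect URI that must appear in the external client's Valid Redirect URIs (the Invalid redirect URI error from the Workflow section). The following script is an added example, not part of the Portworx Backup documentation or product, that builds both URLs from the inputs above and checks a fetched discovery document against them offline. The host names, ports, alias, the sample discovery document and the simplified wildcard matching of Valid Redirect URIs (exact match, or prefix match when an entry ends in `*`) are all assumptions made for the example.

```python
"""Offline sanity checks for the URLs used when wiring Portworx Backup's
built-in Keycloak to an external Keycloak over OIDC (example code)."""
import json
from urllib.parse import urlparse

# Fields every OpenID Connect discovery document must carry for the broker to work.
REQUIRED_DISCOVERY_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_endpoint(external_base: str, keycloak_major: int, realm: str = "master") -> str:
    """Build the discovery URL for the external realm.
    Keycloak 16 and earlier serve everything under /auth/; 17 and later drop the prefix."""
    base = external_base.rstrip("/")
    prefix = "/auth" if keycloak_major <= 16 else ""
    return f"{base}{prefix}/realms/{realm}/.well-known/openid-configuration"


def redirect_uri(pxb_ui_endpoint: str, alias: str) -> str:
    """Redirect URI that must be registered in the external client's Valid Redirect URIs."""
    base = pxb_ui_endpoint.rstrip("/")
    return f"{base}/auth/realms/master/broker/{alias}/endpoint"


def redirect_uri_allowed(uri: str, valid_redirect_uris) -> bool:
    """Simplified model of Keycloak's Valid Redirect URIs matching (assumption):
    an entry matches exactly, or as a prefix when it ends with '*'."""
    for pattern in valid_redirect_uris:
        if pattern.endswith("*"):
            if uri.startswith(pattern[:-1]):
                return True
        elif uri == pattern:
            return True
    return False


def check_discovery_document(doc_text: str, expected_discovery_url: str) -> list:
    """Return a list of findings for a discovery document (empty list means OK)."""
    findings = []
    try:
        doc = json.loads(doc_text)
    except json.JSONDecodeError as exc:
        return [f"discovery document is not valid JSON: {exc}"]
    for key in REQUIRED_DISCOVERY_KEYS:
        if key not in doc:
            findings.append(f"missing required field: {key}")
    if "issuer" in doc:
        # The issuer is the realm URL, i.e. the discovery URL without its well-known suffix.
        expected_issuer = expected_discovery_url.rsplit("/.well-known/", 1)[0]
        if doc["issuer"].rstrip("/") != expected_issuer:
            findings.append(f"issuer mismatch: {doc['issuer']} != {expected_issuer}")
        if urlparse(doc["issuer"]).scheme != "https":
            findings.append("issuer is not https: client secret and tokens would travel in cleartext")
    return findings


# Constructed sample: what a Keycloak 17+ realm returns from its discovery endpoint.
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": "https://kc.example.internal:8443/realms/master",
    "authorization_endpoint": "https://kc.example.internal:8443/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "https://kc.example.internal:8443/realms/master/protocol/openid-connect/token",
    "jwks_uri": "https://kc.example.internal:8443/realms/master/protocol/openid-connect/certs",
})

if __name__ == "__main__":
    # Hypothetical addresses; replace with your own deployment values.
    ext = discovery_endpoint("https://kc.example.internal:8443", keycloak_major=21)
    print("Discovery endpoint:", ext)
    uri = redirect_uri("http://pxb.example.internal:31234", "keycloak-oidc")
    print("Redirect URI to register:", uri)
    print("Covered by client's Valid Redirect URIs:",
          redirect_uri_allowed(uri, ["http://pxb.example.internal:31234/*"]))
    print("Discovery findings:", check_discovery_document(SAMPLE_DISCOVERY_DOC, ext) or "none")
```

To use it against a live deployment, fetch the discovery endpoint with curl, save the body to a file, and pass its contents to `check_discovery_document` together with the URL you entered in the Discovery endpoint field; an issuer mismatch there usually means the /auth/ prefix choice does not match the external Keycloak version.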