Keycloak
Use these instructions to set up Keycloak as your SSO provider for Tonic Textual.
Keycloak configuration
Within Keycloak, select the realm to use for your Textual client. Under Clients, click Create client.

On the Create client page, under General Settings:
From the Client type dropdown list, select OpenID Connect.
Enter a Client ID and Name.
Click Next.

On the Capability Config tab, click Save. The details page for the new client displays.
On the Settings tab, under Access settings, enter your Textual URL information.

Click Client scopes. Each client has a dedicated scope named <client-id>-dedicated. To configure the scope, click the scope name.

On the Mappers tab, to add a property mapper to the scope, click Configure a new mapper.

In the list of mapper types, click Group Membership.

Under Add mapper, set both Name and Token Claim Name to groups.

The Full group path toggle affects how child groups appear in Tonic:
When on, child groups display as parent group/child group.
When off, child groups display as child group.
To save the new group membership mapper, click Save.
Textual configuration
After you complete the configuration in Keycloak, uncomment and configure the required environment variables in Textual. You need the following values from Keycloak:
The realm URL
The client identifier
The client secret, if client authentication is enabled for the client
For Kubernetes, in values.yaml:
# Keycloak SSO Config
# -----------------
#keycloakClientId: <client-id>
#keycloakClientSecret: <client-secret>
#keycloakAuthority: <authority-url>
For Docker, in .env:
#SOLAR_SSO_KEYCLOAK_AUTHORITY=<keycloak_url_with_scheme>/realms/<realm_name>
#SOLAR_SSO_KEYCLOAK_CLIENT_ID=<client identifier>
#SOLAR_SSO_KEYCLOAK_CLIENT_SECRET=<client secret>
Disabling pushed authorization requests
The environment variable SOLAR_SSO_KEYCLOAK_DISABLE_PUSHED_AUTHORIZATION determines whether to disable Keycloak pushed authorization requests. By default, this is false.
Set this to true to troubleshoot Keycloak authentication issues.
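To confirm the authority value before you uncomment it, and to see whether the realm advertises pushed authorization requests at all, the following Python check is an added example (not Tonic's or Keycloak's own code). It compares the configured authority with the realm's OpenID discovery document, which a Keycloak realm serves at <authority>/.well-known/openid-configuration; the discovery JSON below is a constructed sample, and the hostname and realm name in it are placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed sample of the discovery document a Keycloak realm serves at
# <authority>/.well-known/openid-configuration (most fields omitted).
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://keycloak.example.com/realms/textual",
  "authorization_endpoint": "https://keycloak.example.com/realms/textual/protocol/openid-connect/auth",
  "token_endpoint": "https://keycloak.example.com/realms/textual/protocol/openid-connect/token",
  "pushed_authorization_request_endpoint": "https://keycloak.example.com/realms/textual/protocol/openid-connect/ext/par/request"
}""")


def discovery_url(authority: str) -> str:
    """Where to fetch the discovery document for a configured authority."""
    return authority.rstrip("/") + "/.well-known/openid-configuration"


def check_keycloak_authority(authority: str, discovery: dict) -> list[str]:
    """Compare SOLAR_SSO_KEYCLOAK_AUTHORITY (or keycloakAuthority) with the
    realm's discovery document. Returns the problems found; an empty list
    means the value is consistent with what the realm reports about itself."""
    problems = []
    url = urlparse(authority)
    if url.scheme != "https":
        problems.append("authority must include the scheme and should use https")
    parts = [p for p in url.path.split("/") if p]
    if len(parts) < 2 or parts[-2] != "realms":
        problems.append("authority must end in /realms/<realm_name>")
    # OIDC Discovery requires the advertised issuer to equal the URL used to
    # locate it; a mismatch usually means the wrong realm, host or proxy path,
    # and clients that validate the issuer will reject the tokens.
    if discovery.get("issuer") != authority.rstrip("/"):
        problems.append(f"issuer mismatch: realm reports {discovery.get('issuer')!r}")
    if "pushed_authorization_request_endpoint" not in discovery:
        problems.append(
            "realm does not advertise PAR; try "
            "SOLAR_SSO_KEYCLOAK_DISABLE_PUSHED_AUTHORIZATION=true while troubleshooting")
    return problems


if __name__ == "__main__":
    authority = "https://keycloak.example.com/realms/textual"
    print(discovery_url(authority))
    print(check_keycloak_authority(authority, SAMPLE_DISCOVERY) or "authority looks consistent")
```

Against a live realm, fetch discovery_url(authority) with any HTTP client and pass the parsed JSON as the second argument.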