2. Configure Keycloak

We will now use Keycloak’s admin Web UI to setup LDAP and add OnDemand as an OIDC client that will authenticate with Keycloak.

2.1. Add a new realm

  1. Log into https://webdev07.hpc.osc.edu:8443 as the admin user
  2. Hover over “Master” on left and click “Add Realm”
  3. Type in name “ondemand” and click “Save”. The new realm is loaded.
  4. Click Login tab, then adjust parameters:
    1. Remember Me: ON
    2. Login with email: OFF
  5. Click Save.

2.2. Configure LDAP

  1. Choose User Federation on the left (verify ondemand realm is current realm)
  2. Select “ldap” for provider
    1. Import Users set to OFF
    2. Edit Mode set to READ_ONLY
    3. Vendor set to other – for OpenLDAP
    4. User Object Classes set to posixAccount – OSC specific and odd
    5. Connection URL: ldaps://openldap1.infra.osc.edu:636 ldaps://openldap2.infra.osc.edu:636 – using multiple to demonstrate more than 1
    6. User DN: ou=People,ou=hpc,o=osc
    7. Auth Type: simple – OSC specific as we allow anonymous binds
    8. Use Truststore SPI: never – OSC specific since our LDAP certificates are already trusted since from InCommon, leaving default is probably acceptable if no truststoreSpi defined in XML configs
  3. Save

Warning

These LDAP settings are what we set for OSC. Your configuration may vary from this. If you run into any problems, please let us know so that once a solution is reached we can document those problem areas here. Contact us on the OOD Mailing List at https://lists.osu.edu/mailman/listinfo/ood-users.

2.3. Add OIDC client template

  1. Choose Client Templates
  2. Click Create (upper right corner)
    1. Name: ondemand-clients
    2. Protocol: openid-connect
    3. Click Save
    4. Mappers tab
    5. Click Add Builtin
    6. Check box the following: username, email, given name, family name, full name
    7. Click Add Selected
    8. Click Scope tab
    9. Set Full Scope Allowed to ON
  3. Verify Mappers >> username has “Token Claim Name” with value preferred_username. This means that when the user logs to OnDemand, the preferred_username claim will contain the username of the user. We will use this when deciding what system user to map a request to.

2.4. Add OnDemand as a client

  1. Choose Clients, then click Create in top right corner
    1. Client ID: webdev07.hpc.osc.edu
    2. Client Protocol: openid-connect
    3. Client Template: ondemand-clients
    4. Save (leave Root URL blank)
  2. Then edit Settings for the newly created client:
    1. Access Type: confidential
    2. Direct Access Grants Enabled: off
    3. Valid Redirect URIs: Press the + button to the right of the URI field so you can insert two URLs:
      1. https://webdev07.hpc.osc.edu/oidc
      2. https://webdev07.hpc.osc.edu
    4. Scroll to bottom and click “Save”
  3. Finally, get the client secret to use with OnDemand installation:
    1. Select the “Installation” tab of the “Client” you are viewing i.e. “Clients >> webdev07.hpc.osc.edu”
    2. Select Format Option: Keycloak OIDC JSON
    3. The “secret” string will be in the credentials section. Copy that for future use in this tutorial (and keep it secure).