OpenID Connect with KeyCloak on RHEL7

This tutorial shows installing Keycloak as an OpenID Connect Identity Provider and configuring OnDemand as an OpenID Client to authenticate with this provider.

Using as the example host with OnDemand installed, at the end of the tutorial:

  1. Keycloak is running and accessible at

  2. In both cases Apache is handling requests. Apache proxies requests for to the Keycloak server running on the default port of 8080.

  3. Attempting to access OnDemand at redirects the user to to first authenticate.

At OSC in production we do two things differently from this tutorial:

  1. we keep Keycloak on a separate host from OnDemand

  2. we configure Keycloak to use MySQL for Keycloak’s database instead of the default H2 file database

These steps have been omitted from the tutorial. For most cases for OnDemand, the default H2 database is probably sufficient. Also by installing Keycloak on the same host as OnDemand, we don’t need to provision separate SSL certificates and host, which simplifies the tutorial.

If your site is interested in either of these things and needs assistance, please let us know by contacting us on the OnDemand Discourse at


In production we recommend installing Keycloak on a separate host from OnDemand.


This tutorial has only been verified to work with Keycloak 9.0.0.