Install and Configure Keycloak for Modzy

Overview

The steps below take you through the process of installing Keycloak using the bitnami/keycloak helm charts and configuring a realm for use with Modzy

Installation

1. Add the helm repository

helm repo add bitnami https://charts.bitnami.com/bitnami

2. For ease of use, create a values yaml file, keycloak-values.yaml, for example with contents as follows (note the http/https service ports are set to 8080/8443 respectively as the default 80/443 will be used by modzy) :

ingress:
  enabled: false
service:
  type: LoadBalancer
  ports:
    http: 8080
    https: 8443
postgresql:
  auth:
    username: dbadmin
    password: your-db-admin-password

auth:
  adminUser: admin
  adminPassword: your-admin-password

tls:
  enabled: true
  existingSecret: id.modzy.example.com-tls
  usePem: true
  keystorePassword: your-keystore-password
  truststorePassword: your-truststore-password

3. Create a kubernetes namespace for the keycloak installation (the following creates namespace keycloak) :

kubectl create namespace keycloak

4. With the SSL certificate and key files present in the current directory, create a kubernetes secret with the command shown below.

📘

i. Update the certificate and key file names (cert-file.crt _and _cert-key-file.crt) as needed to match your actual files.
ii. The name of the secret to be created, in this example id.modzy.example.com-tls must match the name used for the existingSecret parameter in the keycloak-values.yaml file created in step 2

kubectl create secret generic id.modzy.example.com-tls --from-file=tls.crt=cert-file.crt --from-file=tls.key=cert-key-file.key -n keycloak

5. Install the keycloak helm chart (this assumes the keycloak-values.yaml file created in step 2 is present in the current directory

helm install -f keycloak-values.yaml keycloak bitnami/keycloak -n keycloak

This takes a brief few minutes to deploy. To check on the status of the deployment, execute the below (pod keycloak-0 in a Running 1/1 Ready state indicates successful deployment) :

root@ip-10-10-5-108:~# kubectl get pods -n keycloak
NAME                    READY   STATUS    RESTARTS   AGE
keycloak-0              1/1     Running   0          43m
keycloak-postgresql-0   1/1     Running   0          43m
svclb-keycloak-6rsk2    2/2     Running   0          43m
svclb-keycloak-jhgj9    2/2     Running   0          43m
svclb-keycloak-k25g4    2/2     Running   0          43m

Configuration

Configuring Keycloak for use with Modzy involves creating the modzy realm and exporting the SAML metadata xml
(This assumes DNS has been configured to point id.modzy.example.com to the keycloak instance)

1. Navigate to the Keycloak landing page: https://id.modzy.example.com:8443 and login to the Administration Console

2. From the Realm dropdown, select Add realm

3. Specify the name of the new realm as modzy and click the Create button

4. With the modzy realm now created and within the context of the realm as shown below, click on Clients in the left navigation bar

5. In the clients screen, click the create button to create a new client

6. Specify com.modzy.saml.sp as the Client ID and saml for the protocol as shown below then click on Save

7. In the resulting screen with more configuration options for the Client, set the following options (Save changes when done) :
   Sign Assertions: ON
   Client SIgnature Required: OFF
   Root URL: https://modzy.example.com
   Valid Redirect URIs: /saml/*
   Base URL: /

8. Navigate back to the Realm Settings screen as shown below, from the Endpoints field right-click and save the SAML 2.0 Identity Provider Metadata file for use with Modzy