Keycloak OpenID Setup

Warning

Be mindful when configuring OpenID providers that are public. Any user who can successfully authenticate with the provider will be able to log in to your deployment of Kasm Workspaces. While access to Kasm Workspaces apps and desktops can be restricted with Kasm group permissions, every user of a public authentication provider would still be able to log in to your deployment. Use a private OpenID provider unless your intention is to allow authenticated access to all users of the OpenID provider.

This guide walks through a basic setup allowing Keycloak users to authenticate with your Kasm deployment.

Reference Docs:

Creating a Keycloak OAuth App

  1. Log in to the Keycloak portal as an admin.

  2. Under the desired realm (e.g. Master), select Realm Settings.

  3. Click OpenID Endpoint Configuration next to Endpoints. This opens the realm's OpenID discovery document.

../../_images/realm_settings.png

Realm Settings

  4. Save off the URLs for issuer, authorization_endpoint, token_endpoint, and userinfo_endpoint. These will be used in later steps.

../../_images/endpoints1.png

Keycloak Endpoints
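Rather than copying the four URLs by hand from the browser, you can pull them out of the discovery document and sanity-check them before pasting them into Kasm. The following is an added example, not code from Kasm or Keycloak; the hostname, realm and the embedded discovery JSON are constructed placeholders that follow Keycloak's default endpoint layout. Besides extracting the values, it checks that every endpoint is HTTPS and sits under the issuer, which catches a URL copied from the wrong realm or host.

```python
import json
from urllib.parse import urlparse

# Constructed sample of a Keycloak realm discovery document (the JSON behind the
# "OpenID Endpoint Configuration" link). Hostname and realm are placeholders;
# the path layout matches Keycloak's default endpoints.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://keycloak.example.com/realms/master",
    "authorization_endpoint": "https://keycloak.example.com/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.example.com/realms/master/protocol/openid-connect/token",
    "userinfo_endpoint": "https://keycloak.example.com/realms/master/protocol/openid-connect/userinfo",
    "end_session_endpoint": "https://keycloak.example.com/realms/master/protocol/openid-connect/logout",
    "jwks_uri": "https://keycloak.example.com/realms/master/protocol/openid-connect/certs",
    "scopes_supported": ["openid", "email", "profile"],
})

# The four values the Kasm OpenID form needs.
KASM_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "userinfo_endpoint")


def extract_kasm_endpoints(discovery_json):
    """Pull the values Kasm needs out of a discovery document; fail on missing keys."""
    doc = json.loads(discovery_json)
    missing = [k for k in KASM_FIELDS if k not in doc]
    if missing:
        raise ValueError("discovery document lacks: " + ", ".join(missing))
    return {k: doc[k] for k in KASM_FIELDS}


def check_endpoints(endpoints):
    """Sanity checks before pasting the URLs into Kasm.

    Returns a list of problems (empty means OK):
      * every URL must be https (the client secret and tokens travel over these);
      * every endpoint must live on the issuer's host and under the issuer path,
        which catches a copy-paste from another realm or another hostname.
    """
    problems = []
    issuer = urlparse(endpoints["issuer"])
    for name, url in endpoints.items():
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{name} is not https: {url}")
        if parsed.netloc != issuer.netloc:
            problems.append(f"{name} host {parsed.netloc!r} differs from issuer host {issuer.netloc!r}")
        if name != "issuer" and not parsed.path.startswith(issuer.path.rstrip("/") + "/"):
            problems.append(f"{name} is outside the issuer path {issuer.path!r}: {url}")
    return problems


if __name__ == "__main__":
    eps = extract_kasm_endpoints(SAMPLE_DISCOVERY)
    for key in KASM_FIELDS:
        print(f"{key:24} {eps[key]}")
    print("problems:", check_endpoints(eps) or "none")
```

Against a live realm you would replace SAMPLE_DISCOVERY with the body fetched from the URL the OpenID Endpoint Configuration link points at (on current Keycloak releases this is <keycloak base>/realms/<realm>/.well-known/openid-configuration); the extraction and checks are unchanged.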

  5. Back in the console, select Clients under the realm.

  6. Select Create.

  7. Define a Client ID, e.g. kasm-12345. Select openid-connect for Client Protocol and enter the URL of the Kasm deployment under Root URL (e.g. https://kasm.example.com).

../../_images/add_client.png

Add Client

  8. In the client settings, change Access Type to confidential, then click Save.

  9. In the Settings section, at the bottom, under Logout, choose one of the following:

    Warning

    Backchannel Logout is recommended. Keycloak delivers it directly to Kasm, server to server, so it does not depend on the user's browser and is more reliable and more secure than front-channel logout. Choose front-channel only if backchannel is not possible, e.g. Keycloak cannot make a direct HTTPS request to Kasm.

    1. Front-channel Logout

      • Set Front-channel logout to On

      • Fill out Front-channel logout URL with the endpoint URL for the kasm deployment (e.g. https://kasm.example.com/api/oidc_frontchannel_logout)

      • Click Save

      ../../_images/slo_frontchannel.png

      Front-channel SLO

    2. Backchannel Logout

      • Set Front-channel logout to Off

      • Fill out Backchannel logout URL with the endpoint URL for the Kasm deployment (e.g. https://kasm.example.com/api/oidc_backchannel_logout)

      • Set Backchannel logout session required to On

      • Click Save

      ../../_images/slo_backchannel.png

      Backchannel SLO

  10. Select Credentials. Save off the Secret. It will be used in later steps.

../../_images/secret.png

Client Secret

  11. In the client settings, select Mappers, then click Create.

  12. Enter groups for Name, select Group Membership for Mapper Type, and enter groups for Token Claim Name. Leave Full group path at its default (On), then select Save.

../../_images/mapper.png

Mappers
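With Backchannel Logout selected above, Keycloak ends a Kasm session by POSTing a form body containing logout_token=<jwt> to the backchannel logout URL, and the receiving side has to verify that token before acting on it. The following is an added example, not Kasm's implementation, of the claim checks that OpenID Connect Back-Channel Logout 1.0 requires; the issuer, client ID, session ID and the token itself are constructed placeholders. Signature verification against the realm's jwks_uri is a prerequisite that this example deliberately leaves out (the standard library has no RSA), so the sample token carries a placeholder signature segment.

```python
import base64
import json
import time
from urllib.parse import parse_qs

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_logout_token(issuer, client_id, sid, now):
    """Constructed sample shaped like the logout token Keycloak POSTs.

    The signature segment is a placeholder: a real token is RS256-signed by the
    realm key and must be verified against the realm's jwks_uri before any of
    the claim checks below mean anything."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    claims = {
        "iss": issuer,
        "aud": client_id,
        "iat": now,
        "jti": "constructed-jti-0001",
        "sub": "3a6d9b5e-0000-4000-8000-000000000001",
        "sid": sid,
        "events": {BACKCHANNEL_EVENT: {}},
    }
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(claims).encode()),
        _b64url(b"signature-placeholder"),
    ])


def logout_token_from_body(body: str) -> str:
    """The back-channel request is a form POST carrying logout_token=<jwt>."""
    tokens = parse_qs(body, strict_parsing=True).get("logout_token", [])
    if len(tokens) != 1:
        raise ValueError("expected exactly one logout_token parameter")
    return tokens[0]


def decode_claims_unverified(token: str) -> dict:
    """Split the compact JWS and decode the payload (no signature check here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def validate_logout_claims(claims, issuer, client_id, now, max_age=300, require_sid=True):
    """Claim checks from OpenID Connect Back-Channel Logout 1.0 (section 2.6).

    Returns a list of errors; an empty list means the token is acceptable once
    its signature has been verified. require_sid mirrors Keycloak's
    "Backchannel logout session required" switch: with it on, every token
    names the session to end, so only that session is terminated."""
    errors = []
    if claims.get("iss") != issuer:
        errors.append("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        errors.append("aud does not contain this client")
    iat = claims.get("iat")
    if not isinstance(iat, int) or not (now - max_age <= iat <= now + 60):
        errors.append("iat missing or outside acceptable window")
    if not claims.get("jti"):
        errors.append("jti missing")  # jti is also the key for replay detection
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_EVENT not in events:
        errors.append("events claim lacks the back-channel logout event")
    if "sub" not in claims and "sid" not in claims:
        errors.append("neither sub nor sid present")
    if require_sid and "sid" not in claims:
        errors.append("sid required but absent")
    if "nonce" in claims:
        errors.append("nonce present (logout token must not carry a nonce)")
    return errors


if __name__ == "__main__":
    issuer = "https://keycloak.example.com/realms/master"  # placeholder issuer
    now = int(time.time())
    body = "logout_token=" + build_sample_logout_token(issuer, "kasm-12345", "constructed-sid", now)
    claims = decode_claims_unverified(logout_token_from_body(body))
    print("errors:", validate_logout_claims(claims, issuer, "kasm-12345", now) or "none")
```

The issuer to compare against is the issuer value saved from the discovery document, and the audience is the Client ID created above; a token that fails any check must be rejected without touching any session.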

Kasm OpenID Config

  1. Log into the Kasm UI as an administrator.

  2. Select Access Management -> Authentication -> OpenID -> Add Config.

  3. Update the form with the following entries, using the Client ID and Client Secret gathered in the previous section.

Property                                 Value
---------------------------------------  ------------------------------------------------------------------
Enabled                                  Checked
Display Name                             Continue with Keycloak
Logo URL                                 https://www.keycloak.org/resources/favicon.ico
Auto Login                               Unchecked
Hostname                                 <Empty>
Default                                  Checked
Client ID                                <Client ID from Keycloak>
Client Secret                            <Client Secret from Keycloak>
Authorization URL                        <authorization_endpoint from the Keycloak configuration>
Token URL                                <token_endpoint from the Keycloak configuration>
User Info URL                            <userinfo_endpoint from the Keycloak configuration>
Scope                                    openid email profile
Username Attribute                       preferred_username
Groups Attribute                         groups
Debug                                    Unchecked
Redirect URL                             https://<Kasm hostname>/api/oidc_callback
OpenID Connect Issuer                    <issuer from the Keycloak configuration>
Logout with OIDC Provider                Checked
Enable OIDC SLO Frontchannel Endpoint    Checked if Front-channel Logout was chosen in the previous section

../../_images/kasm_oidc_configuration3.webp

Kasm OIDC Configurations

  4. Click Save to save the changes.

Keycloak Login Test

  1. Log out of Kasm to display the login screen. The OpenID configuration should be shown.

../../_images/login3.webp

Login Screen

  2. Click Continue with Keycloak.

  3. The user is redirected to Keycloak for authentication.

../../_images/authorization3.png

Keycloak Auth

  4. Upon completion, the user is logged in to Kasm.

Group Mapping

The Keycloak group membership mapper configured above sends the list of groups the user belongs to, as the groups claim, during the OpenID auth workflow. Kasm groups can be mapped to those Keycloak group names so that users are automatically added to and removed from Kasm groups based on their Keycloak group membership.

  1. Log into the Kasm UI as an administrator.

  2. Select Access Management -> Groups -> Add Group.

  3. Name the group Group Test and define a priority.

  4. Click Save to create the group.

../../_images/groups.webp

Group Configuration

  5. On the groups screen, using the arrow menu, select Edit on the group that was just created.

  6. Navigate to the SSO Group Mappings tab and select Add SSO Mapping.

  7. Select the OpenID IDP created above, “OpenID - Continue with Keycloak”, for the SSO Provider.

  8. Then enter the desired Keycloak group name in the Group Attributes field, e.g. /Kasm-Test. Note the leading slash: it is needed because Full group path is set in the Keycloak client mapper, which is the default, so the claim carries the group's full path rather than its bare name. Without the slash the value does not match and users are not added.

  9. Click Submit.

../../_images/sso_group_mapping.webp

Add SSO Group Mapping

  10. Log out, then log in via the Keycloak OpenID login with a user that is a member of the specified group.

  11. View the user's group membership to ensure they were added to the newly created group.
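The slash requirement is easiest to see with the claim itself. The following is an added example, not Kasm's group-sync code: it shows the groups claim as the Group Membership mapper emits it with Full group path on versus off, and applies the mapping rows entered in Kasm's SSO Group Mappings tab as an exact string comparison, which is what the leading-slash note above implies. The usernames, group names and mapping rows are constructed; how Kasm itself compares the values internally is not documented on this page.

```python
# Constructed sample: the "groups" claim Keycloak's Group Membership mapper
# emits with "Full group path" left at its default (On). Nested groups carry
# their whole path.
SAMPLE_CLAIM_FULL_PATH = {
    "preferred_username": "alice",
    "groups": ["/Kasm-Test", "/Engineering/Platform"],
}

# Same user with "Full group path" switched off: bare names, no slash.
SAMPLE_CLAIM_BARE = {
    "preferred_username": "alice",
    "groups": ["Kasm-Test", "Platform"],
}


def kasm_groups_for(claims, sso_mappings, groups_attribute="groups"):
    """Return the set of Kasm group names a user should hold.

    sso_mappings is an iterable of (kasm_group, group_attribute_value), one per
    SSO Group Mapping row. Matching is an exact string comparison, so the
    Group Attributes value must agree with the mapper's Full group path
    setting (leading slash on, bare name off)."""
    claim_groups = set(claims.get(groups_attribute, []))
    return {kasm for kasm, attr in sso_mappings if attr in claim_groups}


def membership_changes(current, desired):
    """Groups to add and to remove so that current becomes desired; this is the
    automatic add/remove the page describes, computed at login time."""
    return sorted(desired - current), sorted(current - desired)


if __name__ == "__main__":
    mappings = [("Group Test", "/Kasm-Test"), ("Platform Admins", "/Engineering/Platform")]
    print("full path claim ->", kasm_groups_for(SAMPLE_CLAIM_FULL_PATH, mappings))
    print("bare claim      ->", kasm_groups_for(SAMPLE_CLAIM_BARE, mappings))  # slash mismatch
    print("changes:", membership_changes({"Group Test", "Stale"},
                                         kasm_groups_for(SAMPLE_CLAIM_FULL_PATH, mappings)))
```

If users log in but never appear in the mapped Kasm group, enable Debug on the Kasm OpenID config to see the groups claim actually received and compare it character for character with the Group Attributes value.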