Keycloak

The Axon Ivy Engine supports Keycloak as an identity provider. You first need to create a client in Keycloak, from which you need at least the following settings:

  • the Realm (name of the realm)

  • the ClientId (Client identifier)

  • the ClientSecret (Secret value)

Furthermore, you need the Url of your Keycloak instance. If the Axon Ivy Engine should communicate with Keycloak via a different URL in the background (for example for user synchronization), you can additionally specify the BackendUrl. In most cases it is sufficient to copy the template below and adjust the values. However, there are many detailed settings that you can find in the reference. The Engine Cockpit offers a detailed configuration page to connect Keycloak.

Template

# yaml-language-server: $schema=https://json-schema.axonivy.com/ivy/12.0.11/ivy.json
# Keycloak as an Identity Provider for the 'default' Security System
# [engineDir]/configuration/ivy.yaml
SecuritySystems:
  default:
    IdentityProvider:
      Name: keycloak
      Config:
        Url: http://localhost:8080
        BackendUrl: http://keycloak:8090
        Realm: company-realm
        ClientId: oidc-client
        ClientSecret: "${encrypt:1234}"

        Roles:
          Manager: 197004f8-18ff-4e8e-a783-2e120e44a1fa
          Employee: 197004ff-18ff-4e8e-a783-2e120e44a1fa

        UserAttribute:
          Properties:
            division: department

        Proxy:
          Url: https://proxy.local
          UserName: proxyUser
          Password: "${encrypt:proxyPassword}"

Reference

# Keycloak URL is used to redirect the user to the login page.
Url: ""

# Keycloak backend URL is used to synchronize the users. If not set, it falls back to Url.
BackendUrl: ""

# Keycloak realm
Realm: ""

# Client ID provided by Keycloak when registering the application
ClientId: ""

# Client secret provided by Keycloak when registering the application
ClientSecret: ""

# Role mapping that is considered by the user synchronization.
# Users are added to the roles to which they are assigned.
# The left side, e.g. Manager, specifies the unique name of the role defined in Axon Ivy.
# On the right side, e.g. 208e37b6-f34c-4026-bae5-c3aa40bec705, the ID of the group in Keycloak.
# The synchronization adds all users to Manager that are assigned to 208e37b6-f34c-4026-bae5-c3aa40bec705.
# [keyvalue:Ivy Role,Keycloak Group ID]
# [directoryBrowser]
Roles:
  #Manager: 208e37b6-f34c-4026-bae5-c3aa40bec705

UserAttribute:
  # User property mapping of Keycloak attributes that are imported and available as user properties (IUser.getProperty).
  # The left side, e.g. phone, specifies the unique name of the user property in Axon Ivy.
  # On the right side, e.g. mobilePhone, the name of the attribute of a user in Keycloak.
  # [keyvalue:User Property,Keycloak Attribute Name]
  Properties:
    #phoneNumber: mobilePhone

Proxy:
  # Url of the forward proxy
  Url: ""
  # Username to authenticate against the forward proxy
  UserName: ""
  # Password to authenticate against the forward proxy
  Password: ""
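As an added illustration (this is not Axon Ivy product code and not part of the original documentation), the following Python models how the settings in the reference above are interpreted: the BackendUrl fallback to Url, the Roles mapping from an Ivy role name to a Keycloak group ID, and the UserAttribute.Properties mapping from an Ivy property to a Keycloak attribute name. It also runs a few sanity checks that a reviewer would want before deploying such a configuration. The config dict is the parsed form of the template on this page; the Keycloak users and the second, deliberately flawed configuration are constructed sample data. It assumes that Keycloak group IDs are UUIDs and that a value of the form ${encrypt:...} denotes an encrypted secret.

```python
import re

# Parsed form of the "Config:" section of the template on this page (values taken from the page).
CONFIG = {
    "Url": "http://localhost:8080",
    "BackendUrl": "http://keycloak:8090",
    "Realm": "company-realm",
    "ClientId": "oidc-client",
    "ClientSecret": "${encrypt:1234}",
    "Roles": {
        "Manager": "197004f8-18ff-4e8e-a783-2e120e44a1fa",
        "Employee": "197004ff-18ff-4e8e-a783-2e120e44a1fa",
    },
    "UserAttribute": {"Properties": {"division": "department"}},
}

# Constructed sample users, shaped like what a synchronization run would read from Keycloak:
# group membership as group IDs, plus the user's attributes.
KEYCLOAK_USERS = [
    {"username": "alice",
     "groups": ["197004f8-18ff-4e8e-a783-2e120e44a1fa", "197004ff-18ff-4e8e-a783-2e120e44a1fa"],
     "attributes": {"department": "Finance", "mobilePhone": "+41 00 000 00 00"}},
    {"username": "bob",
     "groups": ["197004ff-18ff-4e8e-a783-2e120e44a1fa"],
     "attributes": {"department": "IT"}},
    {"username": "carol", "groups": [], "attributes": {}},
]

# A constructed configuration with the kind of mistakes a review should catch.
BAD_CONFIG = {
    "Url": "http://idp.example.com",          # user-facing login URL over plain http
    "BackendUrl": "",
    "Realm": "company-realm",
    "ClientId": "oidc-client",
    "ClientSecret": "1234",                   # secret in clear text instead of ${encrypt:...}
    "Roles": {"Manager": "managers"},         # group *name* instead of the Keycloak group ID
    "UserAttribute": {"Properties": {}},
}

# Assumption: Keycloak group IDs are lowercase UUIDs.
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
# Assumption: ${encrypt:...} marks a value that is stored encrypted.
ENCRYPTED_RE = re.compile(r"^\$\{encrypt:.+\}$")


def backend_url(config):
    """URL used for user synchronization: BackendUrl if set, otherwise Url."""
    return config.get("BackendUrl") or config["Url"]


def ivy_roles_for(user, config):
    """Every Ivy role whose configured Keycloak group ID is among the user's groups."""
    groups = set(user["groups"])
    return sorted(role for role, group_id in config.get("Roles", {}).items() if group_id in groups)


def ivy_properties_for(user, config):
    """Map Keycloak attributes to Ivy user properties; unmapped attributes are not imported."""
    mapping = config.get("UserAttribute", {}).get("Properties", {})
    attrs = user["attributes"]
    return {prop: attrs[attr] for prop, attr in mapping.items() if attr in attrs}


def sync(users, config):
    """Simulate one synchronization run: roles and properties per user."""
    return {u["username"]: {"roles": ivy_roles_for(u, config),
                            "properties": ivy_properties_for(u, config)}
            for u in users}


def check_config(config):
    """Sanity checks on the Keycloak section; returns a list of human-readable findings."""
    findings = []
    for key in ("Url", "Realm", "ClientId", "ClientSecret"):
        if not config.get(key):
            findings.append(f"{key} is empty")
    secret = config.get("ClientSecret", "")
    if secret and not ENCRYPTED_RE.match(secret):
        findings.append("ClientSecret is stored in clear text; wrap it as ${encrypt:...}")
    for role, group_id in config.get("Roles", {}).items():
        if not UUID_RE.match(group_id):
            findings.append(f"Roles.{role}: '{group_id}' is not a Keycloak group ID (UUID expected)")
    url = config.get("Url", "")
    if url.startswith("http://") and "localhost" not in url:
        findings.append("Url uses plain http; browsers are redirected to it for login, so use https")
    return findings


if __name__ == "__main__":
    print("synchronizing via", backend_url(CONFIG))
    for name, result in sync(KEYCLOAK_USERS, CONFIG).items():
        print(name, result)
    print("findings for template:", check_config(CONFIG))
    print("findings for bad config:", check_config(BAD_CONFIG))
```

Note that alice's mobilePhone attribute is not imported because only department is mapped, and carol receives no role because she is in none of the configured groups; the template configuration passes all checks, while the flawed one yields three findings.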