Back in part 1, we installed Keycloak on top of Kubernetes. Now we want to configure it to generate OIDC tokens based on our (hopefully) existing authentication backend.
In this example, I’m going to use Active Directory, but the setup is similar for and LDAP, and Keycloak also supports most cloud identity providers, plain SAML and so on.
No user identity system?
If you are following along at home, and do not have an existing identity provider like Active Directory, then simply skip the ‘Configuring AD’ section and add a user directly in Keycloak. You can do this by clicking Manage->Users, then ‘Add user’. Make sure you turn ‘Email Verified’ on.
Once the user is created, you can impersonate them and set a password in the Keycloak admin console. See the keycloak documentation for more details.
Now skip over to ‘Configuring OIDC’
Configuring AD
Configuring Keycloak to federate AD users requires logging into the admin console and clicking on ‘User Federation’
Select LDAP as your provider.
You need to have your AD setting to hard, and this will differ depending on your setup. Most of these parameters are standard to any AD integration, so you should be able to reference them or ask for them from an AD administrator.
When you have entered all of the required values and tested the connection, you can save this setup.
Configuring OIDC
Add an OIDC client configuration
Start by clicking ‘Create’ to add a new client
Give your client a name (it can be anything you want.) Click ‘Save’
Force enable verified email
Kubernetes will refuse to work with any identity for which the email is not verified, so we now need to create a mapping to force that. We can do this because we presumably trust that the emails contained within our Active Directory are real.
From the clients list, click the name of your newly-created client. Now click the ‘Mappers’ tab, and finally ‘Create’
Enter the values as below, and click ‘Save’
That’s it! In Part 3 we will tie this all back to the kube-apiserver and test authentication.