# Keycloak Using OIDC This article provides step-by-step instructions to integrate the OvalEdge application with Keycloak using OpenID Connect (OIDC)-based Single Sign-On (SSO). The integration enables centralized authentication through Keycloak while OvalEdge continues to manage internal access control. ### Purpose The objectives of this guide are to: * Enable secure OIDC-based SSO authentication for OvalEdge users. * Centralize identity and access management using Keycloak as the Identity Provider (IdP). * Simplify user provisioning and implement role-based access control. ### Process Overview This guide covers the following high-level steps: 1. Access the Keycloak Admin Console. 2. Create a new Realm. 3. Register OvalEdge as an OIDC Client. 4. Configure client credentials and redirect URIs. 5. Create roles and users. 6. Assign roles to users. 7. Configure client scopes and mappers. 8. Retrieve OpenID Endpoint Configuration. 9. Update OvalEdge configuration files. 10. Restart services and verify authentication. ### Prerequisites * Access to the Keycloak Admin Console. * Administrator credentials for Keycloak. * OvalEdge application URL. * Access to the OvalEdge server (VM). * Access to the Tomcat directory and environment files. ## Steps ### Access the Keycloak Admin Console * Open the Keycloak Admin Console in a browser. * Log in using valid administrator credentials. * Use the Realm dropdown to view and manage realms. ### Create a New Realm * Click **Create Realm**. * Enter a unique name for the new realm. * Click **Create**.

* Confirm the realm appears in the Realm dropdown.\ ![](https://1813356899-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhTnkoJQml0pok9awFDhx%2Fuploads%2FZ3chXXnCx53TZ487i31l%2Fimage.png?alt=media\&token=72c6e174-e88a-42e7-9887-03eb14badd05) ### Configure a Client for OvalEdge * Select the newly created realm. * Navigate to **Clients** and click **Create Client**.

* Enter the following details: * Client Type: **OpenID Connect** * Client ID: `oe-keycloak` (example; use a meaningful identifier) * Name and Description: Provide descriptive names.

* Click **Next**. **Capability Config:** * Enable **Client Authentication**. * Set Authentication Flow to **Standard Flow**.

* Click **Next**. **Login Settings:** * Root URL: `https://client.ovaledge.com/ovaledge` * Home URL: `https://client.ovaledge.com/ovaledge` * Redirect URIs:\ `https://client.ovaledge.com/ovaledge/oauth2/code/keycloak`

> Note: > > * Do not include `/login` at the end of the URL. > * Replace `client.ovaledge.com` with the actual domain. > * Use only specific redirect URIs for security. * Click **Save** to complete client creation. ### Manage Client Credentials * Navigate to **Clients** and select the created Client ID. * Go to the **Credentials** tab. * Set **Client ID and Secret** as the Client Authenticator.

* Click **Save** to generate the client secret. * Record the generated Client Secret for later use. ### Create Roles * Navigate to the **Roles** tab. * Click **Create Role**.

* Enter the role name (e.g., `OE_ADMIN`). * Optionally add a description.

* Click **Save**. ### Create Users and Assign Roles * Navigate to **Users** and click **Add User**.

* Fill in the required details and click **Create**. * Open the created username to access User Details. * Go to the **Role Mappings** tab.

* In **Client Roles**, select the relevant client.

* Assign the created role (e.g., `OE_ADMIN`) and click **Assign**.

### Configure Client Scopes * Navigate to **Client Scopes**.

* Select the predefined **Roles** client scope. * In **Settings**: * Enable **Include in token scope**. * Ensure **First Name, Last Name, and Email Address** are included.

* Click **Save**. ### Enable Client Role Mappers * Navigate to the **Mappers** tab. * Select or create role mappers for the client.

* Set **Client ID** to `oe-keycloak`. * Enable **Add to ID token** for relevant mappers.

* Save the configuration. ### Obtain OpenID Endpoint Configuration * Navigate to **Realm Settings**. * Under the **Endpoints** tab, click **OpenID Endpoint Configuration**.

* Copy the base URL up to `/openid-connect`.

* Save this URL for OvalEdge configuration. ### Configure OvalEdge * Log in to the OvalEdge Application VM. * Open the `oasis.properties` file in the **extprop** folder. * Update or add the following values: * **Client ID:** from Keycloak client setup. * **Client Secret:** from Keycloak client credentials. * **OIDC base URL:** from the OpenID Endpoint Configuration.

* Save and close the file. **Tomcat Configuration:** * Navigate to the Tomcat **bin** folder. For Linux: * Edit `setenv.sh`. * Add: ``` -DOVALEDGE_SECURITY_TYPE=oauth2 ```

* Save and close the file. For Windows: * Open `tomcat9w.exe`. * Go to the **Java** tab. * Add: ``` -DOVALEDGE_SECURITY_TYPE=oauth2 ```

* Click **Apply** and **OK**. **Restart Services:** * Restart the Tomcat service. * Wait 2–4 minutes. * Open the OvalEdge application in a browser.

**Validate Integration:** * Click **Login with Keycloak**. * Enter the Keycloak username and password.

* Upon successful authentication, it will be redirected to the OvalEdge home page.