Skip to main content
Version: 5.5

Configuring an OpenID client for BlueMind with a third-party Keycloak

Introduction

OpenID Connect (OIDC) is an identity layer built on the OAuth 2.0 protocol, enabling a user to authenticate to an authorization server, such as Keycloak, via a secure, standard process.

Where OIDC simplifies the identity management process, Keycloak is an authentication solution.

In Keycloak, a "client" is an application that interacts with Keycloak to authenticate or access securely protected resources, and to manage user sessions.

As of version 5, BlueMind includes OpenID Connect, making it easy to integrate secure authentication services via OpenID clients. As such, its use in Keycloak is essential for implementing a standardized, secure and interoperable authentication solution in enterprise environments.

note

This operation must be carried out for each BlueMind domain that requires authentication with the third-party Keycloak.

Prerequisites

An external URL must be defined for the supervised domain. For further information see General configuration.

Configuration procedure

Naming

In this guide, we will use the following names as examples:

  • the domain: domain.tld.
  • the url of the BlueMind server: mail.domain.tld
  1. Créer un nouveau royaume (realm) dans Keycloak : ouvrir la liste déroulante en haut à gauche et cliquer sur "Create realm" :

    💡 Pour une meilleure visibilité dans Keycloak, il est préférable de donner au royaume le nom du domaine BlueMind :

  2. Créer le client openID : sélectionner le royaume créé et cliquer sur "Create" (« Créer ») en haut de l'onglet "Clients list" (« Liste des clients ») :
  3. Configurer le client openID de Keycloak puis cliquer sur "Next" (« Suivant ») pour continuer :
    • Client type: select "OpenID Connect" type
    • Client ID: As above, for better visibility, we recommend that you choose the BlueMind domain name as your identifier
    • Name :
    • Description:
    • Always display in UI: activate the selector to display the client in the Keycloak authentication test pattern
  4. Paramétrer les capacités ("Capabilty config") puis cliquer sur "Next" (« Suivant ») pour continuer :
    • Client Authentication: activate the selector to enable authentication - the client (in this case the BlueMind server) will need to provide a secret key to prove its identity during communication.
    • Direct access grant: uncheck this box to prohibit direct access
  5. Paramétrer les connexions ("Login settings") : renseigner l'URL externe du domaine BlueMind (voir la General configuration du domaine) dans tous les champs d'URL puis cliquer sur "Next" (« Suivant ») pour continuer :

Retrieving information from the keycloak adapter

Setting up SSO with an external OpenID authentication server requires 3 client configuration items to be noted.

  1. L'URL du serveur OpenID tiers : se rendre dans "Realm settings" et cliquer sur "OpenID Endpoint Configuration" :
    L'URL est formatée comme suit :
  2. OpenId client identifier and OpenId client secret: go to Manage > Clients > domain.tld , go to the Action menu at the top right of the page and click on "Download adpater config". Une popup s'ouvre contenant la configuration dans laquelle on retrouve les éléments souhaités :
    • resource: OpenID client identifier
    • secret: OpenID client secret

Connecting an external user management source

The "User Federation" section lets you connect and integrate external user management sources, such as an LDAP server or a database, with Keycloak. This allows Keycloak to federate users from existing systems, without having to recreate them in Keycloak :

In the BlueMind context, the third-party keycloak can use LDAP as the main source for managing user information.

In this context, it is recommended that all BlueMind accounts be imported from an LDAP directory.

Find out more

To configure BlueMind, please consult the dedicated documentation: Setting up SSO with an external OpenID authentication server