Using Keycloak for Multifactor Authentication for CTE GuardPoints

Integration with Keycloak requires creating an OIDC connection in CipherTrust Manager, after you create an OIDC template in Keycloak.

Prerequisites

• Have a CipherTrust Manager set up with:

  • Client Profile enabled for Multifactor Authentication

  • Registration token

  • CipherTrust Transparent Encryption host and Keycloak server must have their time's synchronized. If they are not time-synced, then Multifactor Authentication login fails with the following error:

    Failed to verify ID Token: oidc: token is expired (Token Expiry: 2022-11-08 22:42:20 -0800 PST)

On the Keycloak platform

1. Create an admin user.

2. Login to the realm and create one or more users.

3. Create a password for the user.

4. Create an OIDC client in realm with the following settings enabled:

   • Valid Redirect URIs: Configure in the format:

     http://127.0.0.1:<CTE-OIDC-Login-Port>/auth/callback

   • Default value of CTE-OIDC-Login-Port: 5560, if CTE admin changes this port, they must provide the updated value.

   • General Settings:

     • Client Type: OpenID Connect

     • Client ID: Client name

   • Capability Config:

     • Client Authentication: On

     • Authorization: On

     • Authentication Flow: Standard Flow

5. Note three OIDC parameters:

   • Provider URL format:

     • For non-TLS: http://<keycloak-ip>:<keycloak-port>/realms/<realm-name>/.well-known/openid-configuration

     • For TLS: https://<keycloak-ip>:<keycloak-port>/realms/<realm-name>/.well-known/openid-configuration

     Note

     If KeyCloak is configured for TLS, the KeyCloak certificate (if self-signed), or certificate chain, including the root CA, and any intermediate CAs, must be imported into the CipherTrust Transparent Encryption client machine. Import the self-signed certificate as a root CA. CipherTrust Transparent Encryption will fail to connect to the provider if certificates are not imported. To import a certificate: see Importing Certificates Using MMC

   • Client-ID as configured for the OIDC client

   • Client-Secret as shown for the OIDC client

Create an OIDC connection on CipherTrust Manager

1. Log on to the CipherTrust Manager GUI as an administrator.

2. In the left pane, click Access Management > Connections.

3. In the Connections, click Add Connection.

4. Click OIDC and then click Next.

5. Provide a name for the connection and click Next.

6. Enter values for the configuration information.

   Note

   Refer to your Multifactor Authentication provider profile for the values:

   • URL of OIDC provider:
   Linux

   • For KeyCloak, select the URL of the OIDC provider

   Windows

   • For Thales SafeNet Trusted Access, select Well Known Configuration URL

   • For all other providers, select the URL of the OIDC provider

   • Client-ID as configured for the OIDC client

   • Client-Secret as shown for the OIDC client

7. Click Next and in the Add Products window, select CTE for product.

8. Click Add Connection.