Configure the OIDC Identity Provider¶
SEAL Operator authenticates a user via OAuth 2.0 and the OpenID Connect (OIDC) protocol. For this, an OIDC identity provider is required.
The Keycloak identity provider is delivered together with SEAL Operator. Alternatively, you can use another OIDC identity provider.
Literature - OIDC identity provider
For more information about Keycloak and other OIDC identity providers used with the SEAL Systems products, refer to the SEAL Interfaces for OIDC documentation.
Steps with SEAL Operator (When Using Keycloak)¶
- Export the complete configuration of SEAL Operator from Consul to a YAML file in order to ensure that the current configuration settings are used.

    operator config export <filename>.yml --insecure

- In the exported file <filename>.yml, in the section for all SEAL Operator services, replace <id_provider_server> in the values of ID_PROVIDER_NAME and AUTH_ISSUER_URL with the server name of the OIDC identity provider. Use the fully-qualified domain name (FQDN) of the OIDC identity provider server.

    env:
      service:
        any:
          tag:
            any:
              ...
              ID_PROVIDER_NAME: https://<id_provider_server>:32769/auth/realms/SEAL
              AUTH_ISSUER_URL: https://<id_provider_server>:32769/auth/realms/SEAL
              ...

- Save the <filename>.yml file and re-import it to Consul.

    operator config import <filename>.yml --insecure
Steps with SEAL Operator (When Using Another OIDC Identity Provider)¶
- Export the complete configuration of SEAL Operator from Consul to a YAML file in order to ensure that the current configuration settings are used.

    operator config export <filename>.yml --insecure

- In the exported file <filename>.yml, in the section for all SEAL Operator services, configure the following keys for the certificate and the client credentials grant:

    env:
      service:
        any:
          tag:
            any:
              ...
              ID_PROVIDER_NAME: <iss_property_in_idp>
              ID_PROVIDER_CERT: <path_and_filename_of_idp_certificate>
              AUTH_CLIENT_ID: <client_id_used_in_idp>            # default: operator
              AUTH_CLIENT_SECRET: <client_secret_generated_by_idp>
              AUTH_TOKEN_ENDPOINT: <token_endpoint_url_of_idp>
              AUTH_ISSUER_URL: <idp_url>
              ...

- In the exported file <filename>.yml, in the section for the operator-ui service, configure the following key for the authorization code grant:

    env:
      service:
        ...
        operator-ui:
          tag:
            any:
              ...
              AUTH_CLIENT_ID: <client_id_used_in_idp>            # default: seal-print-client
              ...

- Save the <filename>.yml file and re-import it to Consul.

    operator config import <filename>.yml --insecure
- When using an OIDC identity provider other than the default Keycloak installation from SEAL Systems, the following Windows environment variables have to be set for calling the SEAL Operator CLI, unless the respective default applies:

    AUTH_CLIENT_ID: client name configured in the OIDC identity provider for retrieving the access token
    AUTH_CLIENT_SECRET: client secret for retrieving the OIDC identity provider's access token
    AUTH_ISSUER_URL: OIDC issuer URL
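Before re-importing the edited export in either of the two procedures above, it is worth checking that the OIDC keys are consistent: an issuer that is not https or not an FQDN, a leftover `<placeholder>`, a token endpoint that does not belong to the issuer, or a missing client secret or certificate path will only surface later as a failed login. The following checker is an added example and not SEAL Systems code; it assumes the exported YAML has already been loaded into nested dicts mirroring the `env` / `service` / `tag` layout shown above, and the host `idp.example.com` in the sample is made up.

```python
"""Sanity checks for the OIDC keys in an exported SEAL Operator config.
Added example, not SEAL Systems code; expects the YAML already loaded into
nested dicts mirroring the env/service/tag layout shown in the procedure."""
from urllib.parse import urlparse

def _is_fqdn_https(url):
    """True if url is https and its host is a dotted name, not an IP or a bare hostname."""
    u = urlparse(url)
    host = u.hostname or ""
    return u.scheme == "https" and "." in host and not host.replace(".", "").isdigit()

def check_oidc_config(config):
    """Return a list of findings; an empty list means the OIDC keys look consistent."""
    findings = []
    services = config.get("env", {}).get("service", {})
    common = services.get("any", {}).get("tag", {}).get("any", {})
    ui = services.get("operator-ui", {}).get("tag", {}).get("any", {})
    # Unresolved <placeholder> values mean the template was edited incompletely.
    for key, val in common.items():
        if isinstance(val, str) and val.startswith("<") and val.endswith(">"):
            findings.append(f"{key}: placeholder value not replaced")
    issuer = common.get("AUTH_ISSUER_URL", "")
    if not _is_fqdn_https(issuer):
        findings.append("AUTH_ISSUER_URL: must be https and use the FQDN of the identity provider")
    # For a Keycloak realm both keys carry the same realm URL; a mismatch fails the iss check.
    if "/auth/realms/" in issuer and common.get("ID_PROVIDER_NAME") != issuer:
        findings.append("ID_PROVIDER_NAME: differs from AUTH_ISSUER_URL for a Keycloak realm")
    token_ep = common.get("AUTH_TOKEN_ENDPOINT")
    if token_ep is not None:
        # Client credentials grant: token endpoint must live under the issuer,
        # and the service client needs a secret and a trust anchor for the provider.
        if not token_ep.startswith(issuer.rstrip("/") + "/"):
            findings.append("AUTH_TOKEN_ENDPOINT: not under AUTH_ISSUER_URL")
        if not common.get("AUTH_CLIENT_SECRET"):
            findings.append("AUTH_CLIENT_SECRET: missing for the client credentials grant")
        if not common.get("ID_PROVIDER_CERT"):
            findings.append("ID_PROVIDER_CERT: no certificate path for the identity provider")
    if not ui.get("AUTH_CLIENT_ID"):
        findings.append("operator-ui AUTH_CLIENT_ID: missing for the authorization code grant")
    return findings

# Constructed sample mirroring the Keycloak variant of the export (idp.example.com is made up).
KEYCLOAK_OK = {"env": {"service": {
    "any": {"tag": {"any": {"ID_PROVIDER_NAME": "https://idp.example.com:32769/auth/realms/SEAL",
                            "AUTH_ISSUER_URL": "https://idp.example.com:32769/auth/realms/SEAL"}}},
    "operator-ui": {"tag": {"any": {"AUTH_CLIENT_ID": "seal-print-client"}}}}}}
```

Run `check_oidc_config` on the loaded export and only proceed with `operator config import` when it returns an empty list.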
Literature - keys
For further information about the keys, refer to the description of the Keys.
Next Step¶
Continue with: Configure the Fileupload Connector