Skip to content

Configure the OIDC Identity Provider

SEAL Operator authenticates a user via the OAuth 2.0 and the OpenID Connect protocol. For this, an OIDC identity provider is required.

The Keycloak identity provider is enclosed in delivery with SEAL Operator. Alternatively, you can use another OIDC identity provider.

Literature - OIDC identity provider

For more information about Keycloak and other OIDC identity providers used with the SEAL Systems products, refer to the SEAL Interfaces for OIDC documentation.

Steps with SEAL Operator (When Using Keycloak)

  1. Export the complete configuration of SEAL Operator from Consul to a YAML file in order to ensure that the current configuration settings are used.

    operator config export <filename>.yml --insecure

  2. In the exported file <filename>.yml in the section for all SEAL Operator services, change the value for ID_PROVIDER_NAME and AUTH_ISSUER_URL to the server name <id_provider_server> of the OIDC identity provider. Use the fully-qualified domain name (FQDN) of the OIDC identity provider server.

    env:
  service:
    any:
      tag:
        any:
          ...
          ID_PROVIDER_NAME: https://<id_provider_server>:32769/auth/realms/SEAL
          AUTH_ISSUER_URL: https://<id_provider_server>:32769/auth/realms/SEAL
          ...

  3. Save the <filename>.yml file and re-import it to Consul.

    operator config import <filename>.yml --insecure

Steps with SEAL Operator (When Using Another OIDC Identity Provider)

  1. Export the complete configuration of SEAL Operator from Consul to a YAML file in order to ensure that the current configuration settings are used.

    operator config export <filename>.yml --insecure

  2. In the exported file <filename>.yml in the section for all SEAL Operator services, configure the following keys for the certificate and the client credentials grant:

    env:
  service:
    any:
      tag:
        any:
          ...
          ID_PROVIDER_NAME: <iss_property_in_idp>
          ID_PROVIDER_CERT: <path_and_filename_of_idp_certificate>
          AUTH_CLIENT_ID: <client_id_used_in_idp> (Default: operator)
          AUTH_CLIENT_SECRET: <client_secret_generated_by_idp>
          AUTH_TOKEN_ENDPOINT: <token_endpoint_url_of_idp>
          AUTH_ISSUER_URL: <idp_url>
          ...

  3. In the exported file <filename>.yml in the section for the operator-ui service, configure the following keys for the authorization code grant:

    env:
  service:
    ...
    operator-ui:
      tag:
        any:
        ...
          AUTH_CLIENT_ID: <client_id_used_in_idp> (Default: seal-print-client)
        ...

  4. Save the file <filename>.yml and re-import it to Consul.

    operator config import <filename>.yml --insecure

  5. When using an OIDC identity provider different to the default Keycloak installation from SEAL Systems, the following Windows environment variables have to be set for calling SEAL Operator CLI unless the respective default applies:

Literature - keys

For further information about the keys, refer to the description of the Keys.

Next Step

Continue with: Configure the Fileupload Connector

Back to top