
Configuring Predefined Clients


Configuring the Redirection URL in the Identity Provider

In the identity provider, configure the URLs for redirecting.

  1. In your Web browser, open the Keycloak user interface: https://localhost:32769

  2. Open the Administration Console.

  3. Log on with the pre-configured admin user and SealAdmin1 password.

  4. In the upper left corner, select the "SEAL" realm, if necessary.

  5. In the Manage menu on the left, select Clients to open the client list.

    Client list

  6. In the Client ID column, select the client you wish to configure.

    For a list of currently available clients, see SEAL Clients.

  7. In the Settings tab, go to section Access settings.

    Access settings

  8. In Valid Redirect URIs, replace localhost with the server name on which the selected client is installed.

    where:

    • Valid Redirect URIs:

      URLs to which the user is redirected after a successful logon.

    Example

    1. PLOSSYS Administrator redirects to Keycloak to do the authentication.

    2. Authentication in Keycloak

    3. Keycloak redirects back to PLOSSYS Administrator.

    Caution - lower case

    The server name in Valid Redirect URIs has to be specified in lower case.

  9. In Web Origins, enter the same server name as used in Valid Redirect URIs.

    where:

    • Web Origins:

      URLs for which Cross-Origin Resource Sharing (CORS) is allowed.

  10. Save the settings.

  11. Repeat steps 4-9 for any other client you wish to configure.

    For a list of currently available clients, see SEAL Clients.


Background Knowledge

JSON Web Token

The clients receive the user's identity encoded in a secure JSON Web Token (JWT), named ID token. It is issued by the identity server, here Keycloak, and obtained via standard OAuth 2.0 Code Flow supporting Web applications.

For example, a JWT contains:

{
  "name": "hugo",
  "preferred_username": "Hugo",
  "given_name": "Hugo",
  "family_name": "",
  "email": "hugo@sealsystems.de",
  "iat": 1546860576,
  "exp": 1572780576,
  "iss": "https://<server_name>:32769/realms/seal-operator",
  "sub": "hugos-id"
}

Relationship Between the Settings

The issuer property (iss) in the ID token is a unique name created by the identity provider. Its value is an arbitrary string, which is different for each identity provider and has to be determined individually.

If you use Keycloak as identity provider, the value contains the URL by which the service can be accessed through the network. Therefore, the value in the example above changes if the service is accessed from a different device than localhost.

Caution - identical configurations

For security reasons, the ID_PROVIDER_NAME configuration in the above example has to be identical to the iss entry in the ID token and has to be configured appropriately.

The AUTH_ISSUER_URL contains a URL pointing to the address by which the identity server can be accessed through the network.

If you use Keycloak as identity provider, the value in AUTH_ISSUER_URL is identical to the one in ID_PROVIDER_NAME.
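
The exact-match requirement between the iss entry and ID_PROVIDER_NAME can be checked with a small diagnostic. The following Python is an added example, not code from SEAL Systems or Keycloak: the host name print01.example.com and the sample token are constructed, and the function names are hypothetical. It decodes the token payload only to compare strings and does not verify the signature, which remains the job of the service's own JWT validation.

```python
import base64
import json
from urllib.parse import urlsplit


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token (the signature is a dummy)."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()),
                     _b64url(b"dummy-signature")])


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT. Diagnostic only: no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def issuer_mismatch(token: str, id_provider_name: str):
    """Return None when iss equals ID_PROVIDER_NAME exactly, else the reason."""
    iss = jwt_claims(token).get("iss")
    if not isinstance(iss, str):
        return "token has no iss claim"
    if iss == id_provider_name:
        return None
    tok, cfg = urlsplit(iss), urlsplit(id_provider_name)
    if (tok.hostname, tok.port) != (cfg.hostname, cfg.port):
        return f"host differs: token {tok.netloc!r}, config {cfg.netloc!r}"
    if iss.rstrip("/") == id_provider_name.rstrip("/"):
        return "trailing slash differs"
    if iss.lower() == id_provider_name.lower():
        return "case differs"
    return f"scheme or path differs: token {iss!r}, config {id_provider_name!r}"


if __name__ == "__main__":
    ISSUER = "https://print01.example.com:32769/realms/seal-operator"  # constructed
    token = make_sample_token({"iss": ISSUER, "sub": "hugos-id"})
    for configured in (ISSUER, ISSUER.replace("print01.example.com", "localhost")):
        print(configured, "->", issuer_mismatch(token, configured) or "match")
```

A token issued while Keycloak was reached under the server name no longer matches a configuration that still says localhost, which is the mismatch the caution above describes.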

