
Opstella Keycloak Single Sign-On Initialisation

For the Single Sign-On function of Opstella, certain configuration on Opstella Keycloak must be done beforehand.

This requires you to initialise credentials (Client ID, Client Secret) based on the OpenID Connect protocol.

💡 You need to use Keycloak to create the credentials and then set up and connect each of the third-party tools/instruments (DevSecOps tools, observability tools), either during installation or after it.

This also includes various other configurations required for Single Sign-On to function properly. (This manual will guide you through them.)

The following is the list of Keycloak Clients to initialise with credentials based on the OpenID Connect protocol (Client ID, Client Secret), with certain customisations that are unique to each Keycloak Client.

| Tool/Instrument | Client Name | Require Client Authentication | Valid redirect URIs | Valid Post logout redirect URIs | Web origins/Home URL |
|---|---|---|---|---|---|
| ArgoCD | argocd | ✅ Yes | * | * | * / Leave Empty |
| DefectDojo | defectdojo | ✅ Yes | https://defectdojo.${BASE_DOMAIN}/* | https://defectdojo.${BASE_DOMAIN}/* | https://defectdojo.${BASE_DOMAIN} |
| SonarQube | sonarqube | ✅ Yes | https://sonarqube.${BASE_DOMAIN}/* | https://sonarqube.${BASE_DOMAIN}/* | https://sonarqube.${BASE_DOMAIN} |
| GitLab | gitlab | ✅ Yes | https://gitlab.${BASE_DOMAIN}/* | https://gitlab.${BASE_DOMAIN}/* | https://gitlab.${BASE_DOMAIN} |
| Harbor | harbor | ✅ Yes | https://harbor.${BASE_DOMAIN}/* | https://harbor.${BASE_DOMAIN}/* | https://harbor.${BASE_DOMAIN} |
| Grafana | grafana | ✅ Yes | https://grafana.${BASE_DOMAIN}/* | https://grafana.${BASE_DOMAIN}/* | https://grafana.${BASE_DOMAIN} |
| Kubernetes API | kubernetes | ✅ Yes | * | * | * / Leave Empty |
| Vault | vault | ✅ Yes | https://vault.${BASE_DOMAIN}/* | https://vault.${BASE_DOMAIN}/* | https://vault.${BASE_DOMAIN} |
| Opstella | opstella | ❌ No | https://opstella.${BASE_DOMAIN}/* | https://opstella.${BASE_DOMAIN}/* | https://opstella.${BASE_DOMAIN} |

Finally, your Clients in the Client List of Keycloak should look like this.

For example, with DefectDojo:

  1. Sign in to Keycloak with the local admin account (admin).

  2. Be sure to do it in your dedicated Keycloak Realm (foobar-opstella in the picture).

  3. Go to the Clients panel > Click Create client.

  4. In the General settings section, input the Client Name according to the table in the Overview section.

    <Client Name> in the picture is a placeholder for the value from the table column Client Name.

    Replace it with the correct value from the same column in the table.

    For example:

    • Tool/Instrument: DefectDojo
    • Client Name: defectdojo

    (Picture: the Client Name field showing the actual value)

    Click Next

  5. Check whether the client requires Require Client Authentication and configure the Capability config section as follows.

    (Picture: Require Client Authentication is ✅ Yes)

    (Picture: Require Client Authentication is ❌ No)

    Click Next

  6. Input the appropriate URLs for Valid redirect URIs, Valid Post logout redirect URIs and Web origins/Home URL.

    (Picture: Standard Configuration)

    (Picture: * / Leave Empty)

    Configure as shown in the picture.

    Click Save
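To create the same clients as in the table without clicking through the console, and to check a client exported from Keycloak for drift from that table, here is an added Python example (not from the Opstella manual) that targets the Keycloak admin REST API; the Keycloak URL, realm, token and the mapping of the "Web origins/Home URL" column onto webOrigins and baseUrl are assumptions.

```python
"""Build and audit Keycloak OpenID Connect clients for the Opstella SSO table.
Added example, not part of the Opstella manual. Assumption: the table column
'Web origins/Home URL' maps to webOrigins and baseUrl of the ClientRepresentation."""
import json
import urllib.request

# Constructed from the table: client name -> (Require Client Authentication, URL style)
CLIENT_TABLE = {
    "argocd": (True, "wildcard"), "defectdojo": (True, "standard"),
    "sonarqube": (True, "standard"), "gitlab": (True, "standard"),
    "harbor": (True, "standard"), "grafana": (True, "standard"),
    "kubernetes": (True, "wildcard"), "vault": (True, "standard"),
    "opstella": (False, "standard"),
}

def client_representation(name: str, base_domain: str) -> dict:
    """Return the Keycloak ClientRepresentation for one row of the table."""
    require_auth, style = CLIENT_TABLE[name]
    # "Require Client Authentication: Yes" is a confidential client, i.e. publicClient=false
    rep = {"clientId": name, "protocol": "openid-connect", "publicClient": not require_auth}
    if style == "wildcard":  # ArgoCD / Kubernetes API rows: "*" everywhere, Home URL left empty
        rep.update(redirectUris=["*"], webOrigins=["*"],
                   attributes={"post.logout.redirect.uris": "*"})
    else:  # https://<client name>.${BASE_DOMAIN} rows
        origin = f"https://{name}.{base_domain}"
        rep.update(redirectUris=[f"{origin}/*"], webOrigins=[origin], baseUrl=origin,
                   attributes={"post.logout.redirect.uris": f"{origin}/*"})
    return rep

def audit_client(existing: dict, base_domain: str) -> list:
    """Compare a client exported from Keycloak with its expected row.
    Returns human-readable findings; an empty list means no drift."""
    expected = client_representation(existing["clientId"], base_domain)
    expected["post.logout.redirect.uris"] = expected["attributes"]["post.logout.redirect.uris"]
    actual = {"publicClient": existing.get("publicClient"),
              "redirectUris": existing.get("redirectUris"),
              "webOrigins": existing.get("webOrigins"),
              "post.logout.redirect.uris": existing.get("attributes", {}).get("post.logout.redirect.uris")}
    return [f"{existing['clientId']}: {k} is {v!r}, expected {expected[k]!r}"
            for k, v in actual.items() if v != expected[k]]

def create_client(keycloak_url: str, realm: str, token: str, rep: dict) -> int:
    """POST one representation to the admin REST API; HTTP 201 means created."""
    req = urllib.request.Request(f"{keycloak_url}/admin/realms/{realm}/clients",
                                 data=json.dumps(rep).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

Export an existing client from the admin console (or GET it from the same REST path) and pass it to audit_client to confirm the console configuration matches the table before connecting the tool.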
