Skip to content
Documentation

Opstella Keycloak Single Sign-On Post-Initialisation Settings

💡 Continue from Keycloak Client Creation.

Keycloak Clients General Customisation Overview

Section titled “Keycloak Clients General Customisation Overview”

The following is the list of Keycloak Clients that require certain configuration unique to the client.

Tool/InstrumentClient NameBackchannel logout session requiredBackchannel logout revoke offline sessionsFull scope allowedExclude Issuer From Authentication Response
ArgoCDargocd✅ Yes✅ Yes✅ Yes❌ No
DefectDojodefectdojo✅ Yes❌ No❌ No❌ No
SonarQubesonarqube✅ Yes❌ No✅ Yes❌ No
GitLabgitlab✅ Yes❌ No✅ Yes❌ No
Harborharbor✅ Yes✅ Yes✅ Yes❌ No
Grafanagrafana✅ Yes❌ No✅ Yes❌ No
Kubernetes APIkubernetes✅ Yes❌ No✅ Yes❌ No
Vaultvault✅ Yes✅ Yes✅ Yes❌ No
Opstellaopstella✅ Yes❌ No✅ Yes✅ Yes

Selecting a Client

Section titled “Selecting a Client”

  1. Go to Clients Panel > Click one of the client (Same name as Client Name) by Client ID column

    Client List

    Selected a Client

Backchannel logout (Logout Settings)

Section titled “Backchannel logout (Logout Settings)”

  1. Select a Client

  2. Go to Logout settings section > Make the switches on/off follow to the table: ✅ Yes: On / ❌ No: Off

    Client NameLogout session requiredRevoke offline sessions
    argocd✅ Yes✅ Yes
    defectdojo✅ Yes❌ No
    sonarqube✅ Yes❌ No
    gitlab✅ Yes❌ No
    harbor✅ Yes✅ Yes
    grafana✅ Yes❌ No
    kubernetes✅ Yes❌ No
    vault✅ Yes✅ Yes
    opstella✅ Yes❌ No

Full scope allowed

Section titled “Full scope allowed”

💡 By default, Full scope allowed settings is ✅ Yes: On. Adjust accordingly if necessary.

  1. Select a Client that require attention for Full scope allowed

  2. Go to Client scopes Tab > selection XYZ-dedicated; where XYZ is the name of client

  3. Go to Scopes Tab > Make the switches on/off follow to the table: ✅ Yes: On / ❌ No: Off

    Client NameFull scope allowed
    argocd✅ Yes
    defectdojo❌ No
    sonarqube✅ Yes
    gitlab✅ Yes
    harbor✅ Yes
    grafana✅ Yes
    kubernetes✅ Yes
    vault✅ Yes
    opstella✅ Yes

Exclude Issuer From Authentication Response

Section titled “Exclude Issuer From Authentication Response”

💡 By default, Exclude Issuer From Authentication Response settings is ❌ No: Off. Adjust accordingly if necessary.

  1. Select a Client that require attention for Full scope allowed

  2. Go to Advanced Tab > Go to OpenID Connect Compatibility Modes

  3. Make the switches on/off follow to the table: ✅ Yes: On / ❌ No: Off

    Client NameExclude Issuer From Authentication Response
    argocd❌ No
    defectdojo❌ No
    sonarqube❌ No
    gitlab❌ No
    harbor❌ No
    grafana❌ No
    kubernetes❌ No
    vault❌ No
    opstella✅ Yes

Keycloak Clients Mapper Configuration Overview

Section titled “Keycloak Clients Mapper Configuration Overview”

For Keycloak to provide application the permissions of a user correctly, this requires Mapper to be configured.

The following is the list of Keycloak Clients that each section will be its Mapper type.

  • ArgoCD
  • SonarQube
  • GitLab
  • Harbor
  • Grafana
  • Kubernetes API
  • Vault

Keycloak Clients Mapper Configuration

Section titled “Keycloak Clients Mapper Configuration”

Group Mapper

Section titled “Group Mapper”

Associate EACH client with Group Membership as groups Token Claim

  • Full group path: ❌ No
  • Add to ID Token: ✅ Yes
  • Add to Access Token: ✅ Yes
  • Add to userinfo: ✅ Yes

  1. Select a Client that require attention for Full scope allowed

  2. Go to Client scopes Tab > selection XYZ-dedicated; where XYZ is the name of client

  3. Click Add mapper > Click By configuration

  4. Choose Group Membership

  5. Configure as follow

    • Full group path: ❌ No
    • Add to ID Token: ✅ Yes
    • Add to Access Token: ✅ Yes
    • Add to userinfo: ✅ Yes

Finished?

Use the below navigation to proceed