## Introduction
Learn how to deploy and configure Keycloak as an Identity and Access Management (IAM) solution on Atlas Cloud. This guide walks you through installing Keycloak from the command line and then using the admin console to set up centralized user authentication and authorization.
## Prerequisites
Before you begin, ensure you have:
- An Atlas Cloud account with admin privileges
- A Virtual Machine instance (see [[Creating your first cloud service]])
- A public IP address assigned to your VM
- Basic knowledge of Linux command line
## Create a Virtual Machine for Keycloak
If you haven't already created a VM, follow our guide in [[Creating your first cloud service]]. It will cover the VM prerequisites.
**Keycloak Requirements**: When creating your VM, ensure:
- **Template**: Ubuntu 24.04 LTS
- **CPU**: 2 cores minimum
- **Memory**: 4 GiB minimum
- **Root Disk**: 20 GiB minimum
## Install Java and Keycloak
Connect to your VM via SSH and install the required components:
### 1. Update System Packages
```bash
sudo apt update && sudo apt upgrade -y
```
### 2. Install Java 21
Keycloak requires Java 17 or later:
```bash
sudo apt install openjdk-21-jdk -y
java -version
```
### 3. Download and Install Keycloak
This guide uses Keycloak 23.0.0; substitute the version you are deploying and, before extracting, compare the archive with the checksum published for that release on the [Keycloak downloads page](https://www.keycloak.org/downloads).
```bash
# Download Keycloak
wget https://github.com/keycloak/keycloak/releases/download/23.0.0/keycloak-23.0.0.tar.gz
# Extract the archive
tar -xzf keycloak-23.0.0.tar.gz
sudo mv keycloak-23.0.0 /opt/keycloak
sudo chown -R $USER:$USER /opt/keycloak
```
## Configure Keycloak
### 1. Install PostgreSQL (Recommended for Production)
Keycloak stores realms, users and the admin account in its database. Install and prepare PostgreSQL first, so that the admin account you create in step 3 lands in the production database rather than in the throw-away dev database that `start-dev` uses:
```bash
sudo apt install postgresql postgresql-contrib -y
sudo -u postgres psql
```
In the PostgreSQL shell (replace `keycloak_password` with a strong, generated password):
```sql
CREATE USER keycloak WITH PASSWORD 'keycloak_password';
CREATE DATABASE keycloak OWNER keycloak;
GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak;
\q
```
### 2. Configure Keycloak for Production
Create the configuration file:
```bash
nano /opt/keycloak/conf/keycloak.conf
```
Add the following. Note that there is no `production-mode` option: production mode is selected by starting the server with `kc.sh start` instead of `start-dev`, and in that mode Keycloak refuses to boot unless `hostname` is set and TLS is configured (or `http-enabled=true` is set because a TLS-terminating reverse proxy sits in front of it):
```properties
# Database configuration
db=postgres
db-url=jdbc:postgresql://localhost:5432/keycloak
db-username=keycloak
db-password=keycloak_password
# Network configuration
hostname=keycloak.your-domain.com
http-port=8080
https-port=8443
# TLS: the paths are placeholders, point them at your server certificate and private key (PEM)
https-certificate-file=/opt/keycloak/conf/server.crt.pem
https-certificate-key-file=/opt/keycloak/conf/server.key.pem
# Only if a reverse proxy terminates TLS in front of Keycloak; otherwise leave plain HTTP disabled
# http-enabled=true
# proxy=edge
```
The file contains the database password, so make it readable by its owner only:
```bash
chmod 600 /opt/keycloak/conf/keycloak.conf
```
### 3. Set Up the Initial Admin User
The Quarkus-based Keycloak distribution (version 17 and later, including the 23.0.0 used here) no longer ships `add-user-keycloak.sh`. The first admin account is created from the `KEYCLOAK_ADMIN` and `KEYCLOAK_ADMIN_PASSWORD` environment variables on the first start against an empty database (Keycloak 26 renamed them to `KC_BOOTSTRAP_ADMIN_USERNAME` and `KC_BOOTSTRAP_ADMIN_PASSWORD`):
```bash
cd /opt/keycloak
KEYCLOAK_ADMIN=admin KEYCLOAK_ADMIN_PASSWORD='YourSecurePassword123!' ./bin/kc.sh start
```
Wait for the log line reporting that Keycloak has started (the first run also builds an optimized server image, which takes a minute), then stop it with Ctrl-C. The account now lives in PostgreSQL and the variables are not needed again. A password typed on the command line ends up in your shell history, so clear it (`history -c`) or export the variables from a file with restrictive permissions instead.
## Start Keycloak Service
### 1. Create a Systemd Service
```bash
sudo nano /etc/systemd/system/keycloak.service
```
Add the following content:
```ini
[Unit]
Description=Keycloak Server
# Start after the local database so the first connection attempt does not fail
After=network.target postgresql.service
[Service]
Type=idle
User=keycloak
Group=keycloak
ExecStart=/opt/keycloak/bin/kc.sh start
Restart=on-failure
TimeoutStartSec=600
TimeoutStopSec=600
[Install]
WantedBy=multi-user.target
```
### 2. Create Keycloak User
Run the service under a dedicated system account with no login shell, and hand the installation (including the configuration file and TLS key you placed under `conf/`) over to it:
```bash
sudo useradd -r -s /usr/sbin/nologin -d /opt/keycloak keycloak
sudo chown -R keycloak:keycloak /opt/keycloak
```
### 3. Enable and Start the Service
```bash
sudo systemctl daemon-reload
sudo systemctl enable keycloak
sudo systemctl start keycloak
sudo systemctl status keycloak
```
## Configure Firewall
Allow SSH before enabling the firewall (otherwise you lock yourself out), then open the HTTPS port. Open 8080 only if a reverse proxy on another host terminates TLS and forwards to it; plain HTTP to Keycloak should never be reachable from the internet:
```bash
sudo ufw allow OpenSSH
sudo ufw allow 8443/tcp
sudo ufw enable
sudo ufw status
```
## Access Keycloak Admin Console
1. Open your web browser and navigate to `https://keycloak.your-domain.com:8443` (use the `hostname` you configured: Keycloak builds its links and redirects from it, so the VM's IP address does not work reliably in production mode)
2. Click "Administration Console"
3. Log in with the admin credentials you created earlier
4. You're now in the Keycloak admin console!
## Basic IAM Configuration
The steps below follow the admin console shipped with Keycloak 19 and later (including 23.0.0); the older console used different menu names.
### 1. Create a New Realm
Keep the `master` realm for administration only and put your applications and users in a realm of their own:
1. Open the realm dropdown in the top-left corner (it shows "master") and click "Create realm"
2. Enter a realm name (e.g., "my-app")
3. Click "Create"
### 2. Create Users
1. Navigate to "Users" in the left menu
2. Click "Add user" ("Create new user" on an empty realm)
3. Fill in user details:
- **Username**: john.doe
- **Email**: the user's email address
- **First Name**: John
- **Last Name**: Doe
4. Click "Create"
5. Go to the "Credentials" tab, click "Set password" and enter one; leave "Temporary" on if the user should be forced to change it at first login
### 3. Create Roles
1. Navigate to "Realm roles" in the left menu
2. Click "Create role"
3. Enter a role name (e.g., "admin", "user", "readonly")
4. Click "Save"
### 4. Assign Roles to Users
1. Go to "Users" and select a user
2. Click the "Role mapping" tab and then "Assign role"
3. Switch the filter to "Filter by realm roles", select the roles and click "Assign"
### 5. Create a Client Application
1. Navigate to "Clients" in the left menu
2. Click "Create client"
3. Configure the client settings:
- **Client type**: OpenID Connect
- **Client ID**: my-web-app
4. Click "Next" and set "Client authentication" to On for server-side applications (confidential client, the secret appears later on the "Credentials" tab) or Off for SPA/mobile apps (public client, which must use the Authorization Code flow with PKCE)
5. Click "Next" and set the login settings:
- **Root URL**: `http://localhost:3000`
- **Valid redirect URIs**: the exact callback URL(s) of your application; do not use `*` or a trailing wildcard on a host you do not control, as that lets an attacker redirect authorization codes to their own page
6. Click "Save"
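Once the realm, user, roles and client exist, the quickest way to confirm that role mappings actually end up in tokens is to request one and look at its `realm_access.roles` claim. The script below is an added example, not part of this guide or of Keycloak. It assumes the realm `my-app`, the client `my-web-app` with "Direct access grants" enabled in its capability config, the user `john.doe` with the password set above, and `curl` on the machine; with `CLIENT_SECRET` and `USER_PASSWORD` set it queries the server, and without them it exercises the decoding on a constructed, unsigned sample token so it can run offline.

```bash
#!/usr/bin/env bash
# Added example (not part of the guide or of Keycloak): obtain an access token from the realm
# and client created above and list the realm roles it carries.
# Assumptions: realm "my-app", client "my-web-app" with "Direct access grants" enabled,
# user john.doe with the password set in the console, curl installed.
# With CLIENT_SECRET and USER_PASSWORD set the server is queried; otherwise a constructed,
# unsigned sample token is used so the decoding logic can be exercised offline.
set -euo pipefail

KC_URL="${KC_URL:-https://keycloak.your-domain.com:8443}"
REALM="${REALM:-my-app}"
CLIENT_ID="${CLIENT_ID:-my-web-app}"

# base64url encode/decode: JWT segments use '-' and '_' and drop the '=' padding.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }
b64url_decode() {
  local s
  s="$(printf '%s' "$1" | tr '_-' '/+')"
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Print the payload (second segment) of a JWT. This only DECODES it; the signature is not
# checked, so never trust claims obtained this way inside an application. Your resource
# server must verify the signature against the realm's JWKS (.../protocol/openid-connect/certs).
jwt_payload() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# Extract the realm roles, one per line, from Keycloak's default claim layout
# "realm_access":{"roles":["a","b"]} without depending on jq.
jwt_realm_roles() {
  jwt_payload "$1" | sed -n 's/.*"realm_access":{"roles":\[\([^]]*\)\].*/\1/p' | tr -d '"' | tr ',' '\n'
}

# Resource Owner Password grant against the realm's token endpoint. Acceptable for a one-off
# smoke test; applications should use the Authorization Code flow (with PKCE for public clients).
get_token() {
  curl -fsS "$KC_URL/realms/$REALM/protocol/openid-connect/token" \
    -d grant_type=password -d "client_id=$CLIENT_ID" -d "client_secret=$CLIENT_SECRET" \
    -d username=john.doe -d "password=$USER_PASSWORD" \
    | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

# Constructed sample token (header.payload.signature) using the claim layout Keycloak emits.
SAMPLE_PAYLOAD='{"preferred_username":"john.doe","realm_access":{"roles":["user","readonly"]}}'
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256","typ":"JWT"}').$(b64url_encode "$SAMPLE_PAYLOAD").not-a-real-signature"

if [ -n "${CLIENT_SECRET:-}" ] && [ -n "${USER_PASSWORD:-}" ]; then
  TOKEN="$(get_token)"
else
  TOKEN="$SAMPLE_TOKEN"
fi
echo "realm roles in token:"
jwt_realm_roles "$TOKEN"
```

If a role you assigned is missing from the output, check the user's "Role mapping" tab first and then the client's "Client scopes" tab: the `roles` scope that adds `realm_access` to access tokens is attached to new clients by default, but it can be removed.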
## Next Steps
Your Keycloak IAM server is now ready! You can:
- Integrate your applications using OpenID Connect or SAML
- Configure social identity providers (Google, GitHub, etc.)
- Set up multi-factor authentication
- Configure user federation with LDAP or Active Directory
For more advanced configuration, refer to the [Keycloak documentation](https://www.keycloak.org/documentation).
Congratulations! You've successfully deployed Keycloak as your IAM solution on Atlas Cloud 🎉