Configuring Talend Administration Center SSO with Keycloack - 8.0

English (United States)
Talend Big Data
Talend Big Data Platform
Talend Cloud
Talend Data Fabric
Talend Data Integration
Talend Data Management Platform
Talend Data Services Platform
Talend ESB
Talend MDM Platform
Talend Real-Time Big Data Platform
Talend Administration Center
Administration and Monitoring > Managing authorizations

Creating a Talend Administration Center application on Keycloack

This article explains the process to create a Talend Administration Center application on Keycloack identity provider system. It enables users to authenticate with a single sign-on (SSO) point on Keycloack rather than with individual applications on different platforms.

Before you begin

Make sure Keycloack is installed and configured properly:
  • a realm is created,
  • a user is created (with the Security Administrator role if role mapping feature is not used),
  • the user session is open on Keycloack web platform.


  1. Select the Client menu and create a Client:
    • ID: tac
    • Protocol: saml
    Click Save.
  2. From the Settings tab, enable the Always Display in Console and Sign Assertions:
  3. Set parameters as follows:
    • change Name ID Format to email
    • enable the Always Display in Console and Sign Assertions
    • set tac to IDP Initiated SSO URL name. The realm URL is now displayed below.
    • extract/realms/myrealm/protocol/saml/clients/tac and paste it in Base URL field
    • set the Assertion Consumer Service POST Binding URL: http://localhost:8080/org.talend.administrator/ssologin. Then click Save.


If you log on Keycloack account console (http://<host>:<port>/auth/realms/myrealm/account/), you can now see Talend Administration Center in the Applications list:

Configuring Talend Administration Center

This section describes the configuration steps in Talend Administration Center for SSO with Keycloack.


  1. On Keycloack web platform, download the Keycloack IDP metadata file from Realm Settings page:
  2. From Talend Administration Center, go to Configuration > SSO and set parameters as follows:
    • Click Launch upload to upload the metadata file
    • Service Provider Entity ID (Keycloak "Client ID"): enter tac
    • IDP Authentication Plugin: select Keycloack. A message displays to enable the Personal Access Token: please follow step 5 of the procedure described in this link.
    • Use Role Mapping: select
      • either true: login to TAC from the identity provider will create/update users with Talend Administration Center roles, attributes name: firstName, lastName, email, tac.projectType, tac.role (for more details, refer to section Configuring Role Mapping )
      • or false: no attributes are obtained from the identity provider, but with the default Security Administrator user that was created earlier, you can assign Talend Administration Center roles to other users created by the identity provider.
  3. Go to Applications page and click Talend Administration Center.

Configuring Role Mapping

This section describes the settings necessary to configure role mapping. The role mapping feature enables to map the application project types and the user roles with those defined in Keycloack identity provider system.

About this task


  1. Make sure Use Role Mapping field in Configuration > SSO is set to true (see step 2 of Configuring Talend Administration Center).
  2. Open the Mapping Configuration and set the values for:
    • project types
    • roles mapping
  3. Go to Keycloack admin console, create a new user with the default attributes: firstName, lastName and email:
  4. Add other attributes on the user manually: tacProjectType, tacRole:
  5. Add the attributes mapping to Talend Administration Center Client:
    • User Property
    • User Attribute
    • All
  6. Go to Keycloack account console page http://<host>:<port>/auth/realms/myrealm/account/, log in with the newly created user and click the application Talend Administration Center.


Talend Administration Center page opens with the roles defined for the user.