Configuring Talend Administration Center SSO with Keycloak - 8.0

Version: 8.0
Language: English
Product: Talend Big Data, Talend Big Data Platform, Talend Cloud, Talend Data Fabric, Talend Data Integration, Talend Data Management Platform, Talend Data Services Platform, Talend ESB, Talend MDM Platform, Talend Real-Time Big Data Platform
Module: Talend Administration Center
Content: Administration and Monitoring > Managing authorizations
Last publication date: 2023-09-14

Creating a Talend Administration Center application on Keycloak

This article explains how to create a Talend Administration Center application on the Keycloak identity provider. It lets users authenticate once through a single sign-on (SSO) point on Keycloak rather than separately with individual applications on different platforms.

Before you begin

Make sure Keycloak is installed and configured properly:
  • a realm is created,
  • a user is created (with the Security Administrator role if the role mapping feature is not used),
  • the user session is open on the Keycloak web platform.

Procedure

  1. Select the Client menu and create a Client:
    • ID: tac
    • Protocol: saml
    Click Save.
  2. From the Settings tab, enable the Always Display in Console and Sign Assertions options:
  3. Set the parameters as follows:
    • change Name ID Format to email
    • enable the Always Display in Console and Sign Assertions options
    • set tac as the IDP Initiated SSO URL name. The realm URL is now displayed below.
    • extract /realms/myrealm/protocol/saml/clients/tac from that URL and paste it in the Base URL field
    • set the Assertion Consumer Service POST Binding URL to http://localhost:8080/org.talend.administrator/ssologin. Then click Save.

Results

If you log in to the Keycloak account console (http://<host>:<port>/auth/realms/myrealm/account/), Talend Administration Center now appears in the Applications list:

Configuring Talend Administration Center in IdP-initiated mode with Keycloak

This section describes the configuration steps in Talend Administration Center for SSO with Keycloak as Identity Provider.

Procedure

  1. On the Keycloak web platform, download the Keycloak IDP metadata file from the Realm Settings page:
  2. From Talend Administration Center, go to Configuration > SSO and set the parameters as follows:
    • click Launch upload to upload the metadata file
    • Service Provider Entity ID (the Keycloak "Client ID"): enter tac
    • IDP Authentication Plugin: select Keycloak. A message is displayed asking you to enable the Personal Access Token: follow step 5 of the procedure described in this link.
    • Use Role Mapping: select
      • either true: logging in to Talend Administration Center from the identity provider creates or updates users with Talend Administration Center roles taken from the attributes firstName, lastName, email, tac.projectType and tac.role (for more details, refer to the section Configuring Role Mapping)
      • or false: no attributes are obtained from the identity provider, but with the default Security Administrator user that was created earlier, you can assign Talend Administration Center roles to the other users created by the identity provider.
  3. Go to Applications page and click Talend Administration Center.

Configuring Role Mapping

This section describes the settings required to configure role mapping. The role mapping feature lets you map the application project types and the user roles to those defined in the Keycloak identity provider.

About this task

Procedure

  1. Make sure Use Role Mapping field in Configuration > SSO is set to true (see step 2 of Configuring Talend Administration Center in IdP-initiated mode with Keycloak).
  2. Open the Mapping Configuration and set the values for:
    • project types
    • roles mapping
  3. Go to the Keycloak admin console and create a new user with the default attributes firstName, lastName and email:
  4. Add the other attributes to the user manually: tacProjectType, tacRole:
  5. Add the attribute mappings to the Talend Administration Center client:
    • User Property
    • User Attribute
    • All
  6. Go to the Keycloak account console page http://<host>:<port>/auth/realms/myrealm/account/, log in with the newly created user and click the Talend Administration Center application.
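When the login in step 6 does not produce the expected roles, the fastest way to locate the misconfiguration is to look at the SAML Response Keycloak posts to the Assertion Consumer Service URL and compare it with the settings from the two procedures above (Sign Assertions, Name ID Format = email, SP Entity ID tac, the ACS POST Binding URL, and the five role-mapping attributes). The following script is an added example, not Talend or Keycloak code: it builds a constructed SAML Response of that shape (the user values, the Keycloak host and port, and the realm entity ID are assumptions) and reports every expectation it fails to meet. It only checks that the assertion carries a signature element; cryptographic verification requires an XML-DSig library and the IdP certificate from the downloaded realm metadata.

```python
"""Check a SAML Response posted to the Talend Administration Center ACS URL
against the Keycloak client settings described in the article.
Added example, not Talend or Keycloak code; the response below is constructed,
not captured, and the signature is only checked for presence."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Values taken from the article: SP Entity ID (Keycloak client ID) and ACS POST URL.
SP_ENTITY_ID = "tac"
ACS_URL = "http://localhost:8080/org.talend.administrator/ssologin"
# Assumed IdP entity ID: the Keycloak realm URL with a placeholder host and port.
IDP_ENTITY_ID = "http://keycloak.example:8180/auth/realms/myrealm"
# Attribute names the role-mapping feature expects (Use Role Mapping = true).
REQUIRED_ATTRS = {"firstName", "lastName", "email", "tac.projectType", "tac.role"}
# Constructed user values for the sample assertion.
DEFAULT_ATTRS = {
    "firstName": "Jane", "lastName": "Doe", "email": "jane.doe@example.com",
    "tac.projectType": "DI", "tac.role": "Operation Manager",
}


def sample_response(signed=True, name_id_format=EMAIL_FORMAT, attributes=None):
    """Build a constructed SAML Response like the one Keycloak POSTs to TAC."""
    attributes = DEFAULT_ATTRS if attributes is None else attributes
    signature = (f'<ds:Signature xmlns:ds="{NS["ds"]}">'
                 '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>'
                 if signed else "")
    attr_xml = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in attributes.items())
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    {signature}
    <saml:Subject>
      <saml:NameID Format="{name_id_format}">{attributes.get('email', '')}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_for_post(xml_text):
    """Encode the XML the way it travels in the SAMLResponse form field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_saml_response(form_value):
    """Decode the base64 SAMLResponse form field captured at the ACS URL."""
    return base64.b64decode(form_value).decode("utf-8")


def extract_user(xml_text):
    """Return (NameID, {attribute name: [values]}) from the Response's assertion."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return None, {}
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return (name_id.text if name_id is not None else None), attrs


def check_response(xml_text, sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL):
    """Return a list of problems; an empty list means the response matches the article's settings."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS POST Binding URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element in the Response"]
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed (enable Sign Assertions on the client)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not email (set Name ID Format to email)")
    conf = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if conf is None or conf.get("Recipient") != acs_url:
        problems.append("Recipient does not match the ACS POST Binding URL")
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append(f"Audience {audiences} does not include SP Entity ID {sp_entity_id!r}")
    missing = sorted(REQUIRED_ATTRS - extract_user(xml_text)[1].keys())
    if missing:
        problems.append("missing role-mapping attributes: " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    for label, resp in [("good", sample_response()), ("unsigned", sample_response(signed=False))]:
        print(label, check_response(decode_saml_response(encode_for_post(resp))) or "OK")
```

To run it against a real login, paste the SAMLResponse value from the browser's network capture of the POST to /org.talend.administrator/ssologin into decode_saml_response and pass the result to check_response; a non-empty list names the Keycloak client setting or user attribute that still has to be corrected.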

Results

Talend Administration Center page opens with the roles defined for the user.

Configuring Talend Administration Center in SP-initiated mode with Keycloak

Linking Talend Administration Center in SP-initiated mode with Keycloak

These steps are performed on Talend Administration Center Configuration > SSO tab.

About this task

Procedure

  1. Follow the steps in Configuring Talend Administration Center with Keycloak as Identity Provider.
  2. In the Service Provider Entity URL field, enter the Talend Administration Center SSO Service URL.
    To find this URL, go to your Keycloak realm account and click the Clients tab.