Configuring Talend Administration Center SSO with Keycloak - 8.0

Talend Big Data
Talend Big Data Platform
Talend Cloud
Talend Data Fabric
Talend Data Integration
Talend Data Management Platform
Talend Data Services Platform
Talend ESB
Talend MDM Platform
Talend Real-Time Big Data Platform
Talend Administration Center
Administration and Monitoring > Managing authorizations
Last publication date

Creating a Talend Administration Center application on Keycloak

This article explains the process to create a Talend Administration Center application on Keycloak identity provider system. It enables users to authenticate with a single sign-on (SSO) point on Keycloak rather than with individual applications on different platforms.

Before you begin

Make sure Keycloak is installed and configured properly:
  • a realm is created,
  • a user is created (with the Security Administrator role if role mapping feature is not used),
  • the user session is open on Keycloak web platform.


  1. Select the Client menu and create a Client:
    • ID: tac
    • Protocol: saml
    Click Save.
  2. From the Settings tab, enable the Always Display in Console and Sign Assertions:
  3. Set parameters as follows:
    • change Name ID Format to email
    • enable the Always Display in Console and Sign Assertions
    • set tac to IDP Initiated SSO URL name. The realm URL is now displayed below.
    • extract/realms/myrealm/protocol/saml/clients/tac and paste it in Base URL field
    • set the Assertion Consumer Service POST Binding URL: http://localhost:8080/org.talend.administrator/ssologin. Then click Save.


If you log on Keycloak account console (http://<host>:<port>/auth/realms/myrealm/account/), you can now see Talend Administration Center in the Applications list:

Configuring Talend Administration Center in IdP-initiated mode with Keycloak

This section describes the configuration steps in Talend Administration Center for SSO with Keycloak as Identity Provider.


  1. On Keycloak web platform, download the Keycloack IDP metadata file from Realm Settings page:
  2. From Talend Administration Center, go to Configuration > SSO and set parameters as follows:
    • Click Launch upload to upload the metadata file
    • Service Provider Entity ID (Keycloak "Client ID"): enter tac
    • IDP Authentication Plugin: select Keycloak. A message displays to enable the Personal Access Token: please follow step 5 of the procedure described in this link.
    • Use Role Mapping: select
      • either true: login to TAC from the identity provider will create/update users with Talend Administration Center roles, attributes name: firstName, lastName, email, tac.projectType, tac.role (for more details, refer to section Configuring Role Mapping )
      • or false: no attributes are obtained from the identity provider, but with the default Security Administrator user that was created earlier, you can assign Talend Administration Center roles to other users created by the identity provider.
  3. Go to Applications page and click Talend Administration Center.

Configuring Role Mapping

This section describes the settings necessary to configure role mapping. The role mapping feature enables to map the application project types and the user roles with those defined in Keycloak identity provider system.

About this task


  1. Make sure Use Role Mapping field in Configuration > SSO is set to true (see step 2 of Configuring Talend Administration Center in IdP-initiated mode with Keycloak).
  2. Open the Mapping Configuration and set the values for:
    • project types
    • roles mapping
  3. Go to Keycloak admin console, create a new user with the default attributes: firstName, lastName and email:
  4. Add other attributes on the user manually: tacProjectType, tacRole:
  5. Add the attributes mapping to Talend Administration Center Client:
    • User Property
    • User Attribute
    • All
  6. Go to Keycloak account console page http://<host>:<port>/auth/realms/myrealm/account/, log in with the newly created user and click the Talend Administration Center application.


Talend Administration Center page opens with the roles defined for the user.

Configuring Talend Administration Center in SP-initiated mode with Keycloak

Linking Talend Administration Center in SP-initiated mode with Keycloak

These steps are performed on Talend Administration Center Configuration > SSO tab.

About this task


  1. Follow Configuring Talend Administration Center with Keycloak as Identity Provider steps.
  2. In the Service Provider Entity URL field, enter the Talend Administration Center SSO Service URL.
    To find this URL, go to your Keycloak realm account and click Clients tab.