Keycloak integrations


Available in Classic and VPC

This section describes how to integrate Keycloak, an open source user account and permission management solution, with NAVER Cloud Platform. Users in your organization can log in to the NAVER Cloud Platform console with their existing Keycloak accounts and use services within the permissions granted to them.

The sequence of integrating NAVER Cloud Platform accounts and Keycloak accounts is as follows:

1. Copy Keycloak metadata.
2. Register external IdP information from NAVER Cloud Platform.
3. Configure Keycloak authentication.
4. Configure NAVER Cloud Platform authentication.
5. Verify integrations.

1. Copy Keycloak metadata

  1. Access Keycloak and then log in.
  2. Click the dropdown box at the top left of the interface and then click the [Add realm].
  3. Enter a name in Name and then click the [Create].
  4. Click the Realm settings menu on the left of the interface, then click the SAML 2.0 Identity Provider Metadata link in the [General] tab.
  5. Copy the SAML metadata.

2. Register external IdP information from NAVER Cloud Platform

To register Keycloak metadata on NAVER Cloud Platform:

  1. From the NAVER Cloud Platform console, navigate to i_menu > Services > Management & Governance > Ncloud Single Sign-On.
  2. In the Tenant menu, click [Register external IdP].
  3. In the Metadata item, paste the SAML metadata copied in Copy Keycloak metadata, then click the [Save].
    • The remaining fields are filled in automatically from the metadata.
  4. Click the [Register].
  5. In the External IdP login component of the Tenant menu, click the Service Provider Metadata.
  6. Click the [Download].

3. Configure Keycloak authentication

This section describes how to create a client to perform authentication in Keycloak, add users to be integrated with NAVER Cloud Platform, and define user property information necessary for authentication.

Create client

To create a client:

  1. Access Keycloak and click the Clients menu on the left of the interface.
  2. Click the [Create].
  3. Click the [Select file] in the Import item.
  4. Upload the metadata file downloaded in Register external IdP information from NAVER Cloud Platform.
    • Once the metadata file is uploaded, values are automatically entered in the Client ID information and Client Protocol fields.
  5. In Client SAML Endpoint, enter the Assertion Consumer Service (ACS) URL information copied from Copy SAML integration information.
  6. Click the [Save].
  7. Enter a name in Name and a brief description in Description, then click the [Save].

Copy SAML integration information

To integrate Ncloud Single Sign-On with an IdP, you need the Assertion Consumer Service (ACS) URL, which is the endpoint that receives the SAML response from the IdP, and the Issuer URL, which identifies the service provider to the IdP.

To confirm the ACS URL and Issuer URL of NAVER Cloud Platform:

  1. From the NAVER Cloud Platform console, navigate to i_menu > Services > Management & Governance > Ncloud Single Sign-On.
  2. Copy the following information from the External IDP Metadata component in the Tenant menu:
    • Assertion Consumer Service (ACS) URL
    • Issuer URL

Configure attribute mapper

To map Keycloak user profiles to Ncloud Single Sign-On user profiles, define the user property information that Keycloak forwards to NAVER Cloud Platform.

Note

This guide describes the user property information primarily used in authentication, namely FirstName, LastName, and Email.

To define user property information in Keycloak:

  1. Log in to Keycloak and click the Clients menu on the left of the interface.
  2. Click the [Edit] of the client where the user will be set up.
  3. Click the [Mappers] tab.  
  4. Click the [Create].
  5. Enter the user property information to be connected.
    • Name: Name of the property.
    • Mapper Type: Select User Property.
    • Property: Enter "Email".
    • Friendly Name: Name to display to the user if the property name is encrypted. Optional item.
    • SAML Attribute Name: Enter "Email".
    • SAML Attribute NameFormat: Select Unspecified.
  6. Click the [Save].
  7. Add the firstName and lastName properties in the same manner.

Note

"SAML Attribute Name" is the value to be entered in External IdP Parameter during the Attribute Mapper settings in user profile management of the Ncloud Single Sign-On service.

Add Keycloak users

  1. Click the User menu on the left side of the interface.
  2. Click the [Add user].
  3. Enter user name in Username and the email to be integrated in Email.
    • Keycloak does not require an email, but because Ncloud Single Sign-On uses the email as the NameID, you must enter one.
  4. Click the [Save].
    • You will be directed to the user list interface.
  5. Click the ID created in the user list.
  6. Set the user's password in the [Credentials] tab, then click the [Set password].
  7. When the Set password popup appears, click the [Set password].

4. Configure NAVER Cloud Platform authentication

This section describes how to register the Keycloak account to be integrated on the NAVER Cloud Platform console and then map user profiles.

Add SSO user

You need to create an SSO user in the Ncloud Single Sign-On service using the email information of the user created in the Add Keycloak users step.

To add an SSO user in Ncloud Single Sign-On on NAVER Cloud Platform:

  1. From the NAVER Cloud Platform console, navigate to i_menu > Services > Management & Governance > Ncloud Single Sign-On.
  2. Click External IdP login > Users > [Create user].
  3. For the login ID, enter the email address of the user created in Add Keycloak users, and then click [Create].

Note

For more information about how to create an SSO user in Ncloud Single Sign-On, see Users.

Configure attribute mapper

To link the user property information set in Keycloak to the user property information of Ncloud Single Sign-On service:

  1. From the NAVER Cloud Platform console, navigate to i_menu > Services > Management & Governance > Ncloud Single Sign-On.
  2. Click the Tenant menu.
  3. Click the [Attribute mapper] in the User profile management component.
  4. When the attribute mapper interface appears, enter in External IdP parameter the SAML Attribute Name values registered in Configure attribute mapper (Email, firstName, lastName).
  5. In sync mode, set the user profile update method.
    • None: Do not update user profile.
    • Import: Update user profiles only at first login.
    • Force: Update the user profile at every login.
  6. Click the [Save].
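The Keycloak mappers (Configure attribute mapper under step 3), the email-as-NameID requirement from Add Keycloak users, and the External IdP parameter and sync mode settings above all describe one thing: what the SAML assertion must carry for Ncloud Single Sign-On to match the login to the SSO user and fill in its profile. The script below, added here as an example rather than code from Keycloak or NAVER Cloud Platform, inspects a constructed assertion for exactly those requirements and then applies the three sync modes. The Ncloud-side profile field names (`email`, `first_name`, `last_name`) are assumptions for illustration.

```python
"""Check a SAML assertion from Keycloak against the mapper setup in this
guide: NameID must be the user's email, and the Email, firstName and lastName
attributes must be present with NameFormat 'Unspecified'. Then apply the
Ncloud SSO sync mode to decide what to store. Added example; the assertion
is constructed and the profile field names are assumptions.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# SAML Attribute Name (the External IdP parameter) -> profile field (assumed).
EXPECTED_ATTRIBUTES = {"Email": "email", "firstName": "first_name", "lastName": "last_name"}

# Constructed assertion; signature and conditions are omitted because this
# example only looks at the subject and the attribute statement.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://keycloak.example.test/realms/example-realm</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.test</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>jane.doe@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_profile(assertion_xml):
    """Return the NameID, its Format, and a {Name: (NameFormat, [values])} map."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = (attr.get("NameFormat"), values)
    return {
        "name_id": None if name_id is None else (name_id.text or "").strip(),
        "name_id_format": None if name_id is None else name_id.get("Format"),
        "attributes": attributes,
    }


def validate_profile(profile):
    """List everything that would stop the login from being matched to the
    SSO user whose login ID is the email, or leave its profile incomplete."""
    problems = []
    if not profile["name_id"]:
        problems.append("assertion has no NameID; Ncloud SSO uses the email as NameID")
    elif profile["name_id_format"] != EMAIL_NAMEID:
        problems.append(f"NameID format is {profile['name_id_format']}, expected emailAddress")
    for name in EXPECTED_ATTRIBUTES:
        entry = profile["attributes"].get(name)
        if entry is None:
            problems.append(f"attribute {name} missing: add a User Property mapper in Keycloak")
            continue
        fmt, values = entry
        if fmt != UNSPECIFIED:
            problems.append(f"attribute {name} has NameFormat {fmt}, expected Unspecified")
        if not values or not values[0]:
            problems.append(f"attribute {name} is present but empty")
    email_values = profile["attributes"].get("Email", (None, []))[1]
    if profile["name_id"] and email_values and email_values[0].lower() != profile["name_id"].lower():
        problems.append("Email attribute does not match NameID")
    return problems


def to_profile_fields(profile):
    """Translate SAML attribute names to the (assumed) Ncloud profile fields."""
    return {field: profile["attributes"][name][1][0]
            for name, field in EXPECTED_ATTRIBUTES.items()
            if name in profile["attributes"] and profile["attributes"][name][1]}


def apply_sync_mode(stored, incoming, mode, first_login):
    """Sync mode from the attribute mapper settings: None never updates the
    stored profile, Import updates it only at first login, Force every login."""
    mode = mode.lower()
    if mode == "force" or (mode == "import" and first_login):
        return {**stored, **incoming}
    if mode in ("none", "import"):
        return dict(stored)
    raise ValueError(f"unknown sync mode: {mode}")


if __name__ == "__main__":
    parsed = extract_profile(SAMPLE_ASSERTION)
    print(validate_profile(parsed) or "assertion matches the mapper configuration")
    print(apply_sync_mode({}, to_profile_fields(parsed), "Import", first_login=True))
```

If the profile check in Verify integrations shows stale or empty fields, running the decoded assertion from the browser's SAML response through `validate_profile` tells you whether the cause is a missing mapper, a wrong NameFormat, or a mismatched NameID, and `apply_sync_mode` shows why a profile edited in Keycloak after the first login is not picked up under Import.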

5. Verify integrations

To verify if the Keycloak account and NAVER Cloud Platform account are integrated:

  1. From the NAVER Cloud Platform console, navigate to i_menu > Services > Management & Governance > Ncloud Single Sign-On.
  2. Copy the Login URL from the Tenant menu, then access the URL.
  3. When the login window appears, enter the email and password, then click the [Sign In].
    • The SSO role switch interface appears.
  4. Click the [Console access] or [API access] on the SSO role switch interface.
    • Depending on the access type set for the logged-in SSO user, the [Console access] or [API Gateway access] button appears.
  5. Click Services > Management & Governance > Ncloud Single Sign-On > External IdP login > User.
  6. Click the [Profile] tab in the details of the logged-in SSO user, then check if the user profile has been updated.