Configuring an External Keycloak


SEAL Systems products use Keycloak as the standard identity provider. Keycloak contains various client configurations for PLOSSYS Output Engine and SEAL Operator.

If you prefer to use an external Keycloak, you have to configure it to work with SEAL Systems products.


Preparation

  1. Install Keycloak.

  2. Get a private key/certificate pair from your system administration.


Adding the SEAL Realm

  1. In your Web browser, open the Keycloak Administration Console.

  2. Log on with your user name and password.

  3. Open the Manage realms menu on the left.

  4. Open the Create realm dialog.

  5. In the Create realm dialog, enter SEAL as realm name and confirm with Create.


Adding a Key/Certificate Pair

  1. In the list, select the SEAL realm.

  2. In the Realm settings menu on the left, select the Keys tab and then the Add providers tab.

  3. Open the Add provider dialog and select rsa as keystore type.

  4. In the new dialog, add the new key/certificate pair by entering the required data:

    • add the name of the provider

    • select a priority higher than 100

    • upload both the key file and the certificate file

  5. Save the settings.


Adding SEAL Clients

The following detailed instructions use easyPRIMA as example.

Add other clients in the same way. You will find tables with the necessary settings subsequent to the detailed description.

Finally, your client list is supposed to look like this:

(Screenshot: client list)


easyPRIMA Client

  1. Select the Clients menu on the left and click Create client.

  2. In the dialog, enter the General settings.

    General Settings
    Client Type: OpenID Connect
    Client ID: seal-easyprima
    Name: easyPRIMA
    Description: easyPRIMA client for PLOSSYS Output Engine
    Always display in UI: OFF

  3. Click Next.

  4. In the dialog, enter the Capability config settings.

    Capability config
    Client authentication: ON
    Authorization: OFF
    Authentication flow: ✔ Standard flow, ✔ Direct access grants

  5. Click Next.

  6. In the dialog, enter the Access settings.

    Access Settings
    Root URL: ---
    Home URL: ---
    Valid redirect URIs: https://localhost:9126/*, https://localhost:9125/*
    Valid post logout redirect URIs: ---
    Web Origins: ---

  7. Click Save.

  8. In the dialog, check the settings, and enter the Login settings in the corresponding section of the list.

    Login Settings
    Login Theme: ---
    Consent Required: OFF
    Display client on screen: OFF
    Consent screen text: ---

  9. Enter the Logout settings at the bottom of the list.

    Logout Settings
    Front channel logout: OFF
    Backchannel logout URL: ---
    Backchannel logout session required: ON
    Backchannel logout revoke offline sessions: OFF

  10. Save the settings.


PLOSSYS Administrator Client

  1. Select the Clients menu on the left and click Create client.

  2. In the dialog, enter the General settings.

    General Settings
    Client Type: OpenID Connect
    Client ID: seal-plossysadmin
    Name: PLOSSYS Administrator
    Description: Angular UI client for PLOSSYS Output Engine
    Always display in UI: OFF

  3. Click Next.

  4. In the dialog, enter the Capability config settings.

    Capability config
    Client authentication: ON
    Authorization: OFF
    Authentication flow: ✔ Standard flow

  5. Click Next.

  6. In the dialog, enter the Access settings.

    Access Settings
    Root URL: ---
    Home URL: ---
    Valid redirect URIs: https://localhost:9000/*, http://localhost:4200/*, https://localhost:4200/*
    Valid post logout redirect URIs: ---
    Web Origins: https://localhost:4200/*, https://localhost:9000/*, http://localhost:4200/*

  7. Click Save.

  8. In the dialog, check the settings, and enter the Login settings in the corresponding section of the list.

    Login Settings
    Login Theme: ---
    Consent Required: OFF
    Display client on screen: OFF
    Consent screen text: ---

  9. Enter the Logout settings at the bottom of the list.

    Logout Settings
    Front channel logout: OFF
    Backchannel logout URL: ---
    Backchannel logout session required: ON
    Backchannel logout revoke offline sessions: OFF

  10. Save the settings.


PLOSSYS CLI Client

  1. Select the Clients menu on the left and click Create client.

  2. In the dialog, enter the General settings.

    General Settings
    Client Type: OpenID Connect
    Client ID: seal-plossyscli
    Name: PLOSSYS CLI
    Description: User command line interface for PLOSSYS Output Engine
    Always display in UI: OFF

  3. Click Next.

  4. In the dialog, enter the Capability config settings.

    Capability config
    Client authentication: ON
    Authorization: OFF
    Authentication flow: ✔ Standard flow, ✔ Direct access grants

  5. Click Next.

  6. In the dialog, enter the Access settings.

    Access Settings
    Root URL: ---
    Home URL: ---
    Valid redirect URIs: https://localhost:1234/*
    Valid post logout redirect URIs: ---
    Web Origins: ---

  7. Click Save.

  8. In the dialog, check the settings, and enter the Login settings in the corresponding section of the list.

    Login Settings
    Login Theme: ---
    Consent Required: OFF
    Display client on screen: OFF
    Consent screen text: ---

  9. Enter the Logout settings at the bottom of the list.

    Logout Settings
    Front channel logout: OFF
    Backchannel logout URL: ---
    Backchannel logout session required: ON
    Backchannel logout revoke offline sessions: OFF

  10. Save the settings.


PLOSSYS DocPrint Client

  1. Select the Clients menu on the left and click Create client.

  2. In the dialog, enter the General settings.

    General Settings
    Client Type: OpenID Connect
    Client ID: seal-mobile-print
    Name: PLOSSYS DocPrint
    Description: Client for PLOSSYS DocPrint
    Always display in UI: OFF

  3. Click Next.

  4. In the dialog, enter the Capability config settings.

    Capability config
    Client authentication: ON
    Authorization: OFF
    Authentication flow: ✔ Standard flow, ✔ Direct access grants

  5. Click Next.

  6. In the dialog, enter the Access settings.

    Access Settings
    Root URL: ---
    Home URL: ---
    Valid redirect URIs: https://localhost:8090/*
    Valid post logout redirect URIs: ---
    Web Origins: ---

  7. Click Save.

  8. In the dialog, check the settings, and enter the Login settings in the corresponding section of the list.

    Login Settings
    Login Theme: ---
    Consent Required: OFF
    Display client on screen: OFF
    Consent screen text: ---

  9. Enter the Logout settings at the bottom of the list.

    Logout Settings
    Front channel logout: OFF
    Backchannel logout URL: ---
    Backchannel logout session required: ON
    Backchannel logout revoke offline sessions: OFF

  10. Save the settings.


PLOSSYS Infoclient Client

  1. Select the Clients menu on the left and click Create client.

  2. In the dialog, enter the General settings.

    General Settings
    Client Type: OpenID Connect
    Client ID: seal-infoclient
    Name: PLOSSYS Infoclient
    Description: PLOSSYS Infoclient for {{ PLOSSYS_4 }} and PLOSSYS Output Engine
    Always display in UI: OFF

  3. Click Next.

  4. In the dialog, enter the Capability config settings.

    Capability config
    Client authentication: ON
    Authorization: OFF
    Authentication flow: ✔ Service accounts roles

  5. Click Next.

  6. In the dialog, enter the Access settings.

    Access Settings
    Root URL: ---
    Home URL: ---
    Admin URL: ---

  7. Click Save.

  8. In the dialog, check the settings, and enter the Login settings in the corresponding section of the list.

    Login Settings
    Login Theme: ---
    Consent Required: OFF
    Display client on screen: OFF
    Consent screen text: ---

  9. Enter the Logout settings at the bottom of the list.

    Logout Settings
    Front channel logout: OFF
    Backchannel logout URL: ---
    Backchannel logout session required: ON
    Backchannel logout revoke offline sessions: OFF

  10. Save the settings.


SEAL OP-CLI Client

  1. Select the Clients menu on the left and click Create client.

  2. In the dialog, enter the General settings.

    General Settings
    Client Type: OpenID Connect
    Client ID: seal-opcli
    Name: SEAL OP-CLI
    Description: User command line interface for SEAL Operator
    Always display in UI: OFF

  3. Click Next.

  4. In the dialog, enter the Capability config settings.

    Capability config
    Client authentication: ON
    Authorization: OFF
    Authentication flow: ✔ Standard flow, ✔ Direct access grants

  5. Click Next.

  6. In the dialog, enter the Access settings.

    Access Settings
    Root URL: ---
    Home URL: ---
    Valid redirect URIs: https://localhost:1234/*
    Valid post logout redirect URIs: ---
    Web Origins: ---

  7. Click Save.

  8. In the dialog, check the settings, and enter the Login settings in the corresponding section of the list.

    Login Settings
    Login Theme: ---
    Consent Required: OFF
    Display client on screen: OFF
    Consent screen text: ---

  9. Enter the Logout settings at the bottom of the list.

    Logout Settings
    Front channel logout: OFF
    Backchannel logout URL: ---
    Backchannel logout session required: ON
    Backchannel logout revoke offline sessions: OFF

  10. Save the settings.


SEAL Operator Client

  1. Select the Clients menu on the left and click Create client.

  2. In the dialog, enter the General settings.

    General Settings
    Client Type: OpenID Connect
    Client ID: seal-print-client
    Name: SEAL Operator
    Description: Angular UI client for SEAL Operator
    Always display in UI: OFF

  3. Click Next.

  4. In the dialog, enter the Capability config settings.

    Capability config
    Client authentication: ON
    Authorization: OFF
    Authentication flow: ✔ Standard flow, ✔ Direct access grants

  5. Click Next.

  6. In the dialog, enter the Access settings.

    Access Settings
    Root URL: ---
    Home URL: ---
    Valid redirect URIs: https://localhost:3000/*
    Valid post logout redirect URIs: ---
    Web Origins: https://localhost:3000

  7. Click Save.

  8. In the dialog, check the settings, and enter the Login settings in the corresponding section of the list.

    Login Settings
    Login Theme: ---
    Consent Required: OFF
    Display client on screen: OFF
    Consent screen text: ---

  9. Enter the Logout settings at the bottom of the list.

    Logout Settings
    Front channel logout: OFF
    Backchannel logout URL: ---
    Backchannel logout session required: ON
    Backchannel logout revoke offline sessions: OFF

  10. Save the settings.


Web Portal Client

  1. Select the Clients menu on the left and click Create client.

  2. In the dialog, enter the General settings.

    General Settings
    Client Type: OpenID Connect
    Client ID: seal-webportal
    Name: Web Portal
    Description: Web Portal client for internal communication
    Always display in UI: OFF

  3. Click Next.

  4. In the dialog, enter the Capability config settings.

    Capability config
    Client authentication: ON
    Authorization: OFF
    Authentication flow: ✔ Service accounts roles

  5. Click Next.

  6. In the dialog, enter the Access settings.

    Access Settings
    Root URL: ---
    Home URL: ---
    Admin URL: ---

  7. Click Save.

  8. In the dialog, check the settings, and enter the Login settings in the corresponding section of the list.

    Login Settings
    Login Theme: ---
    Consent Required: OFF
    Display client on screen: OFF
    Consent screen text: ---

  9. Enter the Logout settings at the bottom of the list.

    Logout Settings
    Front channel logout: OFF
    Backchannel logout URL: ---
    Backchannel logout session required: ON
    Backchannel logout revoke offline sessions: OFF
  10. Save the settings.
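
Once all clients exist, the settings listed above can be checked against a realm export. The following Python check is an added example, not part of the SEAL Systems documentation: it assumes the export is Keycloak's realm JSON with a top-level clients array and that the flow checkboxes correspond to the ClientRepresentation fields named in FLOW_FIELDS. It flags missing clients, public clients, flow sets that differ from the tables, and redirect URIs or web origins beyond the documented ones.

```python
# From this page's client tables: client ID -> (flows, redirect URIs, web origins).
SD = {"standard", "direct"}
EXPECTED = {
    "seal-easyprima": (SD, {"https://localhost:9126/*", "https://localhost:9125/*"}, set()),
    "seal-plossysadmin": ({"standard"},
        {"https://localhost:9000/*", "http://localhost:4200/*", "https://localhost:4200/*"},
        {"https://localhost:4200/*", "https://localhost:9000/*", "http://localhost:4200/*"}),
    "seal-plossyscli": (SD, {"https://localhost:1234/*"}, set()),
    "seal-mobile-print": (SD, {"https://localhost:8090/*"}, set()),
    "seal-infoclient": ({"service"}, set(), set()),
    "seal-opcli": (SD, {"https://localhost:1234/*"}, set()),
    "seal-print-client": (SD, {"https://localhost:3000/*"}, {"https://localhost:3000"}),
    "seal-webportal": ({"service"}, set(), set()),
}
# ClientRepresentation field assumed to sit behind each flow checkbox.
FLOW_FIELDS = {"standard": "standardFlowEnabled", "direct": "directAccessGrantsEnabled",
               "service": "serviceAccountsEnabled", "implicit": "implicitFlowEnabled"}

def audit_realm(export):
    """Return one finding per deviation from the documented client settings."""
    findings = []
    clients = {c["clientId"]: c for c in export.get("clients", [])}
    for cid, (flows, redirects, origins) in EXPECTED.items():
        c = clients.get(cid)
        if c is None:
            findings.append(f"{cid}: client missing from realm")
            continue
        if c.get("publicClient"):  # the page sets Client authentication ON everywhere
            findings.append(f"{cid}: public client, Client authentication is OFF")
        enabled = {name for name, field in FLOW_FIELDS.items() if c.get(field)}
        if enabled != flows:
            findings.append(f"{cid}: flows {sorted(enabled)}, documented {sorted(flows)}")
        for field, want in (("redirectUris", redirects), ("webOrigins", origins)):
            extra = set(c.get(field) or []) - want
            if extra:  # entries beyond the documented list widen where tokens may go
                findings.append(f"{cid}: undocumented {field} {sorted(extra)}")
    return findings

def documented_client(cid):  # constructed test data: a client matching the page
    flows, redirects, origins = EXPECTED[cid]
    rep = {"clientId": cid, "publicClient": False,
           "redirectUris": sorted(redirects), "webOrigins": sorted(origins)}
    rep.update({field: name in flows for name, field in FLOW_FIELDS.items()})
    return rep

if __name__ == "__main__":
    realm = {"realm": "SEAL", "clients": [documented_client(c) for c in EXPECTED]}
    realm["clients"][0]["redirectUris"].append("*")  # injected drift
    print("\n".join(audit_realm(realm)))
```

For a real check, load the exported realm file with json.load and pass the resulting dictionary to audit_realm.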


Configuring SEAL Clients

Usually, you do this part of the configuration with environment variables on the client side.

You need the following data to set up SEAL Operator and PLOSSYS Output Engine clients:

  • issuer URL

  • issuer name

  • all client IDs

  • all client secrets

You will find an example in Configuring Other Identity Providers.

