KeyCloak
SUSE Observability Self-hosted
Last updated
SUSE Observability
SUSE Observability Self-hosted
Last updated
SUSE Observability can authenticate using KeyCloak as an authentication provider, you will need to configure both SUSE Observability and KeyCloak to be able to talk to each other. The following sections describe the respective setups.
When using Keycloak as an authentication provider, SUSE Observability will use OIDC (OpenID Connect) to authenticate users. The following diagram describes the authentication flow.
Before you can configure SUSE Observability to authenticate using KeyCloak, you need to add a new client configuration to the KeyCloak Authentication Server. The necessary settings for the client are:
Client ID - The ID of the client that's connecting, we recommend naming this stackstate
Client Protocol - Set to openid-connect
Access Type - Set to confidential, so that a secret is used to establish the connection between KeyCloak and SUSE Observability
Standard Flow Enabled - Set to Enabled
Implicit Flow Enabled - Set to Disabled
Root URL - The root location of SUSE Observability (the same value configured in as base URL of the SUSE Observability configuration
Valid redirect URIs - This should be /loginCallback/*
Base URL - This should point to the root location of SUSE Observability
To configure SUSE Observability to authenticate using KeyCloak, KeyCloak details and user role mapping needs to be added to the file authentication.yaml. For example:
Follow the steps below to configure SUSE Observability to authenticate using KeyCloak:
In authentication.yaml - add details of the KeyCloak authentication provider (see the example above). The KeyCloak specific values can be obtained from the client configuration in KeyCloak:
url - The base URI for the KeyCloak instance
realm - The KeyCloak realm to connect to
authenticationMethod - Set to client_secret_basic, this is currently the only supported value.
clientId - The ID of the KeyCloak client as configured in KeyCloak
secret - The secret attached to the KeyCloak client, which is used to authenticate this client to KeyCloak
redirectUri - Optional: The URI where the login callback endpoint of SUSE Observability is reachable. Populated by default using the stackstate.baseUrl, but can be overridden (must be a fully qualified URL that points to the /loginCallback path)
jwsAlgorithm - Set this to RS256, this is currently the only supported value.
jwtClaims - Optional: The roles or username can be retrieved from a different attribute than the Keycloak default behavior
usernameField - Optional: The field in the OIDC user profile that should be used as the username. By default, this will be the preferred_username.
groupsField - Optional: SUSE Observability will always, and by default only, use the roles Keycloak provides. But it can also add roles from the field specified here. This is mainly useful when Keycloak is mapping roles/groups from a third-party system.
Store the file authentication.yaml together with the values.yaml file from the SUSE Observability installation instructions.
Run a Helm upgrade to apply the changes:
In authentication.yaml - map user roles from KeyCloak to the correct SUSE Observability subjects using the roles.guest, roles.powerUser or roles.admin settings (see the example above). For details, see the . More SUSE Observability roles can also be created, see the .
When the keycloak secrets should come from an external secret, follow but fill in the following data:
