
Configure the OIDC Identity Provider


SEAL Operator authenticates users via OAuth 2.0 and the OpenID Connect (OIDC) protocol. For this, an OIDC identity provider is required.

A preconfigured Keycloak identity provider is provided by SEAL Systems for test purposes. In practice, an OIDC identity provider that is already installed at the customer's site is used for user authentication and authorization.

Literature - OIDC identity provider

For more information about Keycloak and other OIDC identity providers used with the SEAL Systems products, refer to the SEAL Interfaces for OIDC documentation.


Steps with SEAL Operator (When Using Keycloak)

  1. Export the complete configuration of SEAL Operator from Consul to a YAML file in order to ensure that the current configuration settings are used.

    operator config export <filename>.yml --insecure
    
  2. In the exported file <filename>.yml, in the section for all SEAL Operator services, set the values of ID_PROVIDER_NAME and AUTH_ISSUER_URL so that <id_provider_server> is replaced by the server name of the OIDC identity provider. Use the fully-qualified domain name (FQDN) of the OIDC identity provider server.

    env:
      service:
        any:
          tag:
            any:
              ...
              ID_PROVIDER_NAME: https://<id_provider_server>:32769/auth/realms/SEAL
              AUTH_ISSUER_URL: https://<id_provider_server>:32769/auth/realms/SEAL
              ...
    
  3. Save the <filename>.yml file and re-import it to Consul.

    operator config import <filename>.yml --insecure
    

Steps with SEAL Operator (When Using Another OIDC Identity Provider)

  1. Export the complete configuration of SEAL Operator from Consul to a YAML file in order to ensure that the current configuration settings are used.

    operator config export <filename>.yml --insecure
    
  2. In the exported file <filename>.yml, in the section for all SEAL Operator services, configure the following keys for the identity provider certificate and the client credentials grant:

    env:
      service:
        any:
          tag:
            any:
              ...
              ID_PROVIDER_NAME: <iss_property_in_idp>
              ID_PROVIDER_CERT: <path_and_filename_of_idp_certificate>
              AUTH_CLIENT_ID: <client_id_used_in_idp> (Default: operator)
              AUTH_CLIENT_SECRET: <client_secret_generated_by_idp>
              AUTH_TOKEN_ENDPOINT: <token_endpoint_url_of_idp>
              AUTH_ISSUER_URL: <idp_url>
              ...
    
  3. In the exported file <filename>.yml, in the section for the operator-ui service, configure the following key for the authorization code grant:

    env:
      service:
        ...
        operator-ui:
          tag:
            any:
              ...
              AUTH_CLIENT_ID: <client_id_used_in_idp> (Default: seal-print-client)
              ...
    
  4. Save the file <filename>.yml and re-import it to Consul.

    operator config import <filename>.yml --insecure
    
  5. When using an OIDC identity provider different from the preconfigured Keycloak installation from SEAL Systems, the following Linux environment variables have to be set when calling the SEAL Operator CLI, unless the respective default applies:

Literature - keys

For further information about the keys, refer to the description of the Keys.
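Before re-importing the configuration, it is worth checking that the keys from step 2 agree with what the identity provider publishes in its discovery document (<AUTH_ISSUER_URL>/.well-known/openid-configuration), since a mismatched issuer or token endpoint only shows up later as failed logins. The following Python script is an added example, not part of the SEAL Operator product or this documentation; the identity provider host idp.example.test, the discovery document and the key values are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed values for the keys from step 2 (placeholder IdP, not a real server)
OPERATOR_ENV = {
    "ID_PROVIDER_NAME": "https://idp.example.test/auth/realms/SEAL",
    "AUTH_ISSUER_URL": "https://idp.example.test/auth/realms/SEAL",
    "AUTH_TOKEN_ENDPOINT": "https://idp.example.test/auth/realms/SEAL/protocol/openid-connect/token",
    "AUTH_CLIENT_ID": "operator",
    "AUTH_CLIENT_SECRET": "constructed-client-secret",
}

# Constructed discovery document, i.e. what <AUTH_ISSUER_URL>/.well-known/openid-configuration returns
DISCOVERY_DOC = json.dumps({
    "issuer": "https://idp.example.test/auth/realms/SEAL",
    "token_endpoint": "https://idp.example.test/auth/realms/SEAL/protocol/openid-connect/token",
    "grant_types_supported": ["authorization_code", "client_credentials", "refresh_token"],
})


def check_oidc_keys(env, discovery_json):
    """Return a list of findings; an empty list means the keys match the discovery document."""
    doc = json.loads(discovery_json)
    findings = []
    # Template values that were never filled in still carry their <...> markers
    for key, value in env.items():
        if value.startswith("<") and value.endswith(">"):
            findings.append(f"{key}: placeholder value not replaced")
    # Issuer checks and token requests (which carry the client secret) must not use plain HTTP
    for key in ("AUTH_ISSUER_URL", "AUTH_TOKEN_ENDPOINT"):
        if urlparse(env.get(key, "")).scheme != "https":
            findings.append(f"{key}: must be an https URL")
    # OIDC Discovery requires the document's issuer to equal the URL it was fetched from, and the
    # iss claim of every token carries that same value, so both keys have to equal it exactly
    issuer = doc.get("issuer")
    if env.get("AUTH_ISSUER_URL") != issuer:
        findings.append("AUTH_ISSUER_URL: does not match issuer in discovery document")
    if env.get("ID_PROVIDER_NAME") != issuer:
        findings.append("ID_PROVIDER_NAME: does not match the iss value of the identity provider")
    if env.get("AUTH_TOKEN_ENDPOINT") != doc.get("token_endpoint"):
        findings.append("AUTH_TOKEN_ENDPOINT: does not match token_endpoint in discovery document")
    # Step 2 relies on the client credentials grant; when grant_types_supported is absent the
    # Discovery spec's default is authorization_code and implicit only
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if "client_credentials" not in grants:
        findings.append("identity provider does not advertise the client_credentials grant")
    return findings
```

To run it against a real installation, replace DISCOVERY_DOC with the body fetched from the identity provider's discovery URL and OPERATOR_ENV with the values from the exported <filename>.yml; a trailing slash or a differing port in ID_PROVIDER_NAME is reported as a mismatch, which is intended, because the iss comparison is an exact string match.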


Next Step

Continue with: Configure the Fileupload Connector

