
Enabling Keycloak as an OIDC provider for Connections

Single sign-on is accomplished by setting up a trust relationship between the Connections server and Keycloak using the IBM WebSphere OpenID Connect Relying Party Trust Association Interceptor (OIDC Relying Party TAI).

For background on OIDC (OpenID Connect), you can see these topics in the IBM documentation for WebSphere Application Server:

Enabling Keycloak as an OIDC provider for Connections involves completing three major steps:

  • Configuring Keycloak as an OIDC Provider for Connections
  • Updating WebSphere to support Keycloak OIDC Authentication for Connections
  • Configuring Connections to support Keycloak

Note

You will use values from the Keycloak configuration when configuring the WebSphere TAI and other WebSphere Global Security configurations.

Important

If RichTextEditors is installed in your environment, verify the application's role mapping after enabling Keycloak OIDC. In some cases, the RichTextEditors application requires the Everyone role mapping to be set to "None" to avoid unintended editor access issues after migration.
