Standalone Keycloak as Identity Provider

• Once archive is secured with Keycloak as explained create Standalone Keycloak as Identity Provider in dcm4che realm.

Standalone Keycloak Installation and Configuration

1. Start the Standalone Keycloak System using docker

    docker run --name keycloak -p 8880:8880 -p 8843:8843 -p 8990:8990 -e HTTP_PORT=8880 -e HTTPS_PORT=8843 -e MANAGEMENT_HTTP_PORT=8990 
    -e KEYCLOAK_ADMIN_USER=admin -e KEYCLOAK_ADMIN_PASSWORD=admin -d dcm4che/keycloak:22.0.4
   

2. Login to this Standalone Keycloak system. Replace <ip> with the hostname/ip where this Standalone Keycloak system is running.

    http://<ip>:8880/auth
   

3. This by default shows dcm4che realm because it is configured to be used with archive. But we will not use this realm, for better understanding.

4. Add a new realm. We name it, for eg, keycloakIdentityProvider. This value will be needed in Steps 5 and 6 of Identity Provider Configuration

5. In this realm, add a client, for eg, keycloakAsIdentityProvider and Save. This Client ID is needed in Step 7 of Identity Provider Configuration

6. On the subsequent page that gets seen, select Access Type as confidential. The value for Valid Redirect URIs should be taken from Step 3 of Identity Provider Configuration and Save.

7. Go to Credentials tab and copy the Client Secret. This will be needed in Step 7 of Identity Provider Configuration

User Configuration

• You may add user(s) in keycloakIdentityProvider realm, which will be used for login via this Standalone Keycloak system.

Certificate Signing Authority

• Keycloak created a key-pair and automatically generated a self-signed certificate, when you created the realm in Step 4 of Standalone Keycloak Installation & Configuration
• To change the default key-pair and certificate to the ones required by your application, refer Adding an existing keypair and certificate

Identity Provider Configuration

1. Login to your Keycloak and go to dcm4che realm.

    http://localhost:8080/auth
   

2. Go to the Identity Providers in your dcm4che realm and Add Provider. Select Keycloak OpenID Connect.

3. The value in Redirect URI field should be used in Step 6 in Standalone Keycloak Installation & Configuration

4. Add value in Alias field. This will be displayed on the Archive UI login page, which will indicate that user has an option to login via Standalone Keycloak System. See point 1 in Verification section.

5. Add value in Authorization URL. Replace the value <ip> in URL below with hostname/ip where the Standalone Keycloak System is running. If you used a different value for realm name in Step 4 of Standalone Keycloak Installation & Configuration, then replace the keycloakIdentityProvider value in the URL below with realm name you used.

    http://<ip>:8880/auth/realms/keycloakIdentityProvider/protocol/openid-connect/auth
   

6. Add value in Token URL. Replace the value <ip> in URL below with hostname/ip where the Standalone Keycloak System is running. If you used a different value for realm name in Step 4 of Standalone Keycloak Installation & Configuration, then replace the keycloakIdentityProvider value in the URL below with realm name you used.

    http://<ip>:8880/auth/realms/keycloakIdentityProvider/protocol/openid-connect/token
   

7. Add the values for Client ID and Client Secret fields from Steps 5 and 7 respectively of Standalone Keycloak Installation & Configuration.

8. The remaining values are kept unchanged and set to default values. Save the Identity Provider Configuration.

Mapper Configuration

1. Once you have added Keycloak as Identity Provider in dcm4che realm in your Keycloak, you will need to create Mapper(s) to assign roles to the users, authenticating themselves via Standalone Keycloak system, to be able to access and/or have modification rights on the archive. Go to the Mappers tab and click Create.
2. Select Hardcoded Role from Mapper Type dropdown.
3. For the Role field Select Role as user. Enter Name for your mapper and Save.
4. If you want users,authenticating themselves via Standalone Keycloak system, to also have admin rights then create a second mapper and repeat steps 2 and 3, except Select Role as admin.

Verification

1. Once the above configurations are done correctly, you will get an option to login via Standalone Keycloak System on the archive's login page. The name displayed will be the Alias name you used in Step 4 of Identity Provider Configuration. Login with the user you created in User Configuration to see the archive UI page.

• Note that, if the user did not have the Email and First/Last name fields set in his/her profile in Standalone Keycloak system, the Update Profile page is seen when he/she authenticates with the user/password. This page shows the fields Username, Email, First Name, and Last Name. Once the fields are updated, user can proceed to see the archive UI page.
• This is because by default when you created the Identity Provider, the First Login Flow is set as first broker login.
• If one wants to skip the Update Profile page shown to the user when he/she logs in, one may do so by going to Authentication in dcm4che realm. Select First Broker Login. The Review Profile is Required. Go to Actions, select Config. Default value for Update Profile on First Login is missing. Change it to off and Save.