Introduction
This guide takes you step by step through setting up Keycloak for your Management SUITE. The names of the realm, the clients and the roles within those clients must be exactly as they appear in this document; otherwise you will have problems accessing Config, Control and Analyze.
This feature is available on Synergy SKY Management SUITE 3.0 (31.00.4110 onwards).
To begin, please get in touch with us by creating a ticket and we will provide instructions on how to start Keycloak.
Initial Setup and Testing
- Select Synergy CONFIG from Synergy SKY homepage
- Confirm that the IP or FQDN ‘External Address’ has been added under Network in General Settings, then click on the Save Changes button at the top of the screen
- If you have not reached out to us via a ticket, please do so now, as you will not be able to proceed.
- Reload the Synergy SKY homepage; a Keycloak icon should now be shown
- Wait at least 2 minutes before clicking the icon so that Keycloak is fully enabled; otherwise the web page will not load
- Create a local Username and Password account and then login with those details to the Administration Console
- Move the cursor over the drop-down that says Master and click on Add Realm
- Name the Realm SynergySKY and click on Create button
- Select Clients from the left-hand panel and click the Create button; three (3) clients will need to be created in total
- Create Client SynergySKYConfig
- Use SynergySKYConfig as the Client ID, enter a valid Redirect URL for the Synergy SKY appliance (E.g. https://<skyserver>/config) and press Save
- Scroll down the page and delete the Root URL information
- Valid Redirect URIs should have ‘/config/*’ at the end
- Add Base URL & Admin URL with ‘/config/’ at the end
- Remove the URL from Web Origins and add a ‘+’ symbol to this field
- The configuration should look like the image below; then click Save at the bottom of the page
- Select the Roles tab and click on the Add Role button
- Create a Role Name ‘ConfigAdmin’, add a description and then click Save
- Create Client SynergySKYControl
- Use the same steps as for SynergySKYConfig above, changing the Client ID to SynergySKYControl and all URLs to ‘/control/’, then Save
- Select the Roles tab and click on the Add Role button
- Create a Role Name ‘ControlAdmin’, add a description and then click Save
- Create Client SynergySKYAnalyze
- Create a client for SynergySKYAnalyze in the same manner as in step 12
- On the settings page, locate Access Type and change it from ‘public’ to ‘confidential’
- Proceed with the same steps as for SynergySKYConfig above, changing all URLs to ‘/analyze/’ and Web Origins to ‘*’, then Save
- Select the Roles tab and click on the Add Role button
- Create three (3) Roles, ‘Admin’, ‘Editor’ and ‘Viewer’, adding a description to each, then click Save
- Select Mappers and click Add Builtin button
- Search for Client Roles, tick Add and click Add selected
- Click Client Roles to edit
- Set Client ID to SynergySKYAnalyze, change Token Claim to Role, toggle on Add to ID token and Add to userinfo, then click Save
- Once all three have been completed, the Clients page should look similar to the image below
- Select Users from the left-hand panel and click Add User
- Create a local user (E.g. demo@test.com) then click Save
- Under the Credentials tab type a password (E.g. password), toggle Temporary to OFF and Set Password
- Under the Role Mappings tab, use the Client Roles drop-down to select ‘SynergySKYConfig’ and add ‘ConfigAdmin’ to Assigned Roles
- Add Roles from ‘SynergySKYControl’ & ‘SynergySKYAnalyze’ in the same manner
- You can assign all Analyze Roles to a single User or only one (1)
N.B. It is possible to assign roles by default under the Groups heading in the left-hand panel. Here you can create a group, assign Client Roles to it and then add it to Default Groups
- Open the Synergy SKY Config Tool page and select Authentication under the General Settings heading
- Toggle the switch to ON and confirm that the Realm and Client names created previously match what’s shown below
- To get the Analyze Client Secret, go back to the Keycloak configuration page and select the SynergySKYAnalyze client that was created in step 14
- Select the Credentials tab and copy the Secret from this page to the Analyze Client Secret in the Config Tool
- To get the Public Key, go back to the Keycloak configuration page and select Realm Settings
- Select the Keys tab, click on the Public Key button across from RS256/RSA, then copy the text from the popup and paste it into the Config Tool
- Once the Analyze Client Secret and Public Key have been added, click on the Verify Keycloak Login button and sign in with the User account (E.g. demo@test.com)
- Once verified, click on Save Changes in the Config Tool and then deploy the configuration
- Open a new web browser and try to access the Synergy SKY Config Tool page using the User created in Keycloak
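For reference, the realm that the steps above produce, written as a Keycloak realm-import JSON fragment. This is an added example, not part of the original guide: <skyserver> is the appliance address placeholder used in the steps above, the role descriptions are constructed, and the Analyze client secret is deliberately left out so that Keycloak generates one on import (read it from the client's Credentials tab, as in the steps above).

```json
{
  "realm": "SynergySKY",
  "enabled": true,
  "clients": [
    {"clientId": "SynergySKYConfig", "protocol": "openid-connect", "publicClient": true,
     "baseUrl": "https://<skyserver>/config/",
     "adminUrl": "https://<skyserver>/config/",
     "redirectUris": ["https://<skyserver>/config/*"],
     "webOrigins": ["+"]},
    {"clientId": "SynergySKYControl", "protocol": "openid-connect", "publicClient": true,
     "baseUrl": "https://<skyserver>/control/",
     "adminUrl": "https://<skyserver>/control/",
     "redirectUris": ["https://<skyserver>/control/*"],
     "webOrigins": ["+"]},
    {
      "clientId": "SynergySKYAnalyze",
      "protocol": "openid-connect",
      "publicClient": false,
      "clientAuthenticatorType": "client-secret",
      "baseUrl": "https://<skyserver>/analyze/",
      "adminUrl": "https://<skyserver>/analyze/",
      "redirectUris": ["https://<skyserver>/analyze/*"],
      "webOrigins": ["*"],
      "protocolMappers": [{
        "name": "client roles",
        "protocol": "openid-connect",
        "protocolMapper": "oidc-usermodel-client-role-mapper",
        "config": {
          "usermodel.clientRoleMapping.clientId": "SynergySKYAnalyze",
          "claim.name": "Role",
          "id.token.claim": "true",
          "access.token.claim": "true",
          "userinfo.token.claim": "true",
          "multivalued": "true",
          "jsonType.label": "String"
        }
      }]
    }
  ],
  "roles": {
    "client": {
      "SynergySKYConfig": [{"name": "ConfigAdmin", "description": "Full access to Config"}],
      "SynergySKYControl": [{"name": "ControlAdmin", "description": "Full access to Control"}],
      "SynergySKYAnalyze": [{"name": "Admin"}, {"name": "Editor"}, {"name": "Viewer"}]
    }
  }
}
```

"publicClient": false is the ‘confidential’ Access Type and "webOrigins": ["+"] is the ‘+’ entry that permits only the origins of the valid redirect URIs, whereas the Analyze client's "*" accepts CORS requests from any origin, exactly as the guide specifies.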
Adding AD as Identity Provider
- In the Keycloak config page, select Identity Providers from the left-hand panel and choose OpenID Connect v1.0
- Give an Alias name (E.g. azuread)
- Give a Display Name (E.g. Azure AD)
- Copy Redirect URI information for use in Synergy SKY Management SUITE
Register Application in Azure AD
- Go to aad.portal.azure.com and log in
- Select App Registrations and then click New Registration
- Give the application a Name (E.g. Keycloak Demo)
- Select the Supported account types (E.g. Single Tenant)
- Select Web for Redirect URI and paste link copied from Keycloak configuration page
- Click on Register
- Click on Endpoints on the next screen and copy the OAuth 2.0 authorization endpoint (v2) and OAuth 2.0 token endpoint (v2) to the associated fields in Keycloak
- Close the Endpoints window and copy the Application (client) ID to the Client ID section of Keycloak, setting the Client Authentication method to Client secret sent as post
- A Client Secret is now required.
- In Azure AD, select Certificates & secrets and then click New client secret
- Add a Description (E.g. Keycloak Secret) and set the Expires timeframe (N.B. make a note of this if needing to renew at a future time) then click on Add
- Copy the Value of the secret once done
- Paste the secret into the Client Secret section in Keycloak configuration and add some Default Scopes (E.g. openid profile email) and then click on Save at the bottom of the page.
Try to log in to the Synergy SKY Config Tool from a new private window or a different web browser. There should now be a button at the bottom saying “Azure AD” (or whatever Display Name was specified in step 3). Click on the button and log in using AD.
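The Identity Provider configured in the two sections above, as it appears in a Keycloak realm-import fragment. This is an added example, not part of the original guide; <tenant-id>, <application-client-id> and <client-secret-value> are placeholders for the values copied from the Azure AD app registration, and the two endpoint URLs follow the v2 endpoint format that the Azure portal shows.

```json
{
  "identityProviders": [{
    "alias": "azuread",
    "displayName": "Azure AD",
    "providerId": "oidc",
    "enabled": true,
    "config": {
      "authorizationUrl": "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize",
      "tokenUrl": "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token",
      "clientId": "<application-client-id>",
      "clientAuthMethod": "client_secret_post",
      "clientSecret": "<client-secret-value>",
      "defaultScope": "openid profile email"
    }
  }]
}
```

"client_secret_post" corresponds to the ‘Client secret sent as post’ option chosen above; Keycloak masks clientSecret as ********** in its own exports, so after an import the secret has to be re-entered on the Identity Providers page.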